rpms/awstats/EL-5 awstats-6.7-CVE-2008-3714.patch, NONE, 1.1 awstats.spec, 1.21, 1.22
Tim Jackson
timj at fedoraproject.org
Sat Aug 23 09:04:12 UTC 2008
Author: timj
Update of /cvs/extras/rpms/awstats/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29442
Modified Files:
awstats.spec
Added Files:
awstats-6.7-CVE-2008-3714.patch
Log Message:
Fix CVE-2008-3714: cross-site scripting security issue (#459605)
awstats-6.7-CVE-2008-3714.patch:
--- NEW FILE awstats-6.7-CVE-2008-3714.patch ---
Adapted from:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
diff -ur awstats-6.7/wwwroot/cgi-bin/awstats.pl awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl
--- awstats-6.7/wwwroot/cgi-bin/awstats.pl 2007-07-07 12:00:06.000000000 +0100
+++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl 2008-08-23 09:21:31.000000000 +0100
@@ -4380,6 +4380,7 @@
sub DecodeEncodedString {
my $stringtodecode=shift;
$stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%22//g;
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
return $stringtodecode;
}
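Review bot: the added `s/%22//g` in DecodeEncodedString is a blacklist on the encoded form only, so a literal `"` already present in the string is not touched here, and other characters that can close an attribute, for example `%27`, still pass through the `s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg` decode unchanged. Silently deleting the quote also alters legitimate parameter values that contain one. Prefer encoding `"` (and `'`) at output time in CleanXSS rather than dropping bytes in the decoder, and keep this line at most as defence in depth.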
@@ -4432,9 +4433,12 @@
#------------------------------------------------------------------------------
sub CleanXSS {
my $stringtoclean=shift;
+ # To avoid html tags and javascript
$stringtoclean =~ s/</</g;
$stringtoclean =~ s/>/>/g;
$stringtoclean =~ s/|//g;
+ # To avoid onload="
+ $stringtoclean =~ s/onload//g;
return $stringtoclean;
}
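Review bot: `s/onload//g` has no `/i` flag, so a mixed-case attribute name is not matched, and a single global removal is not idempotent (one pass can leave the token it was meant to strip), so blacklisting one handler name is not a reliable fix. The comment `# To avoid onload="` names the real problem: the `"` that closes an attribute, which CleanXSS never encodes. Suggest `$stringtoclean =~ s/"/&quot;/g;` (and likewise for `'`) so attribute context cannot be broken. Also, as rendered here the context lines `s/</</g;` and `s/>/>/g;` replace a character with itself; if those are meant to be `&lt;` and `&gt;`, confirm the entities survived in the committed patch file.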
Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/EL-5/awstats.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- awstats.spec 16 Mar 2008 10:35:47 -0000 1.21
+++ awstats.spec 23 Aug 2008 09:03:41 -0000 1.22
@@ -1,18 +1,19 @@
Name: awstats
Version: 6.7
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Advanced Web Statistics
License: GPLv2
Group: Applications/Internet
URL: http://awstats.sourceforge.net
Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz
-#Source0: http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
Source1: awstats.README.SELinux
# Fix pb in xml output for history files
# http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.892&r2=1.894&view=patch
Patch0: awstats-6.7-xmlhistory.patch
+Patch1: awstats-6.7-CVE-2008-3714.patch
+
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: checkpolicy, selinux-policy-devel
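Review bot: `Patch1:` has no provenance comment, while Patch0 carries one with the upstream URL; add `# Fix CVE-2008-3714 (XSS), adapted from upstream awstats.pl r1.910 to r1.912` with the URL above the `Patch1:` line, since that information currently lives only inside the patch file. The deletion of the commented-out `#Source0:` line is unrelated cleanup bundled into a security update; fine, but worth a changelog mention.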
@@ -50,9 +51,8 @@
%prep
%setup -q
-# No backup or it will be installed
-#%%patch0 -p0 -b .xmlhistory
%patch0 -p0
+%patch1 -p1
# Fix style sheets.
perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
# Fix some bad file permissions here for convenience.
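Review bot: `%patch1 -p1` matches the `awstats-6.7/` and `awstats-6.7-CVE-2008-3714/` prefixes in the new patch's `diff -ur` header, while patch0 keeps `-p0`; a one-line comment next to the two `%patch` calls noting the different strip levels would save the next maintainer a build failure when regenerating either patch.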
@@ -218,6 +218,9 @@
%changelog
+* Sat Aug 23 2008 Tim Jackson <rpm at timj.co.uk> 6.7-3
+- Fix CVE-2008-3714: cross-site scripting security issue (#459605)
+
* Sun Mar 16 2008 Tim Jackson <rpm at timj.co.uk> 6.7-2
- awstats does not actually require httpd (#406901)
- Fix cron script to be compatible with SELinux (#435101)
More information about the fedora-extras-commits mailing list