Bug#378960: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities

Charles Fry cfry at debian.org
Sat Jul 22 01:51:23 UTC 2006


> > Are these fixed in 6.6? When do you expect to release 6.6?
> >
> It is fixed in 6.6. I have just launched the beta for 6.6, meaning the
> code in the current 6.6 package will not change (except for bug corrections
> found during the beta).
> The beta lasts about 2 months.
>
> I also updated the AWStats security page to report this vulnerability code:
> http://awstats.sourceforge.net/awstats_security_news.php
> It is the hole #3 in this page.

Now, the important follow up question: what patch should be applied to
6.5 (or 6.4) in order to fix this problem? As far as I can tell from
comparing 6.5 to 6.6 the important change is the one that we have
already included in Debian, which is:

-   $QueryString = CleanFromCSSA($QueryString);
+   $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
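Review bot: the hunk calls &DecodeEncodedString but does not add it, so a backport to 6.5 or 6.4 has to confirm that sub already exists in that tree with the same behaviour, or carry its definition along with this one-line change. The ordering is the substance of the fix: CleanFromCSSA now inspects the decoded value rather than the raw, still-encoded query string, so any later code path that decodes $QueryString a second time should be checked, since it would then operate on a string other than the one that was sanitised.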

Is that correct, or am I missing some other component of the fix?

thanks,
Charles

-- 
Don't put it off -- Put it on
Burma-Shave
http://burma-shave.org/jingles/1939/dont_put_it
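A worked illustration of the ordering the patch in the mail changes, added here as an example and not code from this thread or from awstats: the two helpers are Python stand-ins for CleanFromCSSA and DecodeEncodedString (not the Perl originals), and the "old order" assumes the sanitised value is percent-decoded by whatever consumes it afterwards, which the mail does not state. It also goes one step past the mail with a residual-encoding check for input that is percent-encoded twice.

```python
import re
from urllib.parse import unquote

# Stand-in for awstats' CleanFromCSSA (not the real Perl function):
# drop HTML tags and the characters needed to open one.
def clean_from_cssa(s: str) -> str:
    s = re.sub(r"<[^>]*>", "", s)
    return s.replace("<", "").replace(">", "").replace('"', "")

# Stand-in for awstats' DecodeEncodedString: one round of %XX decoding.
def decode_encoded_string(s: str) -> str:
    return unquote(s)

def looks_like_markup(s: str) -> bool:
    """True if the string still carries something a browser would parse as a tag."""
    return re.search(r"<[^>]*>", s) is not None

def old_order(query: str) -> str:
    """Pre-patch: CleanFromCSSA runs on the raw query string.  The decode is
    assumed to happen later, when the value is consumed, so the sanitiser
    never sees the angle brackets."""
    return decode_encoded_string(clean_from_cssa(query))

def new_order(query: str) -> str:
    """Patched: CleanFromCSSA(&DecodeEncodedString($QueryString))."""
    return clean_from_cssa(decode_encoded_string(query))

def residual_encoding(s: str) -> bool:
    """Check worth keeping after the fix: if another decode round would still
    change the string, a consumer that decodes again ends up with a value
    different from the one that was sanitised."""
    return decode_encoded_string(s) != s

# Constructed sample query strings (harmless markup, not real payloads).
ENCODED = "config=site&framename=%3Cb%3Eindex%3C%2Fb%3E"
DOUBLE_ENCODED = "config=site&framename=%253Cb%253Eindex%253C%252Fb%253E"

if __name__ == "__main__":
    print("old order:", old_order(ENCODED))      # markup survives the sanitiser
    print("new order:", new_order(ENCODED))      # markup removed
    print("residual :", residual_encoding(new_order(DOUBLE_ENCODED)))
```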