[Pkg-awstats-devel] Please unblock awstats 6.7.dfsg-5

Andreas Henriksson andreas at fatal.se
Sun Aug 17 12:28:04 UTC 2008


Hello!

Please unblock awstats 6.7.dfsg-5, which I just uploaded.
It includes a simple patch from upstream to fix an XSS issue (rated
important by the security team, but it can't hurt to include it in Lenny).
The relevant Debian bug number is #495432.

Here's the debdiff between -4 and -5:

diff -u awstats-6.7.dfsg/debian/changelog awstats-6.7.dfsg/debian/changelog
--- awstats-6.7.dfsg/debian/changelog
+++ awstats-6.7.dfsg/debian/changelog
@@ -1,3 +1,11 @@
+awstats (6.7.dfsg-5) unstable; urgency=low
+
+  * Add debian/patches/0001_awstats69beta_xss.patch,
+    upstream security fix from 6.9 beta to fix XSS.
+    (Closes: #495432, upstream bug 2001151)
+
+ -- Andreas Henriksson <andreas at fatal.se>  Sun, 17 Aug 2008 13:54:04 +0200
+
 awstats (6.7.dfsg-4) unstable; urgency=low
 
   * Update local cdbs snippets:
diff -u awstats-6.7.dfsg/debian/patches/series awstats-6.7.dfsg/debian/patches/series
--- awstats-6.7.dfsg/debian/patches/series
+++ awstats-6.7.dfsg/debian/patches/series
@@ -1,3 +1,4 @@
+0001_awstats69beta_xss.patch
 1002_disable_configdir.patch
 1003_redirect_to_STDERR.patch
 1004_perl_version.patch
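Review bot: the new entry is named 0001_awstats69beta_xss.patch while the existing entries all use a 100x_ prefix (1002_, 1003_, 1004_); the name breaks the series' numbering convention but is harmless, provided the patch still applies cleanly at the head of the series and the later patches still apply on top of it (worth confirming with a clean rebuild).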
only in patch2:
unchanged:
--- awstats-6.7.dfsg.orig/debian/patches/0001_awstats69beta_xss.patch
+++ awstats-6.7.dfsg/debian/patches/0001_awstats69beta_xss.patch
@@ -0,0 +1,23 @@
+--- a/wwwroot/cgi-bin/awstats.pl	2008/04/21 21:13:28	1.910
++++ b/wwwroot/cgi-bin/awstats.pl	2008/07/27 17:41:57	1.911
+@@ -4380,6 +4380,7 @@
+ sub DecodeEncodedString {
+ 	my $stringtodecode=shift;
+ 	$stringtodecode =~ tr/\+/ /s;
++	$stringtodecode =~ s/%22//g;
+ 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+ 	return $stringtodecode;
+ }
+@@ -4432,9 +4433,12 @@
+ #------------------------------------------------------------------------------
+ sub CleanXSS {
+ 	my $stringtoclean=shift;
++	# To avoid html tags and javascript
+ 	$stringtoclean =~ s/</&lt;/g;
+ 	$stringtoclean =~ s/>/&gt;/g;
+ 	$stringtoclean =~ s/|//g;
++	# To avoid onload="
++	$stringtoclean =~ s/onload//g;
+ 	return $stringtoclean;
+ }
+ 
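Review bot: both hunks inside the new patch are token deletions rather than escaping, and a pre-existing line next to them is a latent bug. In DecodeEncodedString, `$stringtodecode =~ s/%22//g;` silently drops every encoded double quote before percent-decoding, so legitimate parameter values containing `"` are altered, and it handles one encoding of one character only. In CleanXSS, `$stringtoclean =~ s/onload//g;` is case-sensitive and a single-pass deletion of one event-handler name, so it is not a general defence. The durable fix is to escape on output, adding `s/&/&amp;/g` (which must run before the `<`/`>` substitutions to avoid double-encoding `&lt;`), `s/"/&quot;/g` and `s/'/&#39;/g` alongside the existing `&lt;`/`&gt;` escaping. Separately, the unchanged context line `$stringtoclean =~ s/|//g;` does not remove `|`: the unescaped `|` is regex alternation of two empty patterns, which matches the empty string, so the substitution is a no-op; it should read `s/\|//g` (or `tr/|//d`). A header line in the patch recording its origin (upstream 6.9 beta, upstream bug 2001151, Debian #495432) would also help future maintainers.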
