[Pkg-awstats-devel] Please unblock awstats 6.7.dfsg-5
Andreas Henriksson
andreas at fatal.se
Sun Aug 17 12:28:04 UTC 2008
Hello!
Please unblock awstats 6.7.dfsg-5, which I just uploaded.
It includes a simple patch from upstream to fix an XSS issue (rated
important by the security team, but can't hurt to include it in Lenny).
The relevant debian bug number is #495432.
Here's the debdiff between -4 and -5:
diff -u awstats-6.7.dfsg/debian/changelog awstats-6.7.dfsg/debian/changelog
--- awstats-6.7.dfsg/debian/changelog
+++ awstats-6.7.dfsg/debian/changelog
@@ -1,3 +1,11 @@
+awstats (6.7.dfsg-5) unstable; urgency=low
+
+ * Add debian/patches/0001_awstats69beta_xss.patch,
+ upstream security fix from 6.9 beta to fix XSS.
+ (Closes: #495432, upstream bug 2001151)
+
+ -- Andreas Henriksson <andreas at fatal.se> Sun, 17 Aug 2008 13:54:04 +0200
+
awstats (6.7.dfsg-4) unstable; urgency=low
* Update local cdbs snippets:
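Review bot: The changelog entry cites the Debian bug and upstream bug 2001151 but no CVE identifier; if the security team has assigned one for this XSS issue, add it to the entry alongside "Closes: #495432" so the security tracker can match the upload to the fix.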
diff -u awstats-6.7.dfsg/debian/patches/series awstats-6.7.dfsg/debian/patches/series
--- awstats-6.7.dfsg/debian/patches/series
+++ awstats-6.7.dfsg/debian/patches/series
@@ -1,3 +1,4 @@
+0001_awstats69beta_xss.patch
1002_disable_configdir.patch
1003_redirect_to_STDERR.patch
1004_perl_version.patch
only in patch2:
unchanged:
--- awstats-6.7.dfsg.orig/debian/patches/0001_awstats69beta_xss.patch
+++ awstats-6.7.dfsg/debian/patches/0001_awstats69beta_xss.patch
@@ -0,0 +1,23 @@
+--- a/wwwroot/cgi-bin/awstats.pl 2008/04/21 21:13:28 1.910
++++ b/wwwroot/cgi-bin/awstats.pl 2008/07/27 17:41:57 1.911
+@@ -4380,6 +4380,7 @@
+ sub DecodeEncodedString {
+ my $stringtodecode=shift;
+ $stringtodecode =~ tr/\+/ /s;
++ $stringtodecode =~ s/%22//g;
+ $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+ return $stringtodecode;
+ }
+@@ -4432,9 +4433,12 @@
+ #------------------------------------------------------------------------------
+ sub CleanXSS {
+ my $stringtoclean=shift;
++ # To avoid html tags and javascript
+ $stringtoclean =~ s/</</g;
+ $stringtoclean =~ s/>/>/g;
+ $stringtoclean =~ s/|//g;
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
+ return $stringtoclean;
+ }
+
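Review bot: As rendered here, the two substitutions in CleanXSS, `$stringtoclean =~ s/</</g;` and `$stringtoclean =~ s/>/>/g;`, replace each character with itself and therefore do nothing; the HTML entity escapes appear to have been flattened in the mail rendering, so please confirm that the patch file in the actual upload carries the real escaping before the unblock is granted (the same check applies to `s/|//g`, which as shown matches only the empty string). On the added lines, `s/%22//g` in DecodeEncodedString and `s/onload//g` in CleanXSS delete specific tokens rather than encoding them: they silently alter legitimate input containing a quote or that substring, and they cover only the one token named, so escaping quotes to their entity at output time would be the more robust fix. Acceptable as a minimal upstream backport for Lenny, but the narrow scope is worth stating in the changelog entry.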