Hi Laurent, Can you please comment on these vulnerabilities, especially CVE-2006-3681? Are these fixed in 6.6? When do you expect to release 6.6?
thanks,
Charles

-----Original Message-----
> From: Alec Berryman <[EMAIL PROTECTED]>
> Subject: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
> Date: Wed, 19 Jul 2006 22:32:54 -0400
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
> Reply-To: Alec Berryman <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>
> Package: awstats
> Version: 6.5-2
> Severity: serious
> Tags: security
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
> awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
> to inject arbitrary web script or HTML via the (1) refererpagesfilter,
> (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
> hostfilter, or (6) hostfilterex parameters, a different set of vectors
> than CVE-2006-1945."
>
> CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
> remote attackers to obtain the installation path via the (1) year, (2)
> pluginmode or (3) month parameters."
>
> I have not verified either vulnerability. The original advisory [1]
> has sample exploits.
>
> This is not the same as #364443 or #365909. Sarge is probably affected.
>
> Please mention the CVEs in your changelog.
>
> Thanks,
>
> Alec
>
> [1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFEvutWAud/2YgchcQRAnO4AJkBYfNZSWE6zHKPGArOpX3eNnH9AwCfYtf7
> 5nTPB7EkA5xCCZLPv6xgF7I=
> =AN2l
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Pkg-awstats-devel mailing list
> [EMAIL PROTECTED]
> http://lists.alioth.debian.org/mailman/listinfo/pkg-awstats-devel

--
Unless
Your face
Is stinger free
You'd better let
Your honey be
Burma-Shave
http://burma-shave.org/jingles/1951/unless