> > Are these fixed in 6.6? When do you expect to release
> >6.6?
> >
> It is fixed in 6.6. I have just launched the beta start for 6.6 meaning
> code in current 6.6 package will not change (except for bug corrections
> found during beta).
> Beta lasts about 2 months.
>
> I also updated the AWStats security page to report this vulnerability code:
> http://awstats.sourceforge.net/awstats_security_news.php
> It is the hole #3 in this page.

Now, the important follow up question: what patch should be applied to
6.5 (or 6.4) in order to fix this problem? As far as I can tell from
comparing 6.5 to 6.6 the important change is the one that we have
already included in Debian, which is:

- $QueryString = CleanFromCSSA($QueryString);
+ $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));

Is that correct, or am I missing some other component of the fix?

thanks,
Charles

-- 
Don't put it off -- Put it on
Burma-Shave
http://burma-shave.org/jingles/1939/dont_put_it
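
Review bot: The `+` line has no comment recording that the call order is the fix: DecodeEncodedString must run before CleanFromCSSA so the filter inspects the decoded form of $QueryString. A one-line comment above the assignment would keep a later cleanup from swapping the two calls back. The hunk also shows only this one assignment, so for a 6.5 or 6.4 backport it is worth checking that nothing later in the script decodes $QueryString again after this point, since a decode that runs after CleanFromCSSA would pass unfiltered characters to the rest of the code.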

