Date: Wed, 02 Feb 2005 00:59:36 +0200
From: Jacques Marneweck <jacques@powertrip.co.za>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: jacques@powertrip.co.za
Subject: ports/76983: Fix security vulnerabilities in awstats < 6.3
Message-ID: <E1Cw6zg-0008oj-W3@maquis.powertrip.co.za>
Resent-Message-ID: <200502012300.j11N0iXn034059@freefall.freebsd.org>
>Number: 76983 >Category: ports >Synopsis: Fix security vulnerabilities in awstats < 6.3 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Feb 01 23:00:42 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Jacques Marneweck >Release: FreeBSD 5.*snip* i386 >Organization: Powertrip Networks >Environment: System: FreeBSD maquis.powertrip.co.za 5.*snip* FreeBSD 5.*snip* i386 >Description: Versions of awstats prior to 6.3 contain various security vulnerabilities, and is listed in the VuXML and needs to be upgraded to 6.3 to close the three holes that have been reported. Apparently people can run shell commands in certain circumstances. >How-To-Repeat: >Fix: Upgrade to awstats 6.3 --- awstats.6.3.patch begins here --- diff -Nurd awstats.old/Makefile awstats/Makefile --- awstats.old/Makefile Tue Jan 18 14:38:13 2005 +++ awstats/Makefile Wed Feb 2 00:42:32 2005 @@ -6,7 +6,7 @@ # PORTNAME= awstats -PORTVERSION= 6.2 +PORTVERSION= 6.3 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -15,8 +15,6 @@ MAINTAINER= webmaster@lightningfire.net COMMENT= Free real-time logfile analyzer to get advanced web statistics -FORBIDDEN= http://vuxml.FreeBSD.org/0f5a2b4d-694b-11d9-a9e7-0001020eed82.html - RUN_DEPENDS= ${SITE_PERL}/Net/XWhois.pm:${PORTSDIR}/net/p5-Net-XWhois NO_BUILD= yes 
@@ -51,7 +49,7 @@ ${INSTALL_SCRIPT} ${WRKSRC}/tools/logresolvemerge.pl ${PREFIX}/www/awstats/tools ${INSTALL_SCRIPT} ${WRKSRC}/tools/maillogconvert.pl ${PREFIX}/www/awstats/tools ${INSTALL_SCRIPT} ${WRKSRC}/tools/urlaliasbuilder.pl ${PREFIX}/www/awstats/tools - ${INSTALL_SCRIPT} ${WRKSRC}/tools/webmin/awstats-1.4.wbm ${PREFIX}/www/awstats/tools/webmin + ${INSTALL_SCRIPT} ${WRKSRC}/tools/webmin/awstats-1.5.wbm ${PREFIX}/www/awstats/tools/webmin ${INSTALL_SCRIPT} ${WRKSRC}/wwwroot/cgi-bin/awredir.pl ${PREFIX}/www/awstats/cgi-bin ${INSTALL_DATA} ${WRKSRC}/wwwroot/cgi-bin/awstats.model.conf ${PREFIX}/www/awstats/cgi-bin ${INSTALL_SCRIPT} ${WRKSRC}/wwwroot/cgi-bin/awstats.pl ${PREFIX}/www/awstats/cgi-bin diff -Nurd awstats.old/distinfo awstats/distinfo --- awstats.old/distinfo Fri Dec 31 13:35:09 2004 +++ awstats/distinfo Tue Feb 1 19:35:08 2005 @@ -1,2 +1,2 @@ -MD5 (awstats-6.2.tgz) = ee3096899d40e23ecdc897d752b79ac8 -SIZE (awstats-6.2.tgz) = 860606 +MD5 (awstats-6.3.tgz) = edb73007530a5800d53b9f1f90c88053 +SIZE (awstats-6.3.tgz) = 938794 diff -Nurd awstats.old/pkg-plist awstats/pkg-plist --- awstats.old/pkg-plist Fri Dec 31 13:35:09 2004 +++ awstats/pkg-plist Wed Feb 2 00:44:16 2005 @@ -32,7 +32,6 @@ %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_1.jpg %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_1.png %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_2.png -%%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_3.gif %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_3.png %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_4.png %%PORTDOCS%%%%DOCSDIR%%/images/star.png @@ -575,7 +574,7 @@ www/awstats/tools/logresolvemerge.pl www/awstats/tools/maillogconvert.pl www/awstats/tools/urlaliasbuilder.pl -www/awstats/tools/webmin/awstats-1.4.wbm +www/awstats/tools/webmin/awstats-1.5.wbm @dirrm www/awstats/tools/webmin @dirrm www/awstats/tools @dirrm www/awstats/js --- awstats.6.3.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
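Review bot: The FORBIDDEN removal in the first Makefile hunk is justified only by a description that says shell commands can be run "apparently" and that counts three reported holes, while the removed marker names a single VuXML entry (0f5a2b4d-694b-11d9-a9e7-0001020eed82). Before the marker is dropped, confirm that the affected range in that entry ends below 6.3 and that all three holes are covered by it, and cite the entry in the commit message so the version bump stays linked to the advisory.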
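Review bot: In the distinfo hunk the new awstats-6.3.tgz is pinned only by an MD5 line and a SIZE line, and the PR does not say where the checksum came from. For a security update, state the source of the value and compare it against one published by upstream rather than one computed from the fetched file alone; if the ports framework in use accepts a stronger digest line in distinfo, add it alongside the MD5.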
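Review bot: The webmin module filename awstats-1.5.wbm is hard-coded twice, once in the second Makefile hunk and once in the last pkg-plist hunk, so both files have to be edited in lockstep at every upstream bump and a missed one breaks install or deinstall. Consider a single Makefile variable for the module version, passed to the packing list through PLIST_SUB, so the next update changes one line.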