Date: Wed, 02 Feb 2005 00:59:36 +0200
From: Jacques Marneweck
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: jacques@powertrip.co.za
Subject: ports/76983: Fix security vulnerabilities in awstats < 6.3
X-BeenThere: freebsd-ports-bugs@freebsd.org
Reply-To: Jacques Marneweck
List-Id: Ports bug reports
X-List-Received-Date: Tue, 01 Feb 2005 23:00:46 -0000

>Number: 76983
>Category: ports
>Synopsis: Fix security vulnerabilities in awstats < 6.3
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 01 23:00:42 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Jacques Marneweck
>Release: FreeBSD 5.*snip* i386
>Organization: Powertrip Networks
>Environment:
System: FreeBSD maquis.powertrip.co.za 5.*snip* FreeBSD 5.*snip* i386
>Description:
Versions of awstats prior to 6.3 contain various security vulnerabilities and are listed in VuXML; awstats needs to be upgraded to 6.3 to close the three holes that have been reported. Apparently people can run shell commands in certain circumstances.
>How-To-Repeat:
>Fix:
Upgrade to awstats 6.3

--- awstats.6.3.patch begins here --- diff -Nurd awstats.old/Makefile awstats/Makefile --- awstats.old/Makefile Tue Jan 18 14:38:13 2005 +++ awstats/Makefile Wed Feb 2 00:42:32 2005 @@ -6,7 +6,7 @@ # PORTNAME= awstats -PORTVERSION= 6.2 +PORTVERSION= 6.3 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -15,8 +15,6 @@ MAINTAINER= webmaster@lightningfire.net COMMENT= Free real-time logfile analyzer to get advanced web statistics -FORBIDDEN= http://vuxml.FreeBSD.org/0f5a2b4d-694b-11d9-a9e7-0001020eed82.html - RUN_DEPENDS= ${SITE_PERL}/Net/XWhois.pm:${PORTSDIR}/net/p5-Net-XWhois NO_BUILD= yes 
@@ -51,7 +49,7 @@ ${INSTALL_SCRIPT} ${WRKSRC}/tools/logresolvemerge.pl ${PREFIX}/www/awstats/tools ${INSTALL_SCRIPT} ${WRKSRC}/tools/maillogconvert.pl ${PREFIX}/www/awstats/tools ${INSTALL_SCRIPT} ${WRKSRC}/tools/urlaliasbuilder.pl ${PREFIX}/www/awstats/tools - ${INSTALL_SCRIPT} ${WRKSRC}/tools/webmin/awstats-1.4.wbm ${PREFIX}/www/awstats/tools/webmin + ${INSTALL_SCRIPT} ${WRKSRC}/tools/webmin/awstats-1.5.wbm ${PREFIX}/www/awstats/tools/webmin ${INSTALL_SCRIPT} ${WRKSRC}/wwwroot/cgi-bin/awredir.pl ${PREFIX}/www/awstats/cgi-bin ${INSTALL_DATA} ${WRKSRC}/wwwroot/cgi-bin/awstats.model.conf ${PREFIX}/www/awstats/cgi-bin ${INSTALL_SCRIPT} ${WRKSRC}/wwwroot/cgi-bin/awstats.pl ${PREFIX}/www/awstats/cgi-bin diff -Nurd awstats.old/distinfo awstats/distinfo --- awstats.old/distinfo Fri Dec 31 13:35:09 2004 +++ awstats/distinfo Tue Feb 1 19:35:08 2005 @@ -1,2 +1,2 @@ -MD5 (awstats-6.2.tgz) = ee3096899d40e23ecdc897d752b79ac8 -SIZE (awstats-6.2.tgz) = 860606 +MD5 (awstats-6.3.tgz) = edb73007530a5800d53b9f1f90c88053 +SIZE (awstats-6.3.tgz) = 938794 diff -Nurd awstats.old/pkg-plist awstats/pkg-plist --- awstats.old/pkg-plist Fri Dec 31 13:35:09 2004 +++ awstats/pkg-plist Wed Feb 2 00:44:16 2005 @@ -32,7 +32,6 @@ %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_1.jpg %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_1.png %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_2.png -%%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_3.gif %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_3.png %%PORTDOCS%%%%DOCSDIR%%/images/screen_shot_4.png %%PORTDOCS%%%%DOCSDIR%%/images/star.png @@ -575,7 +574,7 @@ www/awstats/tools/logresolvemerge.pl www/awstats/tools/maillogconvert.pl www/awstats/tools/urlaliasbuilder.pl -www/awstats/tools/webmin/awstats-1.4.wbm +www/awstats/tools/webmin/awstats-1.5.wbm @dirrm www/awstats/tools/webmin @dirrm www/awstats/tools @dirrm www/awstats/js --- awstats.6.3.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
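
Review bot: the Makefile hunk at @@ -15,8 +15,6 @@ drops the FORBIDDEN line for VuXML entry 0f5a2b4d-694b-11d9-a9e7-0001020eed82, but the PR text speaks of three reported holes, cites no advisory, and leaves How-To-Repeat empty, so nothing here shows that 6.3 fixes what that entry covers. Before committing, check the entry's affected-version range against 6.3 and name the entry in the commit message; if any of the three holes is tracked elsewhere or is still open in 6.3, the port should stay marked.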
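
Review bot: the distinfo hunk takes its new values straight from the PR, and MD5 plus SIZE is the only integrity check recorded for awstats-6.3.tgz. For a security update the committer should fetch the distfile from MASTER_SITE_SOURCEFORGE independently and regenerate distinfo with make makesum, then compare the result with the submitted edb73007530a5800d53b9f1f90c88053 and 938794 rather than copying them from the mail.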
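
Review bot: in the Makefile hunk at @@ -51,7 +49,7 @@ the Webmin module's version is hard-coded in the file name (awstats-1.5.wbm) and has to be changed in step with pkg-plist hunk @@ -575,7 +574,7 @@ on every update. The two agree in this patch; consider a Makefile variable with a matching PLIST_SUB entry so that the next bump is a one-line change and the plist cannot drift from what is installed.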
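
Review bot: pkg-plist hunk @@ -32,7 +32,6 @@ removes images/screen_shot_3.gif without a word about it in the PR, and no Makefile hunk touches the documentation install, so the patch alone does not show that the file is gone from the 6.3 tarball. Confirm with an install and deinstall run that no files are left behind and none listed in the plist are missing.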