Comment 1 Edwin Groothuis 2008-12-26 16:10:12 UTC

Responsible Changed
From-To: freebsd-ports-bugs->miwi

miwi@ wants his PRs (via the GNATS Auto Assign Tool)

Comment 2 Edwin Groothuis 2008-12-26 16:10:15 UTC

Maintainer of www/awstats,

Please note that PR ports/129957 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129957

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org

Comment 3 Edwin Groothuis 2008-12-26 16:10:18 UTC

State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

Comment 4 Oleksii Samorukov 2008-12-26 17:25:55 UTC

Please, commit this patch

Comment 5 Mark Linimon 2009-01-04 01:03:13 UTC

State Changed
From-To: feedback->suspended

Maintainer approved, but also approved ports/130143 which contains an 
update.  However, that one doesn't contain the VuXML entry, so mark 
this as 'suspended' to flag that.

Comment 6 dfilter service 2009-01-04 06:18:11 UTC

chinsan     2009-01-04 06:18:02 UTC

  FreeBSD ports repository

  Modified files:
    www/awstats          Makefile distinfo pkg-plist 
    www/awstats/files    patch-wwwroot-cgi-bin-awstats.pl 
  Added files:
    www/awstats/files    patch-CVE-2008-3714 
  Log:
  - Update to 6.9
    Changes 6.9:
      New features/improvements:
      - With postfix that support DSN (Delivery Status Notifications) we exclude
        some lines to avoid counting mails twice in maillogconvert.pl script.
      - Logresolvemerge.pl support FreeRADIUS logs or anything else using (the
        fixed length!) ctime format timestamp.
      - Add option stoponfirsteof in logresolvemerge tool.
      - Add patch to support host_proxy tag in LogFormat (for Apache LogFormat
        containing %{X-Forwarded-For}i)
      - Renamed Add to favourites on "Hit on favicon".
      - Increase robots, search engines database (Added Google Chrome browser,
        better Vista, WII, detection, ...)
      - Update languages files.
      - Added a lot of patch from sourceforge.
  
      Fixes:
      - Fixed broken maxmind citi, org and isp plugins.
      - Remove   in name html tag to have HtmlHeadSection first.
      - Fix: [ 2001151 ] Security fix.
      - Fix: [ 2038681 ] missing <br _/_> in plugins/geoip_org_maxmind.pm
      - Fix: [ 1921942 ] html footer is missing from the allextraN report.
      - Fix: [ 1943466 ] error geoip_city_maxmind Can't locate object method "record_
      - Fix: [ 1808277 ] Incorrect function call in geoip_isp_maxmind.pm
      - Fix: Full list of extrasections was not ordered correctly
      - A lot of other fixes.
      - Added missing icons
  
      Other/Documentation:
      - None
  
  - Fix CVE-2008-3714 from the upstream
    (Sec: Enhance security of sanitizing parameters)
    http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.925&r2=1.926
  
  PR:             ports/129957,
                  ports/130143
  Submitted by:   Eygene Ryabinkin <rea-fbsd _at\ codelabs.ru>,
                  Naram Qashat <cyberbotx -at\ cyberbotx.com>
  Approved by:    Alex Samorukov (maintainer)
  Security:       http://secunia.com/advisories/31519
  
  Revision  Changes    Path
  1.41      +10 -8     ports/www/awstats/Makefile
  1.24      +3 -3      ports/www/awstats/distinfo
  1.1       +22 -0     ports/www/awstats/files/patch-CVE-2008-3714 (new)
  1.3       +11 -11    ports/www/awstats/files/patch-wwwroot-cgi-bin-awstats.pl
  1.23      +13 -0     ports/www/awstats/pkg-plist
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Comment 7 chinsan 2009-01-04 06:18:34 UTC

State Changed
From-To: suspended->closed

Committed, thanks.

Comment 8 dfilter service 2009-01-04 06:21:52 UTC

chinsan     2009-01-04 06:21:42 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document awstats -- multiple XSS vulnerabilities
  
  PR:             ports/129957
  Submitted by:   Eygene Ryabinkin <rea-fbsd _at\ codelabs.ru>
  Approved by:    Alex Samorukov (maintainer)
  Security:       http://secunia.com/advisories/31519
  
  Revision  Changes    Path
  1.1803    +37 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Mark, good day.

Sun, Jan 04, 2009 at 01:06:41AM +0000, linimon@FreeBSD.org wrote:
> Synopsis: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080
> 
> State-Changed-From-To: feedback->suspended
> State-Changed-By: linimon
> State-Changed-When: Sun Jan 4 01:03:13 UTC 2009
> State-Changed-Why: 
> Maintainer approved, but also approved ports/130143 which contains an
> update.  However, that one doesn't contain the VuXML entry, so mark
> this as 'suspended' to flag that.

Thanks for noting this!  Although the patch for CVEs was committed, it
will be better to use the following patch that redoes maintainer's
attempt to fix the thing and adds the correct patch.

--- awstats.pl.diff begins here ---
--- wwwroot/cgi-bin/awstats.pl.orig	2009-01-06 22:01:04.000000000 +0300
+++ wwwroot/cgi-bin/awstats.pl	2009-01-06 22:03:09.000000000 +0300
@@ -7521,8 +7521,8 @@
 sub DecodeEncodedString {
 	my $stringtodecode = shift;
 	$stringtodecode =~ tr/\+/ /s;
-	$stringtodecode =~ s/%22//g;
 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+	$stringtodecode =~ s/["']//g;
 	return $stringtodecode;
 }
 
--- awstats.pl.diff ends here ---

The committed patch is good too, but to avoid confusion and do the proper
thing from the beginning, this variant will be better.

On the slightly related topic: seems like awstats-devel is broken,
because all sites have released version now:
-----
=> awstats-6.8.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://awstats.sourceforge.net/files/.
fetch: http://awstats.sourceforge.net/files/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851
=> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1

Stop in /usr/ports/www/awstats-devel.
-----
May be it should be marked as BROKEN?  The normal (non-devel) port is
on the higher version now, so once someone will have time and passion
to unbreak the port, he will do it.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

Comment 10 Martin Wilke 2009-01-06 19:17:51 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jan 06, 2009 at 10:15:11PM +0300, Eygene Ryabinkin wrote:
> Mark, good day.
> 
> Sun, Jan 04, 2009 at 01:06:41AM +0000, linimon@FreeBSD.org wrote:
> > Synopsis: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080
> > 
> > State-Changed-From-To: feedback->suspended
> > State-Changed-By: linimon
> > State-Changed-When: Sun Jan 4 01:03:13 UTC 2009
> > State-Changed-Why: 
> > Maintainer approved, but also approved ports/130143 which contains an
> > update.  However, that one doesn't contain the VuXML entry, so mark
> > this as 'suspended' to flag that.
> 
> Thanks for noting this!  Although the patch for CVEs was committed, it
> will be better to use the following patch that redoes maintainer's
> attempt to fix the thing and adds the correct patch.
> 
> --- awstats.pl.diff begins here ---
> --- wwwroot/cgi-bin/awstats.pl.orig	2009-01-06 22:01:04.000000000 +0300
> +++ wwwroot/cgi-bin/awstats.pl	2009-01-06 22:03:09.000000000 +0300
> @@ -7521,8 +7521,8 @@
>  sub DecodeEncodedString {
>  	my $stringtodecode = shift;
>  	$stringtodecode =~ tr/\+/ /s;
> -	$stringtodecode =~ s/%22//g;
>  	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
> +	$stringtodecode =~ s/["']//g;
>  	return $stringtodecode;
>  }
>  
> --- awstats.pl.diff ends here ---
> 
> The committed patch is good too, but to avoid confusion and do the proper
> thing from the beginning, this variant will be better.
> 
> On the slightly related topic: seems like awstats-devel is broken,
> because all sites have released version now:
> -----
> => awstats-6.8.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch from http://awstats.sourceforge.net/files/.
> fetch: http://awstats.sourceforge.net/files/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851
> => Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851
> => Couldn't fetch it - please try to retrieve this
> => port manually into /usr/ports/distfiles/ and try again.
> *** Error code 1
> 

awstats-devel is marked as forbidden few days ago.


> Stop in /usr/ports/www/awstats-devel.
> -----
> May be it should be marked as BROKEN?  The normal (non-devel) port is
> on the higher version now, so once someone will have time and passion
> to unbreak the port, he will do it.
> -- 
> Eygene
>  _                ___       _.--.   #
>  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
>  /  ' `         ,       __.--'      #  to read the on-line manual
>  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
>  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
>      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
>     {_.-``-'         {_/            #
> 

- -- 

+-----------------------+-------------------------------+
|  PGP    : 0x05682353  |  Jabber : miwi(at)BSDCrew.de  |
|  ICQ    : 169139903   |  Mail   : miwi(at)FreeBSD.org |
+-----------------------+-------------------------------+
|	Mess with the Best, Die like the Rest!		|
+-----------------------+-------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkljrl8ACgkQFwpycAVoI1NHhgCfYtYParwgjw3GdDEEM2CCuiPS
96cAnRpZ328zC0Uss/XEnCfIVyEYeBkg
=xLlZ
-----END PGP SIGNATURE-----

Martin, good day.

Tue, Jan 06, 2009 at 08:17:51PM +0100, Martin Wilke wrote:
> awstats-devel is marked as forbidden few days ago.

Err, sorry: should check the current ports tree prior to spitting
"bright ideas".
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

On Tue, Jan 06, 2009 at 10:15:11PM +0300, Eygene Ryabinkin wrote:
> Thanks for noting this!  Although the patch for CVEs was committed, it
> will be better to use the following patch that redoes maintainer's
> attempt to fix the thing and adds the correct patch.

miwi, chinsan, could either of you take a look at this?  Thanks.

mcl

On Wed, Jan 7, 2009 at 2:11 PM, Mark Linimon <linimon@lonesome.com> wrote:
> On Tue, Jan 06, 2009 at 10:15:11PM +0300, Eygene Ryabinkin wrote:
>> Thanks for noting this!  Although the patch for CVEs was committed, it
>> will be better to use the following patch that redoes maintainer's
>> attempt to fix the thing and adds the correct patch.
>
> miwi, chinsan, could either of you take a look at this?  Thanks.
>
> mcl
>

ok, done. :)