Bug 225007 - www/awstats: Update to 7.7 (security)
Summary: www/awstats: Update to 7.7 (security)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Danilo G. Baio
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2018-01-08 17:17 UTC by Vidar Karlsen
Modified: 2018-01-11 13:01 UTC (History)
1 user (show)

See Also:
dbaio: merge-quarterly+


Attachments
svn diff for awstats update from 7.6 to 7.7 (1016 bytes, patch)
2018-01-08 17:17 UTC, Vidar Karlsen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Vidar Karlsen 2018-01-08 17:17:03 UTC
Created attachment 189529 [details]
svn diff for awstats update from 7.6 to 7.7

Release notes for awstats 7.7 (from upstream):
Security fix: CVE-2017-1000501 [1]
Security fix: Missing sanitizing of parameters
Fix LogFormat=4 with url containing spaces.
Fix to window.opener vulnerability in external referral site links.
Add methodurlprot in key to define log format.
Add Dynamic DNS Lookup.
Fix edge support.

[1] CVE-2017-1000501: Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

poudriere testport ok on:
* 11.1 amd64
* 11.1 i386
* 10.4 amd64
* 10.4 i386
* 10.3 amd64
* 10.3 i386

portlint -C: looks fine.

Also requesting maintainership as this port has no maintainer.
Comment 1 commit-hook freebsd_committer 2018-01-08 23:04:54 UTC
A commit references this bug:

Author: dbaio
Date: Mon Jan  8 23:03:55 UTC 2018
New revision: 458494
URL: https://svnweb.freebsd.org/changeset/ports/458494

Log:
  security/vuxml: Document vulnerability in www/awstats

  Security:	CVE-2017-1000501

  PR:		225007
  Reported by:	Vidar Karlsen <vidar@karlsen.tech>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer 2018-01-08 23:10:00 UTC
A commit references this bug:

Author: dbaio
Date: Mon Jan  8 23:09:28 UTC 2018
New revision: 458496
URL: https://svnweb.freebsd.org/changeset/ports/458496

Log:
  www/awstats: Update to 7.7, Fixes security vulnerability

  Pass MAINTAINER'ship to submitter.

  Changes:	http://www.awstats.org/docs/awstats_changelog.txt

  PR:		225007
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  MFH:		2018Q1
  Security:	4055aee5-f4c6-11e7-95f2-005056925db4

Changes:
  head/www/awstats/Makefile
  head/www/awstats/distinfo
Comment 3 commit-hook freebsd_committer 2018-01-11 12:59:44 UTC
A commit references this bug:

Author: dbaio
Date: Thu Jan 11 12:59:14 UTC 2018
New revision: 458727
URL: https://svnweb.freebsd.org/changeset/ports/458727

Log:
  MFH: r458496

  www/awstats: Update to 7.7, Fixes security vulnerability

  Pass MAINTAINER'ship to submitter.

  Changes:	http://www.awstats.org/docs/awstats_changelog.txt

  PR:		225007
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Security:	4055aee5-f4c6-11e7-95f2-005056925db4

  Approved by:	ports-secteam (swills)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/www/awstats/Makefile
  branches/2018Q1/www/awstats/distinfo
Comment 4 Danilo G. Baio freebsd_committer 2018-01-11 13:01:21 UTC
Committed, thanks!