Bug 225007 - www/awstats: Update to 7.7 (security)
Summary: www/awstats: Update to 7.7 (security)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Danilo G. Baio
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2018-01-08 17:17 UTC by Vidar Karlsen
Modified: 2018-01-11 13:01 UTC

See Also:
dbaio: merge-quarterly+


Attachments
svn diff for awstats update from 7.6 to 7.7 (1016 bytes, patch)
2018-01-08 17:17 UTC, Vidar Karlsen

Description Vidar Karlsen 2018-01-08 17:17:03 UTC
Created attachment 189529
svn diff for awstats update from 7.6 to 7.7

Release notes for awstats 7.7 (from upstream):
Security fix: CVE-2017-1000501 [1]
Security fix: Missing sanitizing of parameters
Fix LogFormat=4 with url containing spaces.
Fix to window.opener vulnerability in external referral site links.
Add methodurlprot in key to define log format.
Add Dynamic DNS Lookup.
Fix edge support.

[1] CVE-2017-1000501: Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

poudriere testport ok on:
* 11.1 amd64
* 11.1 i386
* 10.4 amd64
* 10.4 i386
* 10.3 amd64
* 10.3 i386

portlint -C: looks fine.

Also requesting maintainership as this port has no maintainer.
Comment 1 commit-hook freebsd_committer freebsd_triage 2018-01-08 23:04:54 UTC
A commit references this bug:

Author: dbaio
Date: Mon Jan  8 23:03:55 UTC 2018
New revision: 458494
URL: https://svnweb.freebsd.org/changeset/ports/458494

Log:
  security/vuxml: Document vulnerability in www/awstats

  Security:	CVE-2017-1000501

  PR:		225007
  Reported by:	Vidar Karlsen <vidar@karlsen.tech>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-01-08 23:10:00 UTC
A commit references this bug:

Author: dbaio
Date: Mon Jan  8 23:09:28 UTC 2018
New revision: 458496
URL: https://svnweb.freebsd.org/changeset/ports/458496

Log:
  www/awstats: Update to 7.7, Fixes security vulnerability

  Pass MAINTAINER'ship to submitter.

  Changes:	http://www.awstats.org/docs/awstats_changelog.txt

  PR:		225007
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  MFH:		2018Q1
  Security:	4055aee5-f4c6-11e7-95f2-005056925db4

Changes:
  head/www/awstats/Makefile
  head/www/awstats/distinfo
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-01-11 12:59:44 UTC
A commit references this bug:

Author: dbaio
Date: Thu Jan 11 12:59:14 UTC 2018
New revision: 458727
URL: https://svnweb.freebsd.org/changeset/ports/458727

Log:
  MFH: r458496

  www/awstats: Update to 7.7, Fixes security vulnerability

  Pass MAINTAINER'ship to submitter.

  Changes:	http://www.awstats.org/docs/awstats_changelog.txt

  PR:		225007
  Submitted by:	Vidar Karlsen <vidar@karlsen.tech>
  Security:	4055aee5-f4c6-11e7-95f2-005056925db4

  Approved by:	ports-secteam (swills)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/www/awstats/Makefile
  branches/2018Q1/www/awstats/distinfo
Comment 4 Danilo G. Baio freebsd_committer freebsd_triage 2018-01-11 13:01:21 UTC
Committed, thanks!