Debian Bug report logs - #364443
[CVE-2006-1945]: Cross-site scripting allows script injection in awstats 6.5 and earlier
Reported by: Micah Anderson <micah@debian.org>
Date: Sun, 23 Apr 2006 14:48:15 UTC
Severity: important
Tags: security
Found in version awstats/6.4-1sarge1
Fixed in version awstats/6.5-2
Done: Jonas Smedegaard <dr@jones.dk>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>: Bug#364443; Package awstats.
Acknowledgement sent to Micah Anderson <micah@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: awstats
Severity: important
Tags: security
CVE-2006-1945 says:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.
http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
This flaw exists because input passed to "config" parameter in
"awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also
doing XSS vuln. check attacker will get full path disclosure.
This affects version 6.5 (build 1.857) and earlier.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16+vserver
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>: Bug#364443; Package awstats.
Acknowledgement sent to Charles Fry <debian@frogcircus.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #10 received at 364443@bugs.debian.org (full text, mbox, reply):
Hi Eldy,
I assume that you already know about this, but I wanted to make sure.
Even better, I'd love to have a patch to fix it, so that we can patch up
Debian. :-)
thanks,
Charles
----- Forwarded message from Micah Anderson <micah@debian.org> -----
CVE-2006-1945 says:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.
http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
This flaw exists because input passed to "config" parameter in
"awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also
doing XSS vuln. check attacker will get full path disclosure.
This affects version 6.5 (build 1.857) and earlier.
----- End forwarded message -----
--
The answer to
A shaver's dream
A greaseless
No brush
Shaving cream
Burma-Shave
http://burma-shave.org/jingles/1934/the_answer_to
Acknowledgement sent to "Laurent Destailleur (Eldy)" <eldy@users.sourceforge.net>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #15 received at 364443@bugs.debian.org (full text, mbox, reply):
Charles Fry wrote:
> Hi Eldy,
>
> I assume that you already know about this, but I wanted to make sure.
> Even better, I'd love to have a patch to fix it, so that we can patch up
> Debian. :-)
>
> thanks,
> Charles
>
> ----- Forwarded message from Micah Anderson <micah@debian.org> -----
>
> CVE-2006-1945 says:
>
> Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
> and earlier allows remote attackers to inject arbitrary web script or
> HTML via the config parameter.
>
> http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
>
> This flaw exists because input passed to "config" parameter in
> "awstats.pl" isn't properly sanitised before being returned to the user.
> This could allow a user to create a specially crafted URL that would
> execute arbitrary code in a user's browser within the trust relationship
> between the browser and the server, leading to a loss of integrity. Also
> doing XSS vuln. check attacker will get full path disclosure.
>
>
Yes, I was aware.
1) For the path exposure, to fix it, you can change
    print "If not, you can run \"$dir\tools\awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";
by
    print "If not, you can run \"awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";
2) For the XSS, I don't think it's true (I can't see how it can be true).
The full query string is in 6.5 sanitized by the line
    $QueryString = CleanFromCSSA($QueryString);
meaning there is never any javascript on generated web pages coming from
url parameters. So I can't see how a user can force AWStats to build
pages that contain XSS code coming from these parameters when these
parameters can't contain < nor > absolutely required to execute javascript.
If I want to fix this "hole", I have to add the sanitizing command
$QueryString = CleanFromCSSA($QueryString); but this is already done in
6.5. So I don't know how to fix this (if there is a hole). I didn't find
anywhere a way to exploit this announce.
> This affects version 6.5 (build 1.857) and earlier.
>
> ----- End forwarded message -----
>
>
--
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy@users.sourceforge.net
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy
AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http//www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #20 received at 364443@bugs.debian.org (full text, mbox, reply):
Hello,
as mentioned in http://www.osreviews.net/reviews/comm/awstats, the
same type of XSS vulnerability also exists with the 'diricons'
parameter. In this case, Debian is affected, too.
Hendrik
Acknowledgement sent to Charles Fry <debian@frogcircus.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #25 received at 364443@bugs.debian.org (full text, mbox, reply):
> as mentioned in http://www.osreviews.net/reviews/comm/awstats, the
> same type of XSS vulnerability also exists with the 'diricons'
> parameter. In this case, Debian is affected, too.
As Eldy already explained (earlier in this bug report), the entire query
string is sanitised against XSS by a call to CleanFromCSSA. The
osreviews guys noticed that the word "Sanitize" does not surround
diricons ("and possibly others as well"), but they failed to notice the
cleaning call to CleanFromCSSA.
Eldy, would you mind clarifying for us the distinction between Sanitize
and CleanFromCSSA, and explaining why you don't always call Sanitize?
Charles
--
No sooner spread than done
Burma-Shave
http://burma-shave.org/jingles/1939/no_sooner_spread
Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #30 received at 364443@bugs.debian.org (full text, mbox, reply):
Charles Fry <debian@frogcircus.org> writes:
>> as mentioned in http://www.osreviews.net/reviews/comm/awstats, the
>> same type of XSS vulnerability also exists with the 'diricons'
>> parameter. In this case, Debian is affected, too.
>
> As Eldy already explained (earlier in this bug report), the entire query
> string is sanitised against XSS by a call to CleanFromCSSA. The
> osreviews guys noticed that the word "Sanitize" does not surround
> diricons ("and possibly others as well"), but they failed to notice the
> cleaning call to CleanFromCSSA.
Exploit #1: http://www.example.com/cgi-bin/awstats.pl?diricons=%22%3E0wned!%3Cspan%20%22
Hendrik
Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #35 received at 364443@bugs.debian.org (full text, mbox, reply):
Charles Fry <debian@frogcircus.org> writes:
> Any final comments on anything I'm missing before moving forward with
> this patch?
Seems fine to me.
Hendrik
Acknowledgement sent to Charles Fry <debian@frogcircus.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #40 received at 364443@bugs.debian.org (full text, mbox, reply):
> Exploit #1: http://www.example.com/cgi-bin/awstats.pl?diricons=%22%3E0wned!%3Cspan%20%22
I see. Thank you for taking the time to put these examples together for
us. :-)
I've prepared an updated patch that should take care of both bug #364443
and #365909.
Any final comments on anything I'm missing before moving forward with
this patch?
thanks,
Charles
--
As you journey
Down the years
Your mirror is
The glass that cheers
If you use
Burma-Shave
http://burma-shave.org/jingles/1936/as_you_journey
[1001_sanitize_more.patch (text/plain, attachment)]
Reply sent to Jonas Smedegaard <dr@jones.dk>: You have taken responsibility.
Notification sent to Micah Anderson <micah@debian.org>: Bug acknowledged by developer.
Message #45 received at 364443-close@bugs.debian.org (full text, mbox, reply):
Source: awstats
Source-Version: 6.5-2
We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:
awstats_6.5-2.diff.gz
to pool/main/a/awstats/awstats_6.5-2.diff.gz
awstats_6.5-2.dsc
to pool/main/a/awstats/awstats_6.5-2.dsc
awstats_6.5-2_all.deb
to pool/main/a/awstats/awstats_6.5-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 364443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated awstats package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 9 May 2006 23:10:43 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 364443 365909 365910
Changes:
awstats (6.5-2) unstable; urgency=high
.
[ Charles Fry ]
* Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
enable configdir. Closes: #365910 (thanks to Hendrik Weimer
<hendrik@enyo.de>)
* Integrated security patches from upstream:
+ Decode QueryString. Closes: #364443 (thanks to Micah Anderson
<micah@debian.org>)
+ Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik Weimer
<hendrik@enyo.de>)
* Indent Homepage in long description, per debian reference guideline
.
[ Jonas Smedegaard ]
* Update local cdbs snippet copyright-check.mk:
+ Broaden scan to also look for "(c)" by default.
+ Make egrep options configurable.
* Semi-auto-update debian/control:
+ Bump up versioned build-dependency on debhelper.
* Semi-auto-update debian/copyright_hints (nothing remarkable).
* Set urgency=high as this upload fixes security-related bugs
(bug#365909: CVE-2006-2237).
* Fix including a couple of example shell scripts ignored by mistake.
Files:
bf575ea8463263271c52860d1d7904f1 759 web optional awstats_6.5-2.dsc
1829b872bf69228e57040378475e07a1 18596 web optional awstats_6.5-2.diff.gz
85e53aff0e62a8809e18232617e5aa7f 854100 web optional awstats_6.5-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEYQq/n7DbMsAkQLgRAiKtAJwK4hhf+YU8JANbIsdQ6kvmyujL9QCfRl3U
BCIAGnkI7rd5QDS9ZUBwze4=
=nSGA
-----END PGP SIGNATURE-----
Bug marked as found in version 6.4-1sarge1. Request was from Charles Fry <debian@frogcircus.org> to control@bugs.debian.org.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #52 received at 364443@bugs.debian.org (full text, mbox, reply):
How can the diricons and config parameters be exploited? From a quick
glance I can't find an open associated with $DirIcons.
I assume $SiteConfig leads to an open() call.
Charles Fry wrote:
> Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
> ===================================================================
> --- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2005-11-24 15:11:19.000000000 -0500
> +++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-05 16:43:12.000000000 -0400
> @@ -5542,8 +5542,8 @@
> # No update but report by default when run from a browser
> $UpdateStats=($QueryString=~/update=1/i?1:0);
>
> - if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
> - if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
> + if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
> + if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
> if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
> if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
> # All filters
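Review bot: The `config=` and `diricons=` patterns on the two changed lines are unanchored, so any key that merely ends in `config=` or `diricons=` also assigns $SiteConfig or $DirIcons; the migrate test in the next hunk anchors its key at the start of the string or after a separator, and the same prefix here would make the match exact. Because the `pluginmode` line passes a second argument `1` to Sanitize and these lines do not, a one-line comment on what that argument changes would let a reader judge whether config and diricons need it too.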
> @@ -5561,7 +5561,7 @@
>
> # If migrate
> if ($QueryString =~ /(^|-|&|&)migrate=([^&]+)/i) {
> - $MigrateStats=&DecodeEncodedString("$2");
> + $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
> $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
> $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
> }
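Review bot: The result of the filename match on $MigrateStats is not checked before `$5` is read, so when the sanitized value does not fit the `$PROG...txt` pattern the capture variables are whatever the earlier `migrate=` match left behind and $SiteConfig silently becomes 'xxx'. Wrapping the $SiteConfig assignment in `if ($MigrateStats =~ /.../) { ... }` with an explicit else branch would make that fallback intentional; $PROG is also interpolated into the pattern unquoted, so `\Q$PROG\E` would be safer.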
> @@ -5591,8 +5591,8 @@
> # Update with no report by default when run from command line
> $UpdateStats=1;
>
> - if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
> - if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
> + if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
> + if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize("$1"); }
> if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
> if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
> # All filters
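Review bot: In this command-line branch the new `config` and `diricons` lines call Sanitize on `$1` without DecodeEncodedString, unlike the browser branch in the first hunk; that matches the existing `pluginmode` and `configdir` lines here, but a comment stating that command-line arguments are taken literally would document the asymmetry. The four assignments are now duplicated between the two branches, so a small helper taking the parameter name and a decode flag would keep the two lists from drifting apart.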
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #57 received at 364443@bugs.debian.org (full text, mbox, reply):
Martin Schulze <joey@infodrom.org> writes:
> How can the diricons and config parameters be exploited? From a quick
> glance I can't find an open associated with $DirIcons.
The diricons issue is an XSS vulnerability. It has nothing to do with
the two other holes (which lead to arbitrary code execution) other
than they all are a case of missing input sanitizing.
Hendrik
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #62 received at 364443@bugs.debian.org (full text, mbox, reply):
Hendrik Weimer wrote:
> Martin Schulze <joey@infodrom.org> writes:
>
> > How can the diricons and config parameters be exploited? From a quick
> > glance I can't find an open associated with $DirIcons.
>
> The diricons issue is an XSS vulnerability. It has nothing to do with
> the two other holes (which lead to arbitrary code execution) other
> than they all are a case of missing input sanitizing.
Umh... but since the query_string is already sanitised globally
how can XSS still happen? Was the sanitising not successful?
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #67 received at 364443@bugs.debian.org (full text, mbox, reply):
Martin Schulze <joey@infodrom.org> writes:
> Umh... but since the query_string is already sanitised globally
> how can XSS still happen? Was the sanitising not successful?
AFAICS the query_string is not being decoded first. Therefore, a '>'
encoded as %3E will slip through. Version 6.5-2 contains the proper
fix.
Hendrik
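The ordering problem described in message #67, as an added example that is not AWStats code and not part of the original thread: it compares cleaning an encoded query string before decoding with decoding first and then filtering. The subs `clean_markup`, `url_decode`, `attr_safe`, `extract_param` and the `<img>` template are hypothetical stand-ins, and the query strings are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a cleaner that neutralises literal angle brackets
# in the whole query string (assumption; not the AWStats CleanFromCSSA source).
sub clean_markup {
    my ($s) = @_;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Hypothetical stand-in for percent-decoding a single parameter value.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Hypothetical allow-list filter for a value that ends up inside a quoted
# HTML attribute: everything except path-like characters is dropped.
sub attr_safe {
    my ($s) = @_;
    $s =~ s/[^A-Za-z0-9_.\/:-]//g;
    return $s;
}

# Return the still-encoded value of parameter $name, or undef if absent.
sub extract_param {
    my ($qs, $name) = @_;
    return $qs =~ /(?:^|&)\Q$name\E=([^&]*)/ ? $1 : undef;
}

# Order A: clean the encoded query string, then decode the parameter.
sub clean_then_decode {
    my ($qs, $name) = @_;
    my $raw = extract_param(clean_markup($qs), $name);
    return defined $raw ? url_decode($raw) : undef;
}

# Order B: decode the parameter first, then filter the decoded value.
sub decode_then_filter {
    my ($qs, $name) = @_;
    my $raw = extract_param($qs, $name);
    return defined $raw ? attr_safe(url_decode($raw)) : undef;
}

# Constructed sample query strings (not taken from real traffic).
my @samples = (
    'diricons=/icon',                     # ordinary value
    'diricons=%22%3EMARK%3Cspan%20%22',   # percent-encoded quote and brackets
    'diricons=%2522%253EMARK',            # the same characters encoded twice
);

for my $qs (@samples) {
    print "query: $qs\n";
    for my $case (['clean, then decode', \&clean_then_decode],
                  ['decode, then filter', \&decode_then_filter]) {
        my ($label, $fn) = @$case;
        my $value = $fn->($qs, 'diricons');
        # Hypothetical template that echoes the value into an attribute.
        my $html  = qq{<img src="$value/other/button.gif">};
        my $alert = $value =~ /[<>"]/ ? 'markup characters survive' : 'ok';
        printf "  %-20s %-26s %s\n", $label, $alert, $html;
    }
}
```

For the twice-encoded sample, order A leaves `%22%3E` in the output, which stays inert only as long as nothing decodes it again; the allow-list in order B drops the `%` as well.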
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #72 received at 364443@bugs.debian.org (full text, mbox, reply):
Hendrik Weimer wrote:
> Martin Schulze <joey@infodrom.org> writes:
>
> > Umh... but since the query_string is already sanitised globally
> > how can XSS still happen? Was the sanitising not successful?
>
> AFAICS the query_string is not being decoded first. Therefore, a '>'
> encoded as %3E will slip through. Version 6.5-2 contains the proper
> fix.
It does. I understand now.
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Thomas Kaehn <tk@westend.com>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #77 received at 364443@bugs.debian.org (full text, mbox, reply):
Hi,
will CVE-2006-2237 be fixed in Sarge? I can't see a DSA yet and the
problem is not listed as a non-vulnerability.
Ciao,
Thomas
--
Thomas Kähn WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
tk@westend.com D-52064 Aachen Fax 0241/911879
Acknowledgement sent to Charles Fry <debian@frogcircus.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #82 received at 364443@bugs.debian.org (full text, mbox, reply):
> will CVE-2006-2237 be fixed in Sarge? I can't see a DSA yet and the
> problem is not listed as a non-vulnerability.
I have an updated version for Sarge that still needs to be reviewed by
Jonas, unless someone else wants to step up to the task.
Charles
--
Hit 'em high
Hit 'em low
Follow your team
Over WCCO
And win a prize
Burma-Shave
http://burma-shave.org/jingles/1933/hit_em_high
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
Message #87 received at 364443@bugs.debian.org (full text, mbox, reply):
Thomas Kaehn wrote:
> Hi,
>
> will CVE-2006-2237 be fixed in Sarge? I can't see a DSA yet and the
> problem is not listed as a non-vulnerability.
I was working on this already.
Regards,
Joey
--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin
Please always Cc to me when replying to me on the lists.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 25 Jun 2007 09:47:35 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:47:14 2019; Machine Name: beach