Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3714 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.

References:
http://bugs.gentoo.org/show_bug.cgi?id=235225

Upstream patch:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912

Upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
CVE-2008-3714: This issue affects the versions of the awstats package as shipped with Fedora 8 and Fedora 9, and the version of the awstats package as shipped within the Extra Packages for Enterprise Linux (EPEL) project.
I am having issues accessing the Fedora CVS server to update the package. I know the Infrastructure team is fixing a pretty big problem; is there any way we could update this package?
Aurelien, there's no alternate way at the moment, afaik. So we'll have to wait until infrastructure is restored again, which will hopefully happen soon now.
For some reason an EPEL5 bug didn't get opened so I created bug #459865. Can't work out how to make it Fedora contributor-only though.
awstats-6.8-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
awstats-6.8-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-7684
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-7663