It was discovered that the upstream patch for the cross-site scripting (XSS) issue in awstats known as CVE-2008-3714 does not completely resolve the problem and still allows injection of quote characters.
An improved patch is available in the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432#21
It strips quotes only after URL-decoding of %-escaped strings is done, rather than before.
The patch is included in the Debian security advisory DSA-1679-1: http://www.debian.org/security/2008/dsa-1679
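The ordering problem described in the comment above, modelled as an added Python example; it is not part of the bug report and is not awstats code (awstats is written in Perl). The function names, the set of stripped characters, the template and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the filter removes single and double quotes, the characters
# the report says could still be injected.
_QUOTES = re.compile(r"[\"']")


def strip_then_decode(raw: str) -> str:
    """Incomplete order: filter the still-encoded value, then URL-decode it."""
    return unquote(_QUOTES.sub("", raw))


def decode_then_strip(raw: str) -> str:
    """Order used by the improved patch: URL-decode first, then filter."""
    return _QUOTES.sub("", unquote(raw))


def render_attr(value: str) -> str:
    """Hypothetical template placing the value in a double-quoted attribute."""
    return f'<input name="q" value="{value}">'


# Constructed sample inputs: a literal quote and two %-escaped quotes.
SAMPLES = ['report"2008', "report%222008", "report%272008"]


def survivors(sanitize) -> list:
    """Return the samples whose sanitized form still contains a quote."""
    return [s for s in SAMPLES if _QUOTES.search(sanitize(s))]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}")
        print("  strip->decode:", render_attr(strip_then_decode(s)))
        print("  decode->strip:", render_attr(decode_then_strip(s)))
    print("quotes survive strip->decode:", survivors(strip_then_decode))
    print("quotes survive decode->strip:", survivors(decode_then_strip))
```

The filter only sees `%22` and `%27` as harmless text when it runs before decoding, so the decoded quote reaches the attribute; running the same filter after decoding removes it.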
awstats-6.8-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/awstats-6.8-3.fc10
awstats-6.8-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
awstats-6.8-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
awstats-6.8-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
I have built it in EPEL5 with the additional fix.