| Summary: | awstats does not work with perl 5.14 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Yann Ciret <mageia> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | dmorganec, guillomovitch, jquelin, luigiwalser, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | mga2-32-OK mga2-64-OK | ||
| Source RPM: | awstats-7.0-1.mga1.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | awstats conf file; log file to analyse | ||
Description
Yann Ciret
2012-09-18 19:39:50 CEST
Created attachment 2823
awstats conf file
Created attachment 2824
log file to analyse
I think it is the same problem encountered in this closed bug: https://bugs.mageia.org/show_bug.cgi?id=3694
Manuel Hiebel
2012-09-23 21:07:46 CEST
Assignee:
bugsquad =>
dmorganec

Jérôme, can you investigate if this is a perl problem? Thank you

CC:
(none) =>
jquelin

i don't think it's directly related to perl.
1- the program doesn't crash or complain about a missing pkg
2- in fact, it only requires the following modules:
perl(Encode)
perl(LWP::UserAgent)
perl(POSIX)
perl(Socket)
perl(Switch)
perl(Time::Local)
which aren't that fancy.
==> so it's more related to awstats code itself imo.
note that it may be related to perl upgrade, if awstats didn't update its codebase to work with new perl semantics - but honestly, i doubt it given that most of the code should work just fine.

Thank you Jerome for your analysis. After some searching on the awstats website, there are compatibility problems between awstats 7.0 and perl >= 5.14. awstats 7.1, pushed recently in cauldron, solves the problem. Would it be possible to push it as an update for Mageia 2?

Guillaume, as you pushed the last update in cauldron, is it possible to consider pushing it as a Mageia 2 update? I know this is a beta release, but as the current release is broken, I think it is better to have a working beta release rather than a stable broken release.

CC:
(none) =>
guillomovitch

There are also multiple security flaws fixed in 7.1. Fedora/RedHat has fixes for all of these issues backported to 7.0.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated awstats package fixes security vulnerabilities:

Multiple unspecified security vulnerabilities in awstats before 7.1, including XSS flaws, sql injection, and header response splitting flaws in awredir.pl (CVE-2012-4547, rhbz#740926).

Additionally, on Mageia 2, this fixes awstats usage with perl 5.14.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4547
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068245.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072054.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093401.html
========================

Updated packages in core/updates_testing:
========================
awstats-7.0-1.1.mga1
awstats-7.0-1.1.mga2

from SRPMS:
awstats-7.0-1.1.mga1.src.rpm
awstats-7.0-1.1.mga2.src.rpm

URL:
(none) =>
http://lwn.net/Vulnerabilities/527351/

Oops, wanted to add the upstream changelog to the References too:
http://awstats.sourceforge.net/docs/awstats_changelog.txt
David Walser
2012-11-28 20:29:22 CET
Component:
RPM Packages =>
Security
David Walser
2012-11-28 20:29:34 CET
Assignee:
bugsquad =>
qa-bugs

We don't appear to ship awredir.pl so I don't think we're vulnerable to this. It isn't required by awstats so doesn't seem to have been included.

http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?view=markup

See line 123 onwards.

Is an update necessary?

Testing release version mga2 64

# /usr/share/awstats/www/awstats.pl -config=awstats.conf -update
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.0 (build 1.971)
From data in log file "/var/log/httpd/access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 91
 Found 0 dropped records,
 Found 0 comments,
 Found 0 blank records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 91 new qualified records.

So not able to reproduce the mga2 bug here either.

# rpm -q awstats
awstats-7.0-1.mga1

I didn't check with the attached conf/log though yet..
claire robinson
2012-11-29 18:08:19 CET
Whiteboard:
MGA1TOO =>
MGA1TOO feedback

Indeed we don't ship awredir.pl, so the security bugs are non-issues.

Component:
Security =>
RPM Packages
David Walser
2012-11-29 19:17:43 CET
URL:
http://lwn.net/Vulnerabilities/527351/ =>
(none)

Thanks David, I guess we can also remove the awstats update for mga1 as this bug is against mga2, unless mga1 is also affected by it.

Jerome or Yann, are you aware whether mga1 is affected please?

Hello Claire, only mga2 is affected by this bug.

I'm just testing the new package:

[root@localhost ~]# /usr/share/awstats/www/awstats.pl -config=awstats.conf -update
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.0 (build 1.971)
From data in log file "/var/log/httpd/access_invisionboard.log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 444
 Found 10 dropped records,
 Found 0 comments,
 Found 0 blank records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 434 new qualified records.

Now it works! :)

Thanks for the confirmation Yann. This package should be good to go. We could ask tmb to remove from mga1 updates_testing when he pushes it, of course it's gonna be cleared in a few days anyway...

Advisory:
========================

This update fixes awstats usage with perl 5.14.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072054.html
========================

Updated packages in core/updates_testing:
========================
awstats-7.0-1.1.mga2

from awstats-7.0-1.1.mga2.src.rpm

Thanks Yann for testing.

As Yann has confirmed the bug is fixed and already tested mga2 64, just basic testing mga2 32, it seems OK.

Validating

Advisory and srpm for mga2 in comment 17

Could sysadmin please push from core/updates_testing to core/updates

Also, awstats was built for mga1 but it was not necessary, this can be removed (or left and deleted with the rest later).

Thanks!

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0233

Status:
NEW =>
RESOLVED