From: dirk.meyer@dinoex.sub.org (Dirk Meyer)
To: ports@freebsd.org
Subject: Vulnerability in webalizer prior 2.1.9
Date: Wed, 21 Nov 2001 06:34:49 +0100

Warning:
There is a cross-site scripting vulnerability in webalizer which can allow an attacker to exploit a victim by embedding malicious HTML tags in webalizer-generated reports.

This update fixes the aforementioned cross-site scripting vulnerability reported by Magnux Software. This updated version also fixes a date calculation overflow error and enables DNS resolution provided it is enabled in the webalizer configuration file.

vulnerable versions:
All versions 2.x up to 2.1.6_4

2001/10/25 updated in the ports tree.
2001/11/03 email to security-officer@FreeBSD.org

Packages need to be built/fetched:
webalizer-2.1.9
de-webalizer-2.1.9
uk-webalizer-2.1.9

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany

links:
http://www.securityfocus.com/archive/1/222556
http://www.securityfocus.com/advisories/3628
http://www.securityfocus.com/archive/1/223798
http://www.securityfocus.com/advisories/3634
http://www.securityfocus.com/archive/1/224274
http://www.securityfocus.com/advisories/3643
http://www.securityfocus.com/bid/3473
http://www.securityfocus.com/archive/1/225254
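
The class of bug the message describes arises when a report generator copies strings taken from a web server log into HTML without encoding them. The following is an added example, not webalizer's code and not the fix shipped in 2.1.9: it assumes a combined-format log line and uses the Referer (second quoted field) as a stand-in for any log-derived string; `quoted_field`, `html_escape` and the sample line are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: combined-format log line with markup in the Referer. */
static const char SAMPLE[] = "192.0.2.7 - - [20/Nov/2001:21:40:43 -0800] "
    "\"GET / HTTP/1.0\" 200 512 "
    "\"http://example.test/<script>alert(1)</script>\" \"Mozilla/4.0\"";

/* Write len bytes of src to dst as HTML text; -1 if the result won't fit. */
int html_escape(char *dst, size_t cap, const char *src, size_t len)
{
    size_t used = 0;
    for (size_t i = 0; i < len; i++) {
        char one[2] = { src[i], '\0' };
        const char *rep = src[i] == '&' ? "&amp;" : src[i] == '<' ? "&lt;" :
                          src[i] == '>' ? "&gt;" : src[i] == '"' ? "&quot;" :
                          src[i] == '\'' ? "&#39;" : one;
        size_t n = strlen(rep);
        if (used + n + 1 > cap) return -1;   /* keep room for the NUL */
        memcpy(dst + used, rep, n);
        used += n;
    }
    if (used >= cap) return -1;
    dst[used] = '\0';
    return 0;
}

/* Locate the n-th (0-based) quoted field; \" inside a field is not handled. */
const char *quoted_field(const char *line, int n, size_t *len)
{
    for (const char *p = line; ; n--) {
        const char *open = strchr(p, '"');
        const char *close = open ? strchr(open + 1, '"') : NULL;
        if (!close) return NULL;
        *len = (size_t)(close - open - 1);
        if (n == 0) return open + 1;
        p = close + 1;
    }
}

int main(void)
{
    char safe[1024];
    size_t len;
    const char *ref = quoted_field(SAMPLE, 1, &len);  /* field 1 = Referer */
    if (!ref || html_escape(safe, sizeof safe, ref, len)) return 1;
    printf("<tr><td>%s</td></tr>\n", safe);  /* markup arrives as inert text */
    return 0;
}
```

Escaping is applied at the point of output, so every log-derived value written into the report has to pass through it, not only the field shown here.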