Nom du paquet
sarg
Date
2008-03-27
Advisory ID
MDVSA-2008:079
Affected versions
MNF2.0 i586 , 2007.0 x86_64 , 2007.1 i586 , 2007.0 i586 , 2008.0 x86_64 , 2008.0 i586 , 2007.1 x86_64

Problem description

A stack-based buffer overflow in sarg (Squid Analysis Report Generator)
allowed remote attackers to execute arbitrary code via a long Squid
proxy server User-Agent header (CVE-2008-1167).

A cross-site scripting vulnerability in sarg version 2.x prior to
2.2.5 allowed remote attackers to inject arbitrary web script or
HTML via the User-Agent heder, which is not properly handled when
displaying the Squid proxy log (CVE-2008-1168).

In addition, a number of other fixes have been made such as making
the getword() function more robust which should prevent any overflows,
other segfaults have been fixed, and the useragent report is now more
consistent with the other reports.

The updated packages have been patched to correct these issues.

Updated packages

MNF2.0 i586

 b64d9f675b66d14ee65541156d28b052  mnf/2.0/i586/sarg-2.2.5-0.1.M20mdk.i586.rpm 
 3d6ffd13a3be1adefcf4e34f06aba0f2  mnf/2.0/SRPMS/sarg-2.2.5-0.1.M20mdk.src.rpm

2007.0 x86_64

 c0653588b531b967a14060d798fbead5  2007.0/x86_64/sarg-2.2.5-0.2mdv2007.0.x86_64.rpm 
 f371cca6116e77d468cc2448411e519d  2007.0/SRPMS/sarg-2.2.5-0.2mdv2007.0.src.rpm

2007.1 i586

 df54b85b57812799134352f39b0d33da  2007.1/i586/sarg-2.2.5-0.2mdv2007.1.i586.rpm 
 13ab13a2899555be0a75424baa334374  2007.1/SRPMS/sarg-2.2.5-0.2mdv2007.1.src.rpm

2007.0 i586

 58e1392f51ac7b5a9448cf115ebdb873  2007.0/i586/sarg-2.2.5-0.2mdv2007.0.i586.rpm 
 f371cca6116e77d468cc2448411e519d  2007.0/SRPMS/sarg-2.2.5-0.2mdv2007.0.src.rpm

2008.0 x86_64

 cf17fe2e63bcd5afb2b274ae8164892b  2008.0/x86_64/sarg-2.2.5-0.2mdv2008.0.x86_64.rpm 
 695d91f0647d0097047e14abb09df4f5  2008.0/SRPMS/sarg-2.2.5-0.2mdv2008.0.src.rpm

2008.0 i586

 3cd060eaef73255b0252529ea80f4873  2008.0/i586/sarg-2.2.5-0.2mdv2008.0.i586.rpm 
 695d91f0647d0097047e14abb09df4f5  2008.0/SRPMS/sarg-2.2.5-0.2mdv2008.0.src.rpm

2007.1 x86_64

 784c6b0bb36ca30853d0c1ccbb26cb8f  2007.1/x86_64/sarg-2.2.5-0.2mdv2007.1.x86_64.rpm 
 13ab13a2899555be0a75424baa334374  2007.1/SRPMS/sarg-2.2.5-0.2mdv2007.1.src.rpm

References