diff -Nru loganalyzer-3.6.5+dfsg/ChangeLog loganalyzer-3.6.6+dfsg/ChangeLog --- loganalyzer-3.6.5+dfsg/ChangeLog 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/ChangeLog 2014-09-02 09:09:55.000000000 +0000 @@ -1,4 +1,13 @@ --------------------------------------------------------------------------- +Version 3.6.6 (stable), 2014-09-02 +- Fixed bug in databasemapping admin. The form parameter and database + fieldname of EventID field were interfering. +- Fixed a bug in maintenance.php, the ID parameter was forced to + an integer. A leftover from earlier loganalyzer days. +- Fixed Cross Site Scripting Issue in index.php/detail.php for + stringtype fields discovered by Dolev Farhi dolevf@yahoo.com + from F5 Networks. +--------------------------------------------------------------------------- Version 3.6.5 (stable), 2013-10-08 - LogStreamDB Driver, LogStreamPDO Driver, UserDB: Added backticks arround tablenames in all SQL Statements. diff -Nru loganalyzer-3.6.5+dfsg/debian/changelog loganalyzer-3.6.6+dfsg/debian/changelog --- loganalyzer-3.6.5+dfsg/debian/changelog 2014-03-15 07:37:59.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/debian/changelog 2014-09-09 17:57:23.000000000 +0000 @@ -1,3 +1,16 @@ +loganalyzer (3.6.6+dfsg-2) unstable; urgency=high + + * Correctly detect existing Apache conf (Closes: #760944) + + -- Daniel Pocock Tue, 09 Sep 2014 19:56:41 +0200 + +loganalyzer (3.6.6+dfsg-1) unstable; urgency=high + + * New upstream release. + * Fix cross-site-scripting CVE-2014-6070 (Closes: #760372) + + -- Daniel Pocock Sun, 07 Sep 2014 08:32:12 +0200 + loganalyzer (3.6.5+dfsg-7) unstable; urgency=medium * Improve check for dangling symlink to removed conf file diff -Nru loganalyzer-3.6.5+dfsg/debian/control loganalyzer-3.6.6+dfsg/debian/control --- loganalyzer-3.6.5+dfsg/debian/control 2014-03-10 08:24:29.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/debian/control 2014-09-07 06:39:48.000000000 +0000 
@@ -2,12 +2,12 @@ Section: net Priority: optional Maintainer: Debian Monitoring Maintainers -Uploaders: Daniel Pocock +Uploaders: Daniel Pocock Homepage: http://loganalyzer.adiscon.com/ Build-Depends: debhelper (>= 9.0.0), po-debconf Standards-Version: 3.9.5 -Vcs-Git: git://git.debian.org/pkg-monitoring/loganalyzer.git -Vcs-Browser: http://git.debian.org/?p=pkg-monitoring/loganalyzer.git;a=summary +Vcs-Git: git://anonscm.debian.org/pkg-monitoring/loganalyzer.git +Vcs-Browser: http://anonscm.debian.org/cgit/pkg-monitoring/loganalyzer.git Package: loganalyzer Architecture: all diff -Nru loganalyzer-3.6.5+dfsg/debian/postinst loganalyzer-3.6.6+dfsg/debian/postinst --- loganalyzer-3.6.5+dfsg/debian/postinst 2014-03-13 08:17:00.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/debian/postinst 2014-09-09 17:53:54.000000000 +0000 @@ -48,7 +48,7 @@ then ln -s /etc/${pkgname}/apache.conf ${HTTPD_CONF_OLD}/${pkgname} fi - if [ -d ${HTTPD_CONF_NEW} -a ! -f ${HTTPD_CONF_NEW}/${pkgname} -a ! -h ${HTTPD_CONF_NEW}/${pkgname} ]; + if [ -d ${HTTPD_CONF_NEW} -a ! -f ${HTTPD_CONF_NEW}/${pkgname}.conf -a ! -h ${HTTPD_CONF_NEW}/${pkgname}.conf ]; then ln -s /etc/${pkgname}/apache.conf ${HTTPD_CONF_NEW}/${pkgname}.conf if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then diff -Nru loganalyzer-3.6.5+dfsg/doc/troubleshoot.html loganalyzer-3.6.6+dfsg/doc/troubleshoot.html --- loganalyzer-3.6.5+dfsg/doc/troubleshoot.html 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/doc/troubleshoot.html 2014-09-02 09:09:55.000000000 +0000 @@ -7,7 +7,7 @@ if you need to ask for assistance. This page is continously being expanded.
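Review bot: The corrected guard on the `+` line still lets `ln -s` misfire when `${HTTPD_CONF_NEW}/${pkgname}.conf` exists as something other than a regular file or symlink (a directory left behind by an admin, for instance), because `-f` matches only regular files and `ln -s` would then create the link inside that directory. Testing for existence covers that case: `if [ -d "${HTTPD_CONF_NEW}" ] && [ ! -e "${HTTPD_CONF_NEW}/${pkgname}.conf" ] && [ ! -h "${HTTPD_CONF_NEW}/${pkgname}.conf" ];` — `-h` is kept because `-e` does not see a dangling symlink. Quoting the expansions and using `&&` instead of the deprecated `-a` also avoids a misparse if any of the variables is empty. The enclosing `if` chain begins before the hunk.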

Useful troublehshooting ressources are:

    -
  • The LogAnalyzer documentation - note that the online version always covers +
  • The LogAnalyzer documentation - note that the online version always covers the most recent development version. However, there is a version-specific doc set in each tarball. If you installed LogAnalyzer from a package, there usually is a LogAnalyzer-doc package, that often needs to be installed separately. If running the default diff -Nru loganalyzer-3.6.5+dfsg/src/admin/dbmappings.php loganalyzer-3.6.6+dfsg/src/admin/dbmappings.php --- loganalyzer-3.6.5+dfsg/src/admin/dbmappings.php 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/admin/dbmappings.php 2014-09-02 09:09:55.000000000 +0000 @@ -86,10 +86,10 @@ $content['DBMP'] = $dbmapping; // View must be loaded as well already! - if ( isset($_GET['id']) && isset($content['DBMP'][$_GET['id']]) ) + if ( isset($_GET['dbmpid']) && isset($content['DBMP'][$_GET['dbmpid']]) ) { //PreInit these values - $content['DBMPID'] = DB_RemoveBadChars($_GET['id']); + $content['DBMPID'] = DB_RemoveBadChars($_GET['dbmpid']); if ( isset($content['DBMP'][ $content['DBMPID'] ]) ) { //Set the FormAdd URL @@ -110,15 +110,15 @@ { $content['ISEDITORNEWDBMP'] = false; $content['ISERROR'] = true; - $content['ERROR_MSG'] = GetAndReplaceLangStr( $content['LN_DBMP_ERROR_INVALIDID'], isset($_GET['id']) ? $_GET['id'] : "" ); + $content['ERROR_MSG'] = GetAndReplaceLangStr( $content['LN_DBMP_ERROR_INVALIDID'], isset($_GET['dbmpid']) ? $_GET['dbmpid'] : "" ); } } else if ($_GET['op'] == "delete") { - if ( isset($_GET['id']) ) + if ( isset($_GET['dbmpid']) ) { //PreInit these values - $content['DBMPID'] = DB_RemoveBadChars($_GET['id']); + $content['DBMPID'] = DB_RemoveBadChars($_GET['dbmpid']); // Get UserInfo $result = DB_Query("SELECT DisplayName FROM " . DB_MAPPINGS . " WHERE ID = " . $content['DBMPID'] ); 
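Review bot: In the `delete` branch the renamed `$_GET['dbmpid']` goes through `DB_RemoveBadChars()` and is then concatenated straight into the `WHERE ID = ` clause of the `DB_Query` call, so the only defence against SQL injection on this path is whatever that helper strips, whereas the edit branch above at least requires `isset($content['DBMP'][$_GET['dbmpid']])` first. Since ID is used as a numeric key, coerce it before it reaches the query, `$content['DBMPID'] = intval($_GET['dbmpid']);`, or reject the request when the value is not a key of `$content['DBMP']` as the edit branch does. The raw `$_GET['dbmpid']` is also reflected into `ERROR_MSG` via `GetAndReplaceLangStr`; unless the template escapes it, that is a reflected XSS of the same kind this release fixes in details.php, so encode it there (e.g. with the project's `GetStringWithHTMLCodes()`) before it is substituted. The surrounding `$_GET['op']` chain continues outside the hunk.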
@@ -249,7 +249,7 @@ // --- Process POST Form Data if ( isset($_POST['op']) ) { - if ( isset ($_POST['id']) ) { $content['DBMPID'] = DB_RemoveBadChars($_POST['id']); } else {$content['DBMPID'] = ""; } + if ( isset ($_POST['dbmpid']) ) { $content['DBMPID'] = DB_RemoveBadChars($_POST['dbmpid']); } else {$content['DBMPID'] = ""; } if ( isset ($_POST['DisplayName']) ) { $content['DisplayName'] = DB_StripSlahes($_POST['DisplayName']); } else {$content['DisplayName'] = ""; } // --- Check mandotary values diff -Nru loganalyzer-3.6.5+dfsg/src/cron/maintenance.php loganalyzer-3.6.6+dfsg/src/cron/maintenance.php --- loganalyzer-3.6.5+dfsg/src/cron/maintenance.php 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/cron/maintenance.php 2014-09-02 09:09:55.000000000 +0000 @@ -179,7 +179,7 @@ if ( isset($_SERVER["argv"][2]) ) { // Set to SourceID property! - $content['SOURCEID'] = intval( $_SERVER["argv"][2] ); + $content['SOURCEID'] = $_SERVER["argv"][2]; // Check if exists if ( !isset($content['Sources'][ $content['SOURCEID'] ]) ) diff -Nru loganalyzer-3.6.5+dfsg/src/details.php loganalyzer-3.6.6+dfsg/src/details.php --- loganalyzer-3.6.5+dfsg/src/details.php 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/details.php 2014-09-02 09:09:55.000000000 +0000 
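Review bot: The POST path gives `$_POST['dbmpid']` the same `DB_RemoveBadChars()`-only treatment as the GET delete path, so whether the mapping ID is safe in any later SQL depends entirely on that helper; `intval($_POST['dbmpid'])` on this line would make the numeric intent explicit. Form processing is gated only on `isset($_POST['op'])` and no anti-CSRF token check is visible in the hunk; if the rest of the handler, which starts and ends outside the hunk, does not verify one, a logged-in admin can be made to create or delete mappings by a cross-site request. `DB_StripSlahes()` on `DisplayName` is presumably an input filter rather than an output escape, so the template still has to HTML-encode that value.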
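Review bot: Dropping `intval()` on `argv[2]` turns `$content['SOURCEID']` into an arbitrary string, and nothing on the `+` line records that this is safe only because the `isset($content['Sources'][...])` check directly below rejects anything that is not a configured source key. A comment on the assignment would stop the next maintainer from reusing the raw value elsewhere: `// Kept as a raw string on purpose (source IDs need not be numeric); only valid as a key into $content['Sources'], enforced by the isset() check below.` The `if ( isset($_SERVER["argv"][2]) )` block continues outside the hunk, so confirm the rejection path there actually stops processing rather than letting the raw value flow on.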
@@ -286,7 +286,7 @@ if ( $mycolkey == SYSLOG_MESSAGE ) $content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( GetStringWithHTMLCodes($logArray[$mycolkey]) ); else // kindly copy! - $content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( $logArray[$mycolkey] ); + $content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( GetStringWithHTMLCodes($logArray[$mycolkey]) ); // --- HOOK here to add context links! AddContextLinks($content['fields'][$mycolkey]['fieldvalue']); diff -Nru loganalyzer-3.6.5+dfsg/src/doc/troubleshoot.html loganalyzer-3.6.6+dfsg/src/doc/troubleshoot.html --- loganalyzer-3.6.5+dfsg/src/doc/troubleshoot.html 2013-10-09 06:57:58.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/doc/troubleshoot.html 2014-09-02 09:19:05.000000000 +0000 @@ -7,7 +7,7 @@ if you need to ask for assistance. This page is continously being expanded.
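Review bot: After the `+` line both arms of `if ( $mycolkey == SYSLOG_MESSAGE )` execute the identical statement, so the branch and the now-stale `// kindly copy!` comment say nothing; collapse it to the single line `$content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( GetStringWithHTMLCodes($logArray[$mycolkey]) );` with a comment noting that every field is HTML-encoded before `AddContextLinks()` runs on it. Whether this fully closes the reported XSS depends on `GetStringWithHTMLCodes()` encoding quotes as well as angle brackets, since the hook below presumably wraps the value in link markup; its definition is not in this diff, so confirm it is `htmlspecialchars` with `ENT_QUOTES` or equivalent. The enclosing loop starts and ends outside the hunk.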

    Useful troublehshooting ressources are:

      -
    • The LogAnalyzer documentation - note that the online version always covers +
    • The LogAnalyzer documentation - note that the online version always covers the most recent development version. However, there is a version-specific doc set in each tarball. If you installed LogAnalyzer from a package, there usually is a LogAnalyzer-doc package, that often needs to be installed separately. If running the default diff -Nru loganalyzer-3.6.5+dfsg/src/include/functions_common.php loganalyzer-3.6.6+dfsg/src/include/functions_common.php --- loganalyzer-3.6.5+dfsg/src/include/functions_common.php 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/include/functions_common.php 2014-09-02 09:09:55.000000000 +0000 @@ -66,7 +66,7 @@ $LANG = "en"; // Default language // Default Template vars -$content['BUILDNUMBER'] = "3.6.5"; +$content['BUILDNUMBER'] = "3.6.6"; $content['UPDATEURL'] = "http://loganalyzer.adiscon.com/files/version.txt"; $content['TITLE'] = "Adiscon LogAnalyzer :: Release " . $content['BUILDNUMBER']; // Default page title $content['BASEPATH'] = $gl_root_path; diff -Nru loganalyzer-3.6.5+dfsg/src/index.php loganalyzer-3.6.6+dfsg/src/index.php --- loganalyzer-3.6.5+dfsg/src/index.php 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/index.php 2014-09-02 09:09:55.000000000 +0000 
@@ -573,7 +573,7 @@ // --- } else // Just set field value - $content['syslogmessages'][$counter]['values'][$mycolkey]['messagesdetails'][$myIndex]['detailfieldvalue'] = isset($myfield['rawfieldvalue']) ? $myfield['rawfieldvalue'] : $myfield['fieldvalue']; + $content['syslogmessages'][$counter]['values'][$mycolkey]['messagesdetails'][$myIndex]['detailfieldvalue'] = isset($myfield['rawfieldvalue']) ? GetStringWithHTMLCodes($myfield['rawfieldvalue']) : GetStringWithHTMLCodes($myfield['fieldvalue']); } } diff -Nru loganalyzer-3.6.5+dfsg/src/templates/admin/admin_dbmappings.html loganalyzer-3.6.6+dfsg/src/templates/admin/admin_dbmappings.html --- loganalyzer-3.6.5+dfsg/src/templates/admin/admin_dbmappings.html 2013-10-09 06:54:25.000000000 +0000 +++ loganalyzer-3.6.6+dfsg/src/templates/admin/admin_dbmappings.html 2014-09-02 09:09:55.000000000 +0000 @@ -34,7 +34,7 @@ {ID} - {DisplayName} + {DisplayName} {DisplayName} @@ -45,8 +45,8 @@ -   -   +   +     @@ -116,7 +116,7 @@
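Review bot: The `+` line calls `GetStringWithHTMLCodes()` separately in both arms of the ternary; hoisting it is shorter and guarantees neither arm can be missed by a later edit: `$content['syslogmessages'][$counter]['values'][$mycolkey]['messagesdetails'][$myIndex]['detailfieldvalue'] = GetStringWithHTMLCodes( isset($myfield['rawfieldvalue']) ? $myfield['rawfieldvalue'] : $myfield['fieldvalue'] );`. The `else` has no braces, so this assignment is the whole branch; a comment such as `// Encode every detail value, raw or formatted, before it reaches the template` would record why the encoding was added here. If `fieldvalue` is already HTML-encoded by the formatting path above the hunk, this double-encodes it, so confirm that only the `rawfieldvalue` fallback is unencoded. The enclosing loop starts and ends outside the hunk.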
      - +