Bug#977190: awstats: CVE-2020-35176

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#977190: awstats: CVE-2020-35176
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 12 Dec 2020 10:18:21 +0100
Message-id: <[🔎] 160776470137.349344.15843878972966889053.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 977190@bugs.debian.org

Source: awstats
Version: 7.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/eldy/awstats/issues/195
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for awstats, which is a
followup to CVE-2020-29600 (incomplete fix for it, and previously
CVE-2017-1000501, cf. #891469).

CVE-2020-35176[0]:
| In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial
| absolute pathname (omitting the initial /etc), even though it was
| intended to only read a file in the /etc/awstats/awstats.conf format.
| NOTE: this issue exists because of an incomplete fix for
| CVE-2017-1000501 and CVE-2020-29600.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35176
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176
[1] https://github.com/eldy/awstats/issues/195

Regards,
Salvatore

Reply to:

Prev by Date: Processed: found 891469 in 7.2+dfsg-1+deb8u1, found 891469 in 7.6+dfsg-1+deb9u1
Next by Date: Bug#977191: cvsps: Wrong homepage + new version
Previous by thread: Processed: found 891469 in 7.2+dfsg-1+deb8u1, found 891469 in 7.6+dfsg-1+deb9u1
Next by thread: Bug#977191: cvsps: Wrong homepage + new version
Index(es):
- Date
- Thread