
Bug#977190: awstats: CVE-2020-35176



Control: severity -1 serious

On Sat, Dec 12, 2020 at 10:18:21AM +0100, Salvatore Bonaccorso wrote:
> Source: awstats
> Version: 7.8-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/eldy/awstats/issues/195
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for awstats, which is a
> followup to CVE-2020-29600 (incomplete fix for it, and previously
> CVE-2017-1000501, cf. #891469).
> 
> CVE-2020-35176[0]:
> | In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial
> | absolute pathname (omitting the initial /etc), even though it was
> | intended to only read a file in the /etc/awstats/awstats.conf format.
> | NOTE: this issue exists because of an incomplete fix for
> | CVE-2017-1000501 and CVE-2020-29600.

I'm raising the severity of this issue to RC. Rationale behind this:
The package is currently basically QA maintained but has open security
issues. That assures we have it either not in bullseye or with the
issues fixed in bullseye.

Regards,
Salvatore
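The check the quoted CVE text implies, as an added Python example that is not awstats's code (awstats itself is Perl): the `config=` value is accepted only as a bare site name, never as any path fragment, and the resulting file is additionally verified to resolve inside the configuration directory. `CONFIG_DIR`, the regex, and the function names are my own assumptions; the `/etc/awstats` location comes from the report and the `awstats.<site>.conf` naming is the project's usual convention.

```python
import os
import re

# Hypothetical constants for this example (not from awstats itself).
CONFIG_DIR = "/etc/awstats"
# Allowlist for a site name: letters, digits, '_', '-', '.'; no '/' anywhere,
# so a value cannot name a path, whether absolute ("/etc/...") or partial
# ("awstats/..."), which is the bypass class the CVE text describes.
SITE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def is_valid_config_name(value: str) -> bool:
    """True only for a bare site name that the allowlist accepts."""
    return bool(SITE_NAME_RE.fullmatch(value))


def resolve_config(value: str, config_dir: str = CONFIG_DIR) -> str:
    """Map an untrusted 'config=' value to awstats.<site>.conf under config_dir.

    Raises ValueError (fail closed) if the name is rejected or if the
    resolved path would leave config_dir, e.g. through a symlink.
    """
    if not is_valid_config_name(value):
        raise ValueError("config name rejected: %r" % value)
    candidate = os.path.join(config_dir, "awstats." + value + ".conf")
    # Defence in depth: even with a clean name, confirm containment after
    # resolving symlinks and normalising the path.
    real_dir = os.path.realpath(config_dir)
    real_file = os.path.realpath(candidate)
    if os.path.commonpath([real_dir, real_file]) != real_dir:
        raise ValueError("resolved outside %s: %r" % (config_dir, real_file))
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable site name, then the shapes
    # of value that a name-only allowlist must reject.
    for sample in ("site1", "/etc/awstats/awstats.site1.conf",
                   "awstats/awstats.site1.conf", "site1/../site2", ""):
        try:
            print("accepted:", resolve_config(sample))
        except ValueError as exc:
            print("rejected:", exc)
```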

