
Bug#977190: marked as done (awstats: CVE-2020-35176)



Your message dated Tue, 02 Feb 2021 13:03:25 +0000
with message-id <E1l6vL3-000HJs-CU@fasolo.debian.org>
and subject line Bug#977190: fixed in awstats 7.8-2
has caused the Debian Bug report #977190,
regarding awstats: CVE-2020-35176
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977190
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: awstats
Version: 7.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/eldy/awstats/issues/195
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for awstats, which is a
followup to CVE-2020-29600 (incomplete fix for it, and previously
CVE-2017-1000501, cf. #891469).

CVE-2020-35176[0]:
| In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial
| absolute pathname (omitting the initial /etc), even though it was
| intended to only read a file in the /etc/awstats/awstats.conf format.
| NOTE: this issue exists because of an incomplete fix for
| CVE-2017-1000501 and CVE-2020-29600.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35176
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176
[1] https://github.com/eldy/awstats/issues/195

Regards,
Salvatore

--- End Message ---
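The CVE text above describes a `config=` value that is accepted although it names a partial absolute path rather than a site name. As an added illustration (not AWStats' own code and not the Debian patch), the following shows one defensive way to handle such a parameter: an allow-list on the name plus a containment check on the resolved path. The `/etc/awstats` layout follows the CVE text; the function name, the regex and the `awstats.<name>.conf` naming are assumptions.

```python
import os
import re
from pathlib import PurePosixPath

# Assumed location of per-site config files (layout named in the CVE text).
CONFIG_DIR = PurePosixPath("/etc/awstats")

# Allow-list for the site name: a plain token with no path separators and
# no leading dot or dash. Allow-listing is more robust than trying to strip
# or deny traversal sequences after the fact.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def resolve_config_path(config: str):
    """Map a user-controlled ``config=`` value to a config file path.

    Returns the path under CONFIG_DIR, or None if the value is rejected.
    Two independent checks apply: the syntactic allow-list on the name and a
    containment check on the normalised path, so that inputs such as
    "awstats/awstats.conf" (a partial absolute pathname, as described for
    CVE-2020-35176), "../passwd" or "/etc/passwd" cannot escape CONFIG_DIR.
    """
    if not _SAFE_NAME.match(config):
        return None
    candidate = PurePosixPath(
        os.path.normpath(str(CONFIG_DIR / f"awstats.{config}.conf"))
    )
    # Defence in depth: even if the allow-list were loosened later, the
    # normalised path must still lie directly under CONFIG_DIR.
    if candidate.parent != CONFIG_DIR:
        return None
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate site name and three
    # malformed values of the kind the allow-list is meant to reject.
    for value in ["example.com", "awstats/awstats.conf", "../passwd", "/etc/passwd"]:
        print(f"{value!r:28} -> {resolve_config_path(value)}")
```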
--- Begin Message ---
Source: awstats
Source-Version: 7.8-2
Done: Håvard Flaget Aasen <haavard_aasen@yahoo.no>

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Håvard Flaget Aasen <haavard_aasen@yahoo.no> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Feb 2021 08:56:57 +0100
Source: awstats
Architecture: source
Version: 7.8-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
Closes: 977190
Changes:
 awstats (7.8-2) unstable; urgency=high
 .
   * QA upload.
   * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
     accepts a partial absolute pathname (omitting the initial /etc), even
     though it was intended to only read a file in the
     /etc/awstats/awstats.conf format. NOTE: this issue exists because of
     an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
     Closes: #977190


--- End Message ---
