CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501): Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
*** Bug 642428 has been marked as a duplicate of this bug. ***
(In reply to GLSAMaker/CVETool Bot from comment #0) > CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501): > Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in > the handling of the "config" and "migrate" parameters resulting in > unauthenticated remote code execution. Patches: https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651 https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899 Both are included in 7.7.
@maintainer(s): please bump soon.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22812026e7262e3f7fc4cd5243df30c023b97133 commit 22812026e7262e3f7fc4cd5243df30c023b97133 Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> AuthorDate: 2020-05-12 11:06:09 +0000 Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> CommitDate: 2020-05-12 11:06:09 +0000 www-misc/awstats: Security bump to 7.8 release (CVE-2017-1000501). Bug: https://bugs.gentoo.org/646786 Fixes: https://bugs.gentoo.org/604548 Package-Manager: Portage-2.3.96, Repoman-2.3.22 Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> www-misc/awstats/Manifest | 1 + www-misc/awstats/awstats-7.8.ebuild | 111 ++++++++++++++++++++++++++++++++++++ 2 files changed, 112 insertions(+)
@arch teams, please mark stable www-misc/awstats-7.8 Desired keywords are: KEYWORDS="~alpha amd64 hppa ppc ~sparc x86"
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03088da8cd72c72fb977622fb3a28028a2e7887c commit 03088da8cd72c72fb977622fb3a28028a2e7887c Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> AuthorDate: 2020-05-12 11:12:23 +0000 Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> CommitDate: 2020-05-12 11:12:23 +0000 www-misc/awstats: Drop old and vulnerable releases. Leave last stable release pending stabilization of the 7.8 release. Bug: https://bugs.gentoo.org/646786 Package-Manager: Portage-2.3.96, Repoman-2.3.22 Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> www-misc/awstats/Manifest | 2 - www-misc/awstats/awstats-7.1_p20121017.ebuild | 110 ------------------------ www-misc/awstats/awstats-7.5.ebuild | 115 -------------------------- 3 files changed, 227 deletions(-)
~hppa is fine.
Created attachment 638556 [details, diff] awstats-7.8-mime.patch awstats 7.8 is broken, this commit is not included in the release: https://github.com/eldy/awstats/commit/e5c32dd55ff7995933d84bd45076b09bba400986 awstats 7.7 works fine and fixes CVE-2017-1000501. Attaching the patch to go with 7.8.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=4b9fab2bfd33337f0de0dacafd3f861d9355c4b2 commit 4b9fab2bfd33337f0de0dacafd3f861d9355c4b2 Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> AuthorDate: 2020-05-13 09:43:08 +0000 Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> CommitDate: 2020-05-13 09:43:08 +0000 www-misc/awstats: Fix mime.pm - thanks to Tobias Sager. Bug: https://bugs.gentoo.org/646786 Package-Manager: Portage-2.3.96, Repoman-2.3.22 Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> www-misc/awstats/awstats-7.8-r1.ebuild | 112 ++++++++++++++++++++++++++ www-misc/awstats/files/awstats-7.8-mime.patch | 12 +++ 2 files changed, 124 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d4f49ad2dc855a31f482ba521c05f15a1753d61 commit 4d4f49ad2dc855a31f482ba521c05f15a1753d61 Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> AuthorDate: 2020-05-13 09:47:35 +0000 Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> CommitDate: 2020-05-13 09:47:35 +0000 www-misc/awstats: Fix mime.pm - thanks to Tobias Sager. Bug: https://bugs.gentoo.org/646786 Package-Manager: Portage-2.3.96, Repoman-2.3.22 Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org> www-misc/awstats/awstats-7.8-r1.ebuild | 112 ++++++++++++++++++++++++++ www-misc/awstats/files/awstats-7.8-mime.patch | 12 +++ 2 files changed, 124 insertions(+)
ppc stable
x86 stable
@amd64: ping
(In reply to Sam James from comment #13) > @amd64: ping ping
amd64 stable. ---- Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f127f5c766759209adde243ec01d4d4d4d1cab16 commit f127f5c766759209adde243ec01d4d4d4d1cab16 Author: Sam James <sam@gentoo.org> AuthorDate: 2020-07-17 20:58:12 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-07-17 23:59:47 +0000 www-misc/awstats: security cleanup Bug: https://bugs.gentoo.org/646786 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Sam James <sam@gentoo.org> www-misc/awstats/Manifest | 1 - www-misc/awstats/awstats-7.4.ebuild | 111 ------------------------------------ www-misc/awstats/awstats-7.8.ebuild | 111 ------------------------------------ 3 files changed, 223 deletions(-)
Unable to check for sanity: > no match for package: =www-misc/awstats-7.8
This issue was resolved and addressed in GLSA 202007-37 at https://security.gentoo.org/glsa/202007-37 by GLSA coordinator Sam James (sam_c).
