| Field | Value |
|---|---|
| Summary | <www-misc/awstats-7.8: Two path traversal issues in awstat.pl (CVE-2017-1000501) |
| Product | Gentoo Security |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | hanno, moixa, web-apps |
| Priority | High |
| Flags | nattka: sanity-check- |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=759544 |
| Whiteboard | B1 [glsa+ cve] |
| Package list | =www-misc/awstats-7.8 amd64 ppc x86 |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 656140 |
| Attachments | |
Description
GLSAMaker/CVETool Bot
*** Bug 642428 has been marked as a duplicate of this bug. ***

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501):
> Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in
> the handling of the "config" and "migrate" parameters resulting in
> unauthenticated remote code execution.

Patches:
https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651
https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899

Both are included in 7.7.

@maintainer(s): please bump soon.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22812026e7262e3f7fc4cd5243df30c023b97133

commit 22812026e7262e3f7fc4cd5243df30c023b97133
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-12 11:06:09 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-12 11:06:09 +0000

www-misc/awstats: Security bump to 7.8 release (CVE-2017-1000501).

Bug: https://bugs.gentoo.org/646786
Fixes: https://bugs.gentoo.org/604548
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

www-misc/awstats/Manifest | 1 +
www-misc/awstats/awstats-7.8.ebuild | 111 ++++++++++++++++++++++++++++++++++++
2 files changed, 112 insertions(+)

@arch teams, please mark stable www-misc/awstats-7.8

Desired keywords are:
KEYWORDS="~alpha amd64 hppa ppc ~sparc x86"

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03088da8cd72c72fb977622fb3a28028a2e7887c

commit 03088da8cd72c72fb977622fb3a28028a2e7887c
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-12 11:12:23 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-12 11:12:23 +0000

www-misc/awstats: Drop old and vulnerable releases.

Leave last stable release pending stabilization of the 7.8 release.

Bug: https://bugs.gentoo.org/646786
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

www-misc/awstats/Manifest | 2 -
www-misc/awstats/awstats-7.1_p20121017.ebuild | 110 ------------------------
www-misc/awstats/awstats-7.5.ebuild | 115 --------------------------
3 files changed, 227 deletions(-)

~hppa is fine.

Created attachment 638556 [details, diff]
awstats-7.8-mime.patch

awstats 7.8 is broken, this commit is not included in the release:
https://github.com/eldy/awstats/commit/e5c32dd55ff7995933d84bd45076b09bba400986

awstats 7.7 works fine and fixes CVE-2017-1000501.

Attaching the patch to go with 7.8.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=4b9fab2bfd33337f0de0dacafd3f861d9355c4b2

commit 4b9fab2bfd33337f0de0dacafd3f861d9355c4b2
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-13 09:43:08 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-13 09:43:08 +0000

www-misc/awstats: Fix mime.pm - thanks to Tobias Sager.

Bug: https://bugs.gentoo.org/646786
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

www-misc/awstats/awstats-7.8-r1.ebuild | 112 ++++++++++++++++++++++++++
www-misc/awstats/files/awstats-7.8-mime.patch | 12 +++
2 files changed, 124 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d4f49ad2dc855a31f482ba521c05f15a1753d61

commit 4d4f49ad2dc855a31f482ba521c05f15a1753d61
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-13 09:47:35 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-13 09:47:35 +0000

www-misc/awstats: Fix mime.pm - thanks to Tobias Sager.

Bug: https://bugs.gentoo.org/646786
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

www-misc/awstats/awstats-7.8-r1.ebuild | 112 ++++++++++++++++++++++++++
www-misc/awstats/files/awstats-7.8-mime.patch | 12 +++
2 files changed, 124 insertions(+)

ppc stable

x86 stable

@amd64: ping

(In reply to Sam James from comment #13)
> @amd64: ping

ping

amd64 stable.

----

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f127f5c766759209adde243ec01d4d4d4d1cab16

commit f127f5c766759209adde243ec01d4d4d4d1cab16
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 20:58:12 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:47 +0000

www-misc/awstats: security cleanup

Bug: https://bugs.gentoo.org/646786
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: Sam James <sam@gentoo.org>

www-misc/awstats/Manifest | 1 -
www-misc/awstats/awstats-7.4.ebuild | 111 ------------------------------------
www-misc/awstats/awstats-7.8.ebuild | 111 ------------------------------------
3 files changed, 223 deletions(-)

Unable to check for sanity:

> no match for package: =www-misc/awstats-7.8

This issue was resolved and addressed in
GLSA 202007-37 at https://security.gentoo.org/glsa/202007-37
by GLSA coordinator Sam James (sam_c).
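The flaw class behind CVE-2017-1000501 (a request parameter such as "config" spliced into a file name under a fixed directory), shown as an added Python illustration that is neither awstats code nor any of the patches linked in this bug: the naive lookup beside a hardened one that allow-lists the name and then verifies the resolved path is still contained in the directory. The layout /etc/awstats/awstats.<config>.conf and all parameter values here are assumed or constructed for the example.

```python
"""Added illustration of a path traversal through a file-name parameter.
Not awstats code; models the flaw class only. Assumed layout:
<config_dir>/awstats.<config>.conf (constructed for this example)."""
import posixpath
import re

CONFIG_DIR = "/etc/awstats"                       # assumed base directory
CONFIG_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")   # allow-list: no '/', '\\', NUL


def naive_config_path(config, config_dir=CONFIG_DIR):
    """Pre-fix shape: the parameter goes straight into the path. With enough
    '..' segments the normalised result lands outside config_dir."""
    return posixpath.normpath(
        posixpath.join(config_dir, "awstats." + config + ".conf"))


def is_contained(base, path):
    """True if the normalised path is base itself or lies beneath base.
    The trailing '/' avoids the '/etc/awstats2' prefix trap."""
    base = posixpath.normpath(base)
    path = posixpath.normpath(path)
    return path == base or path.startswith(base.rstrip("/") + "/")


def safe_config_path(config, config_dir=CONFIG_DIR):
    """Hardened lookup: allow-list the name first, then check containment
    of the resolved path as defence in depth (either check alone stops
    the constructed traversal below; both together survive later edits)."""
    if not CONFIG_NAME_RE.fullmatch(config):      # fullmatch: no trailing newline
        raise ValueError("invalid config name: %r" % config)
    path = naive_config_path(config, config_dir)
    if not is_contained(config_dir, path):
        raise ValueError("config path escapes %s" % config_dir)
    return path


def classify(config, config_dir=CONFIG_DIR):
    """('ok', path) or ('rejected', reason); the reason is what a
    defender would log to spot probing of this parameter."""
    try:
        return ("ok", safe_config_path(config, config_dir))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for name in ("mysite", "../../../../tmp/evil/x"):   # constructed inputs
        print(name, "->", naive_config_path(name), classify(name))
```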