Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory.
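To make the vulnerability class above concrete, here is an added Python illustration of a plugin loader that takes the plugin name from a configuration directive, first in the traversal-prone form and then with the check a hardened loader needs. It is example code written for this page, not AWStats' own code; the plugin directory, the `.pm` suffix, the `LoadPlugin="name params"` line format and the sample configuration are assumptions made for the demonstration.

```python
import os
import re

# Assumed layout for the example: plugins live as <name>.pm under one
# directory, and a LoadPlugin directive names the plugin to load.
PLUGIN_DIR = "/usr/share/awstats/plugins"
PLUGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Assumed directive shape: LoadPlugin="name optional params"
LOADPLUGIN_RE = re.compile(r'^\s*LoadPlugin\s*=\s*"?([^"\s]+)')


def plugin_path_naive(plugin_dir, name):
    """Traversal-prone: the configured name goes straight into the path,
    so '..' components walk out of plugin_dir."""
    return os.path.normpath(os.path.join(plugin_dir, name + ".pm"))


def plugin_path_checked(plugin_dir, name):
    """Hardened: whitelist the name, then confirm the resolved path still
    lies inside plugin_dir after symlink and '..' resolution."""
    if not PLUGIN_NAME_RE.match(name):
        raise ValueError("plugin name outside [A-Za-z0-9_]: %r" % name)
    base = os.path.realpath(plugin_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".pm"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("plugin path escapes %s: %r" % (base, candidate))
    return candidate


def plugin_name_accepted(plugin_dir, name):
    """True if the hardened check would load this plugin name."""
    try:
        plugin_path_checked(plugin_dir, name)
        return True
    except ValueError:
        return False


def audit_config(config_text, plugin_dir=PLUGIN_DIR):
    """Return (plugin_name, accepted) for every LoadPlugin line in a
    configuration file, using the hardened check."""
    results = []
    for line in config_text.splitlines():
        m = LOADPLUGIN_RE.match(line)
        if m:
            name = m.group(1)
            results.append((name, plugin_name_accepted(plugin_dir, name)))
    return results


# Constructed sample configuration fragment (not a real awstats.conf).
SAMPLE_CONFIG = """\
# constructed sample
LoadPlugin="geoip GEOIP_STANDARD /usr/share/GeoIP/GeoIP.dat"
LoadPlugin="tooltips"
LoadPlugin="../../../../tmp/evil"
LoadPlugin="hashfiles/../hashfiles"
"""

if __name__ == "__main__":
    print("naive :", plugin_path_naive(PLUGIN_DIR, "../../../../tmp/evil"))
    for name, ok in audit_config(SAMPLE_CONFIG):
        print("checked:", name, "->", "accepted" if ok else "rejected")
```

The whitelist alone would be enough for this directive, but the containment check costs little and also catches a plugin directory that is itself reachable through a symlink, so both are kept.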
Maintainers, which version of awstats should we target for stabilization?
Also, please file a security bug and request a fast-track stabilization when you know about security issues. I'm sorry if you have done that and I missed it.
*awstats-7.0 (08 Sep 2010)
08 Sep 2010; Diego E. Pettenò <email@example.com>
files/awstats-6.3-gentoo.diff, +awstats-7.0.ebuild, metadata.xml:
Version bump to latest beta that seems to fix some security concerns. Take
co-maintainership of package.
I'm pretty sure that Security already dissed this as I opened it before, but at least there wasn't a CVE at the time. *Shrug* I'm fine with going with the latest (non-webapp-config based) version stable.
Thank you. Arches, please stabilize =www-misc/awstats-7.0_p20101205-r3
amd64 done. Thanks Agostino
Stable for HPPA.
Did something change with this release? Because when I do a webapp-config -U -h my.vhost.com -d awstats awstats 7.0_p20101205-r3 it removes my /var/www/my.vhost.com/cgi-bin and the files under /var/www/my.vhost.com/htdocs/awstats?
Thank you. This will need a GLSA vote.
Please remove vulnerable versions from the tree.
Thanks, folks. GLSA Vote: no.
(In reply to comment #9)
> Did something change with this release? Because when I do a webapp-config -U
> -h my.vhost.com -d awstats awstats 7.0_p20101205-r3 it removes my
> /var/www/my.vhost.com/cgi-bin and the files under
> /var/www/my.vhost.com/htdocs/awstats?
I can confirm this!
Also my /usr/share/webapps does not list awstats. I thought all webapps were installed there.
In the meantime I found a comment about the plans in the changelog of the ebuild; however, it would be good if this changed route could be mentioned on the homepage or in a sticky thread on the forums, since having no information is very confusing.
Okay, listen up: this is a _stable request_ for _security_ and not a support forum. The changes in the awstats install are both in the ChangeLog of the ebuild (they are not _plans_, they are _facts_) and in the post-install message that *you just forgot to read*:
ewarn "This ebuild does no longer use webapp-config to install"
ewarn "instead you should point your configuration to the stable"
ewarn "directory tree in the following path:"
ewarn " /usr/share/awstats"
Homepage? For a minor, noted change in ebuild installation? Please.
You are correct that a) it may be the wrong place (I tried the forums first, but no one answered or knew what is going on, so it doesn't seem to be so clear after all) and b) there is a notification, which I didn't recognize the first time, because some text comes before it and I simply didn't notice the yellow stars (which make the difference) at that time.
However, I think it is worth mentioning either on the forums, in a blog, a wiki entry or whatever. Maybe it is just a minor change to you, but if you use webapp-config to upgrade, your installation just stops working and you ask yourself why. Since all the old documentation was pointing to the webapp-config method (mini howto on the forum, entries in the gentoo wiki, ...), I think it is not so clear to people what has changed and, even worse, how to handle that change (maybe a link to the docs would help in that case).
Just my two cents... but this is the stabilization bug and so you are right... this doesn't belong in here.
GLSA vote: NO
Vote: NO. Closing noglsa.