Bug 352600 (CVE-2010-4369) - <www-misc/awstats-7.0_p20101205-r3: directory traversal (CVE-2010-4369)
Summary: <www-misc/awstats-7.0_p20101205-r3: directory traversal (CVE-2010-4369)
Status: RESOLVED FIXED
Alias: CVE-2010-4369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B3 [noglsa]
Reported: 2011-01-24 15:04 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-11-11 12:28 UTC
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-24 15:04:44 UTC
Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory.

http://awstats.sourceforge.net/docs/awstats_changelog.txt
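The advisory only says the traversal is reachable through a crafted LoadPlugin directory, so the defensive check a packager or admin can apply is to confine plugin loading to a fixed directory. The following is an added example, not AWStats code: it assumes a plugin directory path, a conservative plugin-name pattern, and the `LoadPlugin="name params"` config syntax, and audits a constructed awstats.conf fragment for names that would escape that directory.

```python
import os
import re

# Assumed plugin location for this example (not taken from the ebuild).
PLUGIN_DIR = "/srv/awstats/plugins"

# A plugin name must be a single path component: letters, digits,
# underscore, optional ".pm" suffix. Pattern is an assumption for this example.
PLUGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_]+(\.pm)?$")


def resolve_plugin(plugin_dir: str, name: str):
    """Map a LoadPlugin name to a file under plugin_dir.

    Returns the canonical path, or None when the name is malformed or the
    resolved path would leave plugin_dir (directory traversal, symlink escape).
    """
    if not PLUGIN_NAME_RE.match(name):
        return None
    base = os.path.realpath(plugin_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Second line of defence: even a name that passed the pattern must
    # canonicalise to something inside the plugin directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_loadplugin_config(config_text: str, plugin_dir: str = PLUGIN_DIR):
    """Return {plugin_name: accepted} for every LoadPlugin line in a config."""
    results = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("LoadPlugin="):
            continue
        value = line[len("LoadPlugin="):].strip().strip('"')
        # The first word is the plugin name; the rest are plugin parameters.
        name = value.split()[0] if value.split() else ""
        results[name] = resolve_plugin(plugin_dir, name) is not None
    return results


# Constructed awstats.conf fragment for this example.
SAMPLE_CONFIG = """\
LoadPlugin="geoip GEOIP_STANDARD /usr/share/GeoIP/GeoIP.dat"
LoadPlugin="decodeutfkeys"
LoadPlugin="../../../tmp/x"
"""

if __name__ == "__main__":
    for plugin, ok in audit_loadplugin_config(SAMPLE_CONFIG).items():
        print(f"{'accept' if ok else 'REJECT':6} {plugin}")
```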
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-24 15:08:10 UTC
Maintainers, which version of awstats should we target for stabilization?

Also, please file a security bug and request a fast-track stabilization when you know about security issues. I'm sorry if you have done that and I missed it.

*awstats-7.0 (08 Sep 2010)

  08 Sep 2010; Diego E. Pettenò <flameeyes@gentoo.org>
  files/awstats-6.3-gentoo.diff, +awstats-7.0.ebuild, metadata.xml:
  Version bump to latest beta that seems to fix some security concerns. Take
  co-maintainership of package.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-01-24 15:23:30 UTC
I'm pretty sure that Security already dissed this as I opened it before, but at least there wasn't a CVE at the time. *Shrug* I'm fine with going with the latest (non-webapp-config based) version stable.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-24 15:54:43 UTC
Thank you. Arches, please stabilize =www-misc/awstats-7.0_p20101205-r3
Comment 4 Agostino Sarubbo gentoo-dev 2011-01-24 18:15:54 UTC
amd64 ok
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-01-25 09:32:18 UTC
amd64 done. Thanks Agostino
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-25 12:25:43 UTC
stable x86
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-25 16:23:58 UTC
Stable for HPPA.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-26 08:17:02 UTC
ppc stable
Comment 9 Flo 2011-01-27 16:53:01 UTC
Did something change with this release? Because when I do a webapp-config -U -h my.vhost.com -d awstats awstats 7.0_p20101205-r3 it removes my /var/www/my.vhost.com/cgi-bin and the files under /var/www/my.vhost.com/htdocs/awstats ?
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-01-30 18:54:53 UTC
alpha done
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-30 20:31:06 UTC
Thank you. This will need a GLSA vote.

Please remove vulnerable versions from the tree.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-01-31 02:18:27 UTC
Thanks, folks. GLSA Vote: no.
Comment 13 Bas van Dijk 2011-02-02 20:12:58 UTC
(In reply to comment #9)
> Did something change with this release? Because when I do a webapp-config -U
> -h my.vhost.com -d awstats awstats 7.0_p20101205-r3 it removes my
> /var/www/my.vhost.com/cgi-bin and the files under
> /var/www/my.vhost.com/htdocs/awstats ?
> 

I can confirm this!

Also my /usr/share/webapps does not list awstats. I thought all webapps were installed there.
Comment 14 Flo 2011-02-02 21:16:17 UTC
In the meantime I found a comment about the plans in the changelog of the ebuild; however, it would be good if this changed route could be mentioned on the homepage or in a sticky thread on the forums, since having no information is very confusing.
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-02-02 23:46:21 UTC
Okay, listen up: this is a _stable request_ for _security_ and not a support forum. The changes in the awstats install are both in the ChangeLog of the ebuild (they are not _plans_, they are _facts_) and in the post-install message that *you just forgot to read*:

        ewarn "This ebuild does no longer use webapp-config to install"
        ewarn "instead you should point your configuration to the stable"
        ewarn "directory tree in the following path:"
        ewarn "    /usr/share/awstats"

Homepage? For a minor, noted change in ebuild installation? Please.
Comment 16 Flo 2011-02-03 11:42:36 UTC
Hi,

you are correct that a) it may be the wrong place (I tried the forums first, but no one answered or knew what is going on... therefore it doesn't seem to be so clear after all) and b) there is a notification, which I didn't recognize the first time, because some text comes before it and I simply didn't notice the yellow stars (which make the difference) at that time.

However, I think it is worth mentioning either on the forums, in a blog, a wiki entry or whatever. Maybe it is just a minor change to you, but if you use webapp-config to upgrade, your installation just stops working and you ask yourself why. Since all old documentation was pointing to the webapp-config method (mini howto on the forum, entries in the gentoo wiki, ...) I think it is not so clear to people what has changed and, even worse, how to handle that change (maybe a link to the docs would help in that case).

Just my two cents... but this is the stabilization bug and so you are right... this doesn't belong in here.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:37:12 UTC
CVE-2010-4369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4369):
  Directory traversal vulnerability in AWStats before 7.0 allows remote
  attackers to have an unspecified impact via a crafted LoadPlugin directory.
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 22:51:47 UTC
GLSA vote: NO
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:54:41 UTC
Vote: NO. Closing noglsa.