-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4545
                          awstats security update
                             24 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           awstats
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35176 CVE-2020-29600 

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2506

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running awstats check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2506-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                     
December 23, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : awstats
Version        : 7.6+dfsg-1+deb9u2
CVE ID         : CVE-2020-29600 CVE-2020-35176
Debian Bug     : 891469 977190

It was discovered that Awstats, a web server log analyzer, was
vulnerable to path traversal attacks. A remote unauthenticated
attacker could leverage that to perform arbitrary code execution. The
previous fix did not fully address the issue when the default
/etc/awstats/awstats.conf is not present.

For Debian 9 stretch, this problem has been fixed in version
7.6+dfsg-1+deb9u2.

We recommend that you upgrade your awstats packages.
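As an added example (not part of the Debian or AusCERT bulletin), the Python script below lets an administrator confirm that the installed awstats package on a Debian 9 host is at or above the fixed version named in this advisory. It implements the Debian package version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything and digit runs compared numerically), so it gives the same answer as `dpkg --compare-versions`. The package name and fixed version 7.6+dfsg-1+deb9u2 come from the advisory; querying `dpkg-query` for the installed version and the sample versions used in the demonstration are assumptions.

```python
import re
import subprocess

# Values taken from DLA-2506-1 above.
PACKAGE = "awstats"
FIXED_VERSION = "7.6+dfsg-1+deb9u2"


def _order(c):
    """Sort weight of one non-digit character per Debian Policy 5.6.12:
    '~' sorts before everything (even end of string), then end of string,
    then letters, then all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two runs of non-digit characters using _order()."""
    i = 0
    while i < len(a) or i < len(b):
        ca = a[i] if i < len(a) else ""
        cb = b[i] if i < len(b) else ""
        oa, ob = _order(ca), _order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
        i += 1
    return 0


def _cmp_part(a, b):
    """Compare an upstream version or Debian revision: alternate non-digit
    runs (lexical, modified ordering) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da) if da else 0, int(db) if db else 0
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older, equal or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_part(ua, ub)
    if r:
        return r
    return _cmp_part(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version already carries the advisory's fix."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package=PACKAGE):
    """Ask dpkg for the installed version (assumed query); None if the
    package is not installed or dpkg-query is unavailable on this host."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print(f"{PACKAGE}: not installed or dpkg-query unavailable")
    elif is_fixed(v):
        print(f"{PACKAGE} {v}: at or above fixed version {FIXED_VERSION}")
    else:
        print(f"{PACKAGE} {v}: VULNERABLE, upgrade to {FIXED_VERSION}")
```

Run it on the Debian 9 host as any user; it needs no privileges because `dpkg-query` reads the package database read-only. The same comparison is available from a shell as `dpkg --compare-versions "$installed" ge "7.6+dfsg-1+deb9u2"`.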

For the detailed security status of awstats please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/awstats

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl/jXPMACgkQj/HLbo2J
BZ8ffQf/S9j+l7tp4Fr1YLM5ay6+KnE4R990cqE4SeoWdlPFRE+LWsvEB99wjCcq
Vu96Iirug69cgguN/nIxl+TiD4mp3Udv7uqFshyGl1N2vDV1c4/0U3B7rvYseboe
TefuqBTNtzQGDZWDnddZx/1mM1INifNw06ZFjx2SNolgXvtsbt1vBaj/9lFVfYor
DX3BatpUVe/+V9Idm4bOsObvyWFJzars2UeGaTrzVAI7JGP8RlrETGBh99CnPfmX
zot9Tm45o+wuQUHIJ/uETVxoggjJ6pu1pmvYNQTVyLY/gYL2s0qZ0Xc8yFZ5t+nb
fYf/Qdgv0MRnnS09PcUf9t9AXU7hUw==
=lkgC
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX+PAneNLKJtyKPYoAQiatQ//VMtJo08/ydtvUGz7df6Xu+HnCgv0QkKG
7WpYCAo/Ez0JFHOXke6TlUW8yZw2/cQR5GZs5twgCCFUFzGq8oIbgDwVy/OrdAK7
0Arp9mRMCnt/4c47ydhLwqcE3ukGcy9snpwwKrllMS1tiAR6jTwO1gUEnYtJUg9B
zpZNZmTO6rZqHUpu8TJl/1GEu887G12W9Ml3WXhJKLlckj7RNSsdJ4jql6FbrlOP
gOx6G8QAym1KnzUGcNEfrU8kxxEIWvnqE/oVktTswRmnQlImmKwADNRjWUAiHahB
QHPHP+45ckixYby6sf0m2RDuRLjnQC3ssfslNuIU3JqeAUr9Qv1xrWxMVBQ2jMuK
KtLmK5kHXj/qMoEExtETjHAmGYPa8e8CuFQbxEDsXUcDCbf6PIHf7bGQKgHuMfh8
ef+R1dVEU0U+cOmBeVr9EmsNbx47woEfQ3vFZcGWn2qIbizxWSxSwHoz8gl53HN2
fsh2HSIsjuX7GANpfRcgipwMOf0Hb1J1JGT9KW/DWYtGB664IfsgwOcM2pagtnrI
/WUsQW1Adg078cuKCz0AAl7/X40eEgTXykxA7pewmRaOvm6fUQIEJufHv5VSMvK2
IZWBmS4M1lUNwdOncHpEJfWpEXxyUIIpZzRBJOAUpwyFuKWZw4xTDg8f/NNPB1UG
UC//5l5nBoU=
=aeqq
-----END PGP SIGNATURE-----