-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4545
                          awstats security update
                              24 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           awstats
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35176 CVE-2020-29600

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2506

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running awstats check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2506-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/
December 23, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : awstats
Version        : 7.6+dfsg-1+deb9u2
CVE ID         : CVE-2020-29600 CVE-2020-35176
Debian Bug     : 891469 977190

It was discovered that Awstats, a web server log analyzer, was vulnerable
to path traversal attacks. A remote unauthenticated attacker could leverage
that to perform arbitrary code execution. The previous fix did not fully
address the issue when the default /etc/awstats/awstats.conf is not present.

For Debian 9 stretch, this problem has been fixed in version
7.6+dfsg-1+deb9u2.

We recommend that you upgrade your awstats packages.
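The advisory describes the general class of defect (a user-controlled configuration name that can escape the configuration directory, with a fallback path that was left unchecked when the default awstats.conf is absent) without giving code. The following is an added illustration written for this page, not awstats' own code or the Debian patch: it shows the containment check a configuration loader needs, applied to both the requested name and the fallback, so that a missing default config fails closed instead of being searched for elsewhere. The directory /etc/awstats and the file naming pattern awstats.<name>.conf are assumptions for the example.

```python
import os
import re
import tempfile

# Assumed configuration directory and file naming for the example; the
# advisory only names the default /etc/awstats/awstats.conf.
CONFIG_DIR = "/etc/awstats"
DEFAULT_CONFIG = "awstats.conf"

# Allow-list for the user-supplied site name: must start with an
# alphanumeric, then only alphanumerics, '.', '_' and '-'. No separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def _inside(base_dir, candidate):
    """True if candidate resolves to a location under base_dir (symlinks resolved)."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(candidate)
    return os.path.commonpath([base, resolved]) == base


def resolve_config_path(config_name, config_dir=CONFIG_DIR):
    """Map a user-supplied site name to its config file path, or None if rejected.

    Two independent checks: the name must match the allow-list (so '/', '\\'
    and absolute paths never reach the filesystem), and the joined path must
    still resolve inside config_dir (defence in depth against '..' and symlinks).
    """
    if not config_name or not SAFE_NAME.fullmatch(config_name) or ".." in config_name:
        return None
    candidate = os.path.join(config_dir, f"awstats.{config_name}.conf")
    if not _inside(config_dir, candidate):
        return None
    return candidate


def load_config(config_name, config_dir=CONFIG_DIR):
    """Return the config text for config_name, falling back to the default.

    The fallback is the point the advisory calls out: when the default file is
    missing, the loader must return None rather than widen its search to other
    directories, and the fallback path gets the same containment check.
    """
    path = resolve_config_path(config_name, config_dir)
    if path is not None and os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    fallback = os.path.join(config_dir, DEFAULT_CONFIG)
    if _inside(config_dir, fallback) and os.path.isfile(fallback):
        with open(fallback, encoding="utf-8") as fh:
            return fh.read()
    return None  # fail closed: no default config, no guessing elsewhere


if __name__ == "__main__":
    # Constructed demo: a throwaway config directory with one site config.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "awstats.example.com.conf"), "w", encoding="utf-8") as fh:
            fh.write("SiteDomain=example.com\n")
        print(load_config("example.com", tmp))          # the site config
        print(load_config("../../tmp/evil", tmp))       # None: name rejected, no default
        print(load_config("missing-site", tmp))         # None: no such config, no default
```

The regex alone would already reject every traversal payload; the realpath containment check is kept so that a later change to the naming rule (or a symlink planted inside the config directory) cannot quietly reopen the hole.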
For the detailed security status of awstats please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/awstats

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl/jXPMACgkQj/HLbo2J
BZ8ffQf/S9j+l7tp4Fr1YLM5ay6+KnE4R990cqE4SeoWdlPFRE+LWsvEB99wjCcq
Vu96Iirug69cgguN/nIxl+TiD4mp3Udv7uqFshyGl1N2vDV1c4/0U3B7rvYseboe
TefuqBTNtzQGDZWDnddZx/1mM1INifNw06ZFjx2SNolgXvtsbt1vBaj/9lFVfYor
DX3BatpUVe/+V9Idm4bOsObvyWFJzars2UeGaTrzVAI7JGP8RlrETGBh99CnPfmX
zot9Tm45o+wuQUHIJ/uETVxoggjJ6pu1pmvYNQTVyLY/gYL2s0qZ0Xc8yFZ5t+nb
fYf/Qdgv0MRnnS09PcUf9t9AXU7hUw==
=lkgC
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX+PAneNLKJtyKPYoAQiatQ//VMtJo08/ydtvUGz7df6Xu+HnCgv0QkKG
7WpYCAo/Ez0JFHOXke6TlUW8yZw2/cQR5GZs5twgCCFUFzGq8oIbgDwVy/OrdAK7
0Arp9mRMCnt/4c47ydhLwqcE3ukGcy9snpwwKrllMS1tiAR6jTwO1gUEnYtJUg9B
zpZNZmTO6rZqHUpu8TJl/1GEu887G12W9Ml3WXhJKLlckj7RNSsdJ4jql6FbrlOP
gOx6G8QAym1KnzUGcNEfrU8kxxEIWvnqE/oVktTswRmnQlImmKwADNRjWUAiHahB
QHPHP+45ckixYby6sf0m2RDuRLjnQC3ssfslNuIU3JqeAUr9Qv1xrWxMVBQ2jMuK
KtLmK5kHXj/qMoEExtETjHAmGYPa8e8CuFQbxEDsXUcDCbf6PIHf7bGQKgHuMfh8
ef+R1dVEU0U+cOmBeVr9EmsNbx47woEfQ3vFZcGWn2qIbizxWSxSwHoz8gl53HN2
fsh2HSIsjuX7GANpfRcgipwMOf0Hb1J1JGT9KW/DWYtGB664IfsgwOcM2pagtnrI
/WUsQW1Adg078cuKCz0AAl7/X40eEgTXykxA7pewmRaOvm6fUQIEJufHv5VSMvK2
IZWBmS4M1lUNwdOncHpEJfWpEXxyUIIpZzRBJOAUpwyFuKWZw4xTDg8f/NNPB1UG
UC//5l5nBoU=
=aeqq
-----END PGP SIGNATURE-----