Package "awstats"

Name: awstats


powerful and featureful web server log analyzer

Latest version: 7.6+dfsg-2ubuntu0.18.04.1
Release: bionic (18.04)
Level: updates
Repository: main
Homepage: http://awstats.sourceforge.net/



Other versions of "awstats" in Bionic

Repository Area Version
base main 7.6+dfsg-2
security main 7.6+dfsg-2ubuntu0.18.04.1


Version: 7.6+dfsg-2ubuntu0.18.04.1 2021-05-13 19:06:23 UTC

  awstats (7.6+dfsg-2ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2020-29600.patch: Disable parsing arbitrary files in
      wwwroot/cgi-bin/awstats.pl, introduced by an incomplete fix for
    - CVE-2020-29600
  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2020-35176.patch: Disable parsing /etc/ dir in
      wwwroot/cgi-bin/awstats.pl, introduced by an incomplete fix for
    - CVE-2020-35176

 -- Avital Ostromich <email address hidden> Mon, 19 Apr 2021 21:27:22 -0400

CVE-2020-29600 In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/
CVE-2017-1000501 Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthen
CVE-2020-35176 In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to on
