UbuntuUpdates.org

Package "awstats"

Name: awstats

Description:

powerful and featureful web server log analyzer

Latest version: 7.6+dfsg-2ubuntu0.20.04.2
Release: focal (20.04)
Level: updates
Repository: main
Homepage: http://awstats.sourceforge.net/

Other versions of "awstats" in Focal

Repository   Area   Version
base         main   7.6+dfsg-2
security     main   7.6+dfsg-2ubuntu0.20.04.2

Changelog

Version: 7.6+dfsg-2ubuntu0.20.04.2 2023-02-28 13:06:58 UTC

  awstats (7.6+dfsg-2ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: cross site scripting
    - debian/patches/CVE-2022-46391.patch: fix XSS in hostinfo plugin due to
      printing whois response without proper checks.
    - CVE-2022-46391

 -- Fabian Toepfer <email address hidden> Mon, 27 Feb 2023 21:27:24 +0100

CVE-2022-46391 AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.

Version: 7.6+dfsg-2ubuntu0.20.04.1 2021-05-13 19:06:25 UTC

  awstats (7.6+dfsg-2ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2020-29600.patch: Disable parsing arbitrary files in
      wwwroot/cgi-bin/awstats.pl, introduced by an incomplete fix for
      CVE-2017-1000501.
    - CVE-2020-29600
  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2020-35176.patch: Disable parsing /etc/ dir in
      wwwroot/cgi-bin/awstats.pl, introduced by an incomplete fix for
      CVE-2017-1000501.
    - CVE-2020-35176

 -- Avital Ostromich <email address hidden> Mon, 19 Apr 2021 21:24:07 -0400

CVE-2020-29600 In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/
CVE-2017-1000501 Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthen
CVE-2020-35176 In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to on
