UbuntuUpdates.org

Package "awstats"

Name: awstats

Description:

powerful and featureful web server log analyzer
Latest version: 7.6+dfsg-2ubuntu0.20.04.2
Release: focal (20.04)
Level: updates
Repository: main
Homepage: http://awstats.sourceforge.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "awstats"

All arch deb package
APT INSTALL

Other versions of "awstats" in Focal

Repository Area Version
base main 7.6+dfsg-2
security main 7.6+dfsg-2ubuntu0.20.04.2

Changelog

Version: 7.6+dfsg-2ubuntu0.20.04.2 2023-02-28 13:06:58 UTC

  awstats (7.6+dfsg-2ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: cross site scripting
    - debian/patches/CVE-2022-46391.patch: fix XSS in hostinfo plugin due to
      printing whois response without proper checks.
    - CVE-2022-46391

 -- Fabian Toepfer <email address hidden> Mon, 27 Feb 2023 21:27:24 +0100
Source diff to previous version
CVE-2022-46391 AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.

Version: 7.6+dfsg-2ubuntu0.20.04.1 2021-05-13 19:06:25 UTC

  awstats (7.6+dfsg-2ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2020-29600.patch: Disable parsing arbitrary files in
      wwwroot/cgi-bin/awstats.pl, introduced by an incomplete fix for
      CVE-2017-1000501.
    - CVE-2020-29600
  * SECURITY UPDATE: Path traversal
    - debian/patches/CVE-2020-35176.patch: Disable parsing /etc/ dir in
      wwwroot/cgi-bin/awstats.pl, introduced by an incomplete fix for
      CVE-2017-1000501.
    - CVE-2020-35176

 -- Avital Ostromich <email address hidden> Mon, 19 Apr 2021 21:24:07 -0400
CVE-2020-29600 In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/
CVE-2017-1000501 Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthen
CVE-2020-35176 In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to on


About   -   Send Feedback to @ubuntu_updates