awstats: CVE-2017-1000501: path traversals in config and migrate parameter

Related Vulnerabilities: CVE-2017-1000501  

Debian Bug report logs - #885835


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 30 Dec 2017 10:09:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions awstats/7.6+dfsg-1, awstats/7.2+dfsg-1

Fixed in versions awstats/7.6+dfsg-2, awstats/7.6+dfsg-1+deb9u1, awstats/7.2+dfsg-1+deb8u1

Done: Abhijith PA <abhijith@openmailbox.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>: Bug#885835; Package src:awstats. (Sat, 30 Dec 2017 10:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>. (Sat, 30 Dec 2017 10:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: awstats: CVE-2017-1000501: path traversals in config and migrate parameter
Date: Sat, 30 Dec 2017 11:07:51 +0100
Source: awstats
Version: 7.6+dfsg-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for awstats.

CVE-2017-1000501[0]:
Path traversal flaws

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000501
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501
[1] http://www.openwall.com/lists/oss-security/2017/12/29/1
[2] https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899
[3] https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>: Bug#885835; Package src:awstats. (Sat, 13 Jan 2018 17:09:04 GMT)


Acknowledgement sent to Abhijith PA <abhijith@openmailbox.org>: Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Sat, 13 Jan 2018 17:09:04 GMT)


Message #10 received at 885835@bugs.debian.org:

From: Abhijith PA <abhijith@openmailbox.org>
To: 885835@bugs.debian.org
Subject: Re: awstats: CVE-2017-1000501: path traversals in config and migrate parameter
Date: Sat, 13 Jan 2018 22:26:34 +0530
Hello.

I am working on updating awstats for jessie and stretch.

--
Abhijith PA



Marked as found in versions awstats/7.2+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Jan 2018 21:45:07 GMT)


Reply sent to Adam Borowski <kilobyte@angband.pl>: You have taken responsibility. (Fri, 02 Feb 2018 01:39:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 02 Feb 2018 01:39:21 GMT)


Message #17 received at 885835-close@bugs.debian.org:

From: Adam Borowski <kilobyte@angband.pl>
To: 885835-close@bugs.debian.org
Subject: Bug#885835: fixed in awstats 7.6+dfsg-2
Date: Fri, 02 Feb 2018 01:34:48 +0000
Source: awstats
Source-Version: 7.6+dfsg-2

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Borowski <kilobyte@angband.pl> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 02 Feb 2018 02:21:35 +0100
Source: awstats
Binary: awstats
Architecture: source
Version: 7.6+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Adam Borowski <kilobyte@angband.pl>
Description:
 awstats    - powerful and featureful web server log analyzer
Closes: 885835
Changes:
 awstats (7.6+dfsg-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to the QA team.
   * Import fixes from Ubuntu.
     + CVE-2017-1000501, closes: #885835
     + but the fix for #858461 is incomplete
   * Drop ancient versioned Recommends on an essential package.
Checksums-Sha1:
 3bffe5ebc97835440f8c3f07976ac1947d3b40ba 1928 awstats_7.6+dfsg-2.dsc
 41a5922390afb173565a09139b7f8f1a6ccafd6d 38052 awstats_7.6+dfsg-2.debian.tar.xz
 f8a51ce8e1b05d51dbbeaf0ec191aba95e483af3 5341 awstats_7.6+dfsg-2_source.buildinfo
Checksums-Sha256:
 4eb251227293203aed33e540a103bb96b9248385517b566b1f756b9770a7a27e 1928 awstats_7.6+dfsg-2.dsc
 4499a730c0bd682d65e6dc712069218761ee6fd6c0614e758fb035c592cc49c7 38052 awstats_7.6+dfsg-2.debian.tar.xz
 4be145aa32cbeacac8a31fd3ec420abc37d09785864c8d428bb8429f4351e2f9 5341 awstats_7.6+dfsg-2_source.buildinfo
Files:
 f9409597dac443b175511d8a81576382 1928 web optional awstats_7.6+dfsg-2.dsc
 e1a20dc076885bbcce800947addb3569 38052 web optional awstats_7.6+dfsg-2.debian.tar.xz
 abb7790c49535c3567ac6a547ff92dc8 5341 web optional awstats_7.6+dfsg-2_source.buildinfo





Reply sent to Abhijith PA <abhijith@openmailbox.org>: You have taken responsibility. (Thu, 08 Feb 2018 21:21:26 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 08 Feb 2018 21:21:26 GMT)


Message #22 received at 885835-close@bugs.debian.org:

From: Abhijith PA <abhijith@openmailbox.org>
To: 885835-close@bugs.debian.org
Subject: Bug#885835: fixed in awstats 7.6+dfsg-1+deb9u1
Date: Thu, 08 Feb 2018 21:17:30 +0000
Source: awstats
Source-Version: 7.6+dfsg-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Abhijith PA <abhijith@openmailbox.org> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 15 Jan 2018 02:48:32 +0000
Source: awstats
Binary: awstats
Architecture: source all
Version: 7.6+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Abhijith PA <abhijith@openmailbox.org>
Description:
 awstats    - powerful and featureful web server log analyzer
Closes: 885835
Changes:
 awstats (7.6+dfsg-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix traversal flaw in the handling of the "config" and "migrate"
     parameters (CVE-2017-1000501) (Closes: #885835)
Checksums-Sha1:
 f5cf046211a253bcf8ee8e79bf407b69ff7677c8 1583 awstats_7.6+dfsg-1+deb9u1.dsc
 6238c3cc189a2e66bab612b9b1c7aab14dd8cc2e 2949231 awstats_7.6+dfsg.orig.tar.gz
 52fd775b5d8bfb1f880a409310f5ca4db838996a 37492 awstats_7.6+dfsg-1+deb9u1.debian.tar.xz
 6d0e6d356443d2a34439c3865b7e5a53cbe849ad 2001340 awstats_7.6+dfsg-1+deb9u1_all.deb
 145eaa180d8e93a230ea97aa098215d59bac8902 10005 awstats_7.6+dfsg-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 d0bbfbf942dbbc497bf63e3cfbbd00bc0cb1a8e55a112438981be8d46c33fd69 1583 awstats_7.6+dfsg-1+deb9u1.dsc
 ac19025ba103e65a1799f947d26562c0dd116d76414b461ad564fa36936a634e 2949231 awstats_7.6+dfsg.orig.tar.gz
 9c87bf93b56dcb521a740a8e9c2cbf425108cfcba1416f7ddeebb9a7868c48b4 37492 awstats_7.6+dfsg-1+deb9u1.debian.tar.xz
 197dd45bfc1bfd56161ca030962f27b066fbc3ce2c1bef3f11a58988e545dee3 2001340 awstats_7.6+dfsg-1+deb9u1_all.deb
 9ffa71317917172d28b109562dd5eb230d99363aa2e56245a0113b5b6d733585 10005 awstats_7.6+dfsg-1+deb9u1_amd64.buildinfo
Files:
 a2a74313f439613d60f3a84c7e24d1b9 1583 web optional awstats_7.6+dfsg-1+deb9u1.dsc
 3e0c2847f87aab80e2a220ccb56a860c 2949231 web optional awstats_7.6+dfsg.orig.tar.gz
 8c0c1c96281777df7551c941457396da 37492 web optional awstats_7.6+dfsg-1+deb9u1.debian.tar.xz
 c98aa66771d474c5cddcaaaade39ebb8 2001340 web optional awstats_7.6+dfsg-1+deb9u1_all.deb
 0bd3c6e74e3ede578fa0e1d77543f4f5 10005 web optional awstats_7.6+dfsg-1+deb9u1_amd64.buildinfo





Reply sent to Abhijith PA <abhijith@openmailbox.org>: You have taken responsibility. (Sat, 10 Feb 2018 21:06:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 10 Feb 2018 21:06:12 GMT)


Message #27 received at 885835-close@bugs.debian.org:

From: Abhijith PA <abhijith@openmailbox.org>
To: 885835-close@bugs.debian.org
Subject: Bug#885835: fixed in awstats 7.2+dfsg-1+deb8u1
Date: Sat, 10 Feb 2018 21:05:42 +0000
Source: awstats
Source-Version: 7.2+dfsg-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Abhijith PA <abhijith@openmailbox.org> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 15 Jan 2018 11:18:18 +0530
Source: awstats
Binary: awstats
Architecture: source all
Version: 7.2+dfsg-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Abhijith PA <abhijith@openmailbox.org>
Description:
 awstats    - powerful and featureful web server log analyzer
Closes: 885835
Changes:
 awstats (7.2+dfsg-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix traversal flaw in the handling of the "config" and "migrate"
     parameters (CVE-2017-1000501) (Closes: #885835)
Checksums-Sha1:
 9c74214c5f9a7e43fdcce925414b489b522c131a 1583 awstats_7.2+dfsg-1+deb8u1.dsc
 7feee2245e1824a48797a25c933820eaf5b546c6 1274461 awstats_7.2+dfsg.orig.tar.gz
 cbf0577e9c3cd419299fd22a2116e1b49b14bf1e 35864 awstats_7.2+dfsg-1+deb8u1.debian.tar.xz
 2c0274e70c43b4030049c31814c4abc69f09050b 833350 awstats_7.2+dfsg-1+deb8u1_all.deb
Checksums-Sha256:
 3b0612aa16626bf4594b3f97ba09f029eaadad97feac48085c86985618ccccb7 1583 awstats_7.2+dfsg-1+deb8u1.dsc
 312f9b4b90bb9ca12722fb6327e28bda61dfa8c0aef83241054087b8656fa002 1274461 awstats_7.2+dfsg.orig.tar.gz
 7af8862bc1b11031aeb00560d693c8cc9a0c0901097e28fbc366466a3f4e403e 35864 awstats_7.2+dfsg-1+deb8u1.debian.tar.xz
 42a23abb8c9a3dd79bafaeada4013fcf66517199cb0ba616ad71b1f07594a6e8 833350 awstats_7.2+dfsg-1+deb8u1_all.deb
Files:
 1a053e528ba8a290731ee4e32f011f55 1583 web optional awstats_7.2+dfsg-1+deb8u1.dsc
 5327b3845c4715774abe1f0a31940140 1274461 web optional awstats_7.2+dfsg.orig.tar.gz
 7c0a8dc76e5504fb0e2ef760c1b4b78f 35864 web optional awstats_7.2+dfsg-1+deb8u1.debian.tar.xz
 d9d4d74d2c0a1108bff6f6674346d2f8 833350 web optional awstats_7.2+dfsg-1+deb8u1_all.deb

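The report at the top of this log and the two security-update changelogs describe CVE-2017-1000501 as a path traversal in the handling of the "config" and "migrate" request parameters: a value taken from the query string ends up as part of a file name that awstats opens. The following is an added illustration of that bug class and of the allowlist check that closes it. It is written in Python rather than Perl and is not awstats' code, nor the content of the two upstream commits linked in the report. The file-name pattern awstats.<config>.conf, the configuration directory, the 254-character length cap and the sample payloads are assumptions made for this demo.

```python
"""Path traversal through a CGI 'config'/'migrate' parameter: the unsafe
lookup beside an allowlisted one.

Added illustration; not awstats' Perl code and not the upstream fix.
Assumed for the demo: the file-name pattern awstats.<config>.conf, the
temporary configuration directory, and the constructed payloads below.
"""
import os
import re
import tempfile

# Values a log analyser would legitimately accept as a site/config name:
# hostnames and simple labels. The first character must be alphanumeric
# (so "." and ".." cannot match); the rest may be letters, digits, dot,
# dash or underscore. No slash or backslash of either kind, ever.
_SITE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,253}")


class BadParameter(ValueError):
    """Raised when a request parameter fails validation."""


def resolve_config_unsafe(conf_dir: str, config: str) -> str:
    """The vulnerable shape: the parameter reaches the path unchecked.

    Both classic traversal forms escape conf_dir:
      - '../../etc/passwd' walks up and out of the directory
      - '/etc/passwd' is absolute, so os.path.join discards conf_dir
    """
    return os.path.normpath(os.path.join(conf_dir, config))


def is_safe_site_name(value: str) -> bool:
    """Allowlist check for a value that will become part of a file name."""
    if "\x00" in value:  # a NUL byte truncates the name in C/Perl opens
        return False
    return _SITE_NAME.fullmatch(value) is not None


def resolve_config(conf_dir: str, config: str) -> str:
    """Hardened lookup: allowlist the value, build the name, then confirm
    the resolved path still lies under conf_dir (defence in depth against
    symlinks inside the directory or a future edit to the pattern)."""
    if not is_safe_site_name(config):
        raise BadParameter(f"rejected config value {config!r}")
    path = os.path.join(conf_dir, f"awstats.{config}.conf")
    root = os.path.realpath(conf_dir)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise BadParameter(f"config {config!r} resolves outside {conf_dir}")
    return path


def audit_query(params: dict) -> dict:
    """Apply the same rule to every parameter that names a file; for awstats
    that is both 'config' and 'migrate'. Returns {parameter: reason} for the
    ones that fail, an empty dict when all present values pass."""
    bad = {}
    for name in ("config", "migrate"):
        value = params.get(name)
        if value is not None and not is_safe_site_name(value):
            bad[name] = "contains characters outside the site-name allowlist"
    return bad


def demo() -> dict:
    """Run both lookups over constructed payloads; returns {payload: (unsafe, safe)}."""
    conf_dir = tempfile.mkdtemp(prefix="awstats-demo-")
    with open(os.path.join(conf_dir, "awstats.example.com.conf"), "w") as fh:
        fh.write("LogFile=/var/log/apache2/access.log\n")  # constructed sample
    payloads = ["example.com", "../../etc/passwd", "/etc/passwd", "x\x00y", "a/b"]
    result = {}
    for p in payloads:
        unsafe = resolve_config_unsafe(conf_dir, p)
        try:
            safe = resolve_config(conf_dir, p)
        except BadParameter as exc:
            safe = f"rejected: {exc}"
        result[p] = (unsafe, safe)
    return result


if __name__ == "__main__":
    for param, (unsafe, safe) in demo().items():
        print(f"{param!r:24} unsafe -> {unsafe}\n{'':24} safe   -> {safe}")
```

The allowlist is the actual fix; the realpath containment check is there so that a later change to the file-name pattern, or a symlink dropped into the configuration directory, does not silently reopen the hole. Run the script to see each payload's unsafe resolution next to the hardened outcome.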




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:26:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:10 2019
