-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Dec 2020 15:25:22 +0100
Source: awstats
Binary: awstats
Architecture: source
Version: 7.6+dfsg-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 awstats - powerful and featureful web server log analyzer
Closes: 891469 977190
Changes:
 awstats (7.6+dfsg-1+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute
     pathname, even though it was intended to only read a file in the
     /etc/awstats/awstats.conf format. NOTE: this issue exists because of
     an incomplete fix for CVE-2017-1000501. (Closes: #891469)
   * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
     accepts a partial absolute pathname (omitting the initial /etc), even
     though it was intended to only read a file in the
     /etc/awstats/awstats.conf format. NOTE: this issue exists because of
     an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
     (Closes: #977190)