Two security issues fixed upstream in awstats have been announced: http://openwall.com/lists/oss-security/2017/12/27/1 The commits to fix the issues are linked in the message above. CVEs have been requested but not assigned yet. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Patches applied on cauldron with updates submitted to testing on mga5 and mga6 - see http://pkgsubmit.mageia.org/ .
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED
Advisory:
========================

Updated awstats package fixes security vulnerabilities:

The cPanel Security Team discovered two path traversal flaws in awstats in the "config" and "migrate" parameters that could be leveraged for unauthenticated remote code execution.

References:
http://openwall.com/lists/oss-security/2017/12/27/1
========================

Updated packages in core/updates_testing:
========================

awstats-7.3-3.1.mga5
awstats-7.5-1.1.mga6

from SRPMS:
awstats-7.3-3.1.mga5.src.rpm
awstats-7.5-1.1.mga6.src.rpm
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Looking for info, found bug 7520 with files to use in test, but things may have changed in the meantime. After putting the files in place I get:

# /usr/share/awstats/www/awstats.pl -config=awstats.conf -update
Error: Plugin load for plugin 'ipv6' failed with return code: Error: Can't locate Net/IP.pm in @INC (you may need to install the Net::IP module) (@INC contains: /usr/lib/perl5/site_perl/5.20.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.20.1 /usr/lib/perl5/vendor_perl/5.20.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.20.1 /usr/lib/perl5/5.20.1/i386-linux-thread-multi /usr/lib/perl5/5.20.1 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.20.1 /usr/lib/perl5/vendor_perl/5.20.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl . /usr/share/awstats/lib /usr/share/awstats/plugins) at (eval 2) line 1.
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

Googling put me on another path:

# perl awstats_configure.pl
----- AWStats awstats_configure 1.0 (build 20140126) (c) Laurent Destailleur -----
This tool will help you to configure AWStats to analyze statistics for one web server. You can try to use it to let it do all that is possible in AWStats setup, however following the step by step manual setup documentation (docs/index.html) is often a better idea. Above all if:
- You are not an administrator user,
- You want to analyze downloaded log files without web server,
- You want to analyze mail or ftp log files instead of web log files,
- You need to analyze load balanced servers log files,
- You want to 'understand' all possible ways to use AWStats...
Read the AWStats documentation (docs/index.html).

-----> Running OS detected: Linux, BSD or Unix
Warning: AWStats standard directory on Linux OS is '/usr/local/awstats'.
If you want to use standard directory, you should first move all content of AWStats distribution from current directory:
/usr/share/awstats
to standard directory:
/usr/local/awstats
And then, run configure.pl from this location.
Do you want to continue setup from this NON standard directory [yN] ? y

-----> Check for web server install
Enter full config file path of your Web server.
Example: /etc/httpd/httpd.conf
Example: /usr/local/apache2/conf/httpd.conf
Example: c:\Program files\apache group\apache\conf\httpd.conf
Config file path ('none' to skip web server setup):
> /etc/httpd/httpd.conf
- This file does not exists.
Config file path ('none' to skip web server setup):
> /etc/httpd/conf/httpd.conf

-----> Check and complete web server config file '/etc/httpd/conf/httpd.conf'
Add 'Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/"'
Add 'Alias /awstatscss "/usr/share/awstats/wwwroot/css/"'
Add 'Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/"'
Add 'ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"'
Add '<Directory>' directive
AWStats directives added to Apache config file.

-----> Need to create a new config file ?
Do you want me to build a new AWStats config/profile file (required if first install) [y/N] ? y

-----> Define config file name to create
What is the name of your web site or profile analysis ?
Example: www.mysite.com
Example: demo
Your web site, virtual server or profile name:
> www.hermanviaene.be

-----> Define config file path
In which directory do you plan to store your config file(s) ?
Default: /etc/awstats
Directory path to store config file(s) (Enter for default):
>

-----> Create config file '/etc/awstats/awstats.www.hermanviaene.be.conf'
Error: Failed to open '/usr/share/awstats/wwwroot/cgi-bin/awstats.model.conf' for read.

I found out that the whole wwwroot folder is not present; it's www, and it contains folders css, icon and js; the others mentioned above are not there. Spending too much time on it now.
CC: (none) => herman.viaene
CVE assignment: http://openwall.com/lists/oss-security/2017/12/29/1

Advisory:
========================

Updated awstats package fixes security vulnerabilities:

The cPanel Security Team discovered two path traversal flaws in awstats in the "config" and "migrate" parameters that could be leveraged for unauthenticated remote code execution (CVE-2017-1000501).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501
http://openwall.com/lists/oss-security/2017/12/29/1
Summary: awstats new path traversal security issues => awstats new path traversal security issues (CVE-2017-1000501)
CC: (none) => davidwhodgins
Keywords: (none) => advisory
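As an added illustration of the flaw class the advisory names (path traversal through the "config" and "migrate" parameters of awstats.pl), here is a small Python checker that is not part of this bug report and not awstats' own code. It applies an allow-list to the two parameter values (a bare file-name component with no separators and no ".."; that allow-list is an assumption made for the example, not the check awstats applies upstream) and runs it over a few constructed Apache access-log lines, percent-decoding repeatedly so that double-encoded traversal sequences are not missed. It is meant for reviewing web-server logs on a host that still ran an unpatched package, or as a model for a WAF/reverse-proxy rule in front of awstats.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two awstats.pl query parameters named in the advisory for CVE-2017-1000501.
WATCHED_PARAMS = ("config", "migrate")

# Allow-list for what these parameters are expected to carry: a bare file-name
# component (a profile such as "www.example.com", or a history-file name such
# as "awstats012018.www.example.com.txt"). This pattern is an assumption made
# for the example, not the check awstats applies upstream.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Apache "combined"-style access-log line (format of the constructed sample).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_safe_name(value: str) -> bool:
    """True if value is a single path component with no traversal or separators."""
    if ".." in value:
        return False
    return SAFE_NAME.match(value) is not None


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '%252e%252e' is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (param, decoded_value) pairs for watched params that fail the allow-list."""
    hits = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for raw in values:  # parse_qs has already removed one layer of encoding
            value = decode_fully(raw)
            if not is_safe_name(value):
                hits.append((name.lower(), value))
    return hits


def scan_access_log(text: str) -> list:
    """Scan log text; return (ip, param, value) for every request that trips the check."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "awstats" not in urlsplit(target).path.lower():
            continue  # only requests to awstats.pl carry these parameters
        for param, value in suspicious_params(target):
            findings.append((m.group("ip"), param, value))
    return findings


# Constructed sample lines: one legitimate profile, three traversal attempts
# (plain, percent-encoded, double-encoded), one legitimate migrate call, one
# unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:00:01 +0100] "GET /awstats/awstats.pl?config=www.example.com HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2018:10:00:02 +0100] "GET /awstats/awstats.pl?config=../../../../tmp/x HTTP/1.1" 200 318
203.0.113.9 - - [10/Jan/2018:10:00:03 +0100] "GET /awstats/awstats.pl?config=%2e%2e%2f%2e%2e%2fetc%2fx HTTP/1.1" 200 318
203.0.113.9 - - [10/Jan/2018:10:00:04 +0100] "GET /awstats/awstats.pl?config=%252e%252e%252fevil HTTP/1.1" 200 318
203.0.113.5 - - [10/Jan/2018:10:00:05 +0100] "GET /awstats/awstats.pl?config=www.example.com&migrate=awstats012018.www.example.com.txt HTTP/1.1" 200 7001
198.51.100.7 - - [10/Jan/2018:10:00:06 +0100] "GET /index.html HTTP/1.1" 200 1234
"""

if __name__ == "__main__":
    for ip, param, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {param}={value!r} fails the file-name allow-list")
```

The check deliberately rejects rather than canonicalises: a value that is supposed to name one file has no business containing a separator or "..", so there is no need to resolve it against the config directory and compare prefixes. A log scan like this only shows what the web server recorded; the mitigation that actually closes the hole is the patched package (awstats-7.3-3.1.mga5 / awstats-7.5-1.1.mga6 above).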
Ran the cron job, restarted httpd.service, and confirmed that http://localhost/awstats/ shows info. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0045.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED