Debian-LTS has issued an advisory on December 23:
CVE-2020-35176 is for an incomplete fix for the first CVE, so we need to fix it too, but it won't be in the advisory.
Mageia 7 is also affected.
Patched packages uploaded for Mageia 7 and Cauldron.
Updated awstats package fixes security vulnerability:
It was discovered that Awstats was vulnerable to path traversal attacks. A
remote unauthenticated attacker could leverage that to perform arbitrary code
execution. The previous fix did not fully address the issue when the default
/etc/awstats/awstats.conf is not present (CVE-2020-29600).
Updated packages in core/updates_testing:
Fedora has issued an advisory for this on January 8:
Installed and tested without issue.
Tested with apache httpd daemon and existing apache logs. No issues noticed.
One thing I should mention is that there is no access restriction on awstats.
Maybe restricting access to localhost only would be a better default, security- and privacy-wise.
System: Mageia 7, x86_64, Apache, Intel CPU.
$ uname -a
Linux marte 5.10.6-desktop-1.mga7 #1 SMP Sat Jan 9 20:09:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q awstats
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2021-01-14 10:43:40 WET; 14min ago
Main PID: 378 (httpd)
Status: "Total requests: 130; Idle/Busy workers 100/0;Requests/sec: 0.153; Bytes served/sec: 1.2KB/sec"
Tasks: 66 (limit: 4695)
├─378 /usr/sbin/httpd -DFOREGROUND
├─381 /usr/sbin/httpd -DFOREGROUND
└─382 /usr/sbin/httpd -DFOREGROUND
jan 14 10:43:40 marte systemd: Starting The Apache HTTP Server...
jan 14 10:43:40 marte systemd: Started The Apache HTTP Server.
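To illustrate the localhost-only default suggested in the comment above, here is an added Apache 2.4 example that is not part of the Mageia package or this bug report. The directory path and the `.pl` handler are assumptions made for the example; the packaged awstats httpd configuration may use different paths.

```apacheconf
# Added example (not the Mageia awstats package config).
# Assumed CGI directory; check the path the package actually installs.
<Directory "/usr/share/awstats/wwwroot/cgi-bin">
    Options ExecCGI
    AddHandler cgi-script .pl

    # Weak setting: the statistics (and the CGI itself) are reachable by anyone
    # who can reach the web server.
    # Require all granted

    # Safer default: only clients connecting from the local host may reach the
    # CGI. Widen this deliberately (e.g. "Require ip 192.0.2.0/24") if remote
    # administrators need access, rather than exposing it to the world.
    Require local
</Directory>
```

After changing the file, run `apachectl configtest` and reload httpd; a request from a remote address should then return HTTP 403 while `curl http://localhost/awstats/awstats.pl` (alias name assumed) still works.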
Validating. Advisory in Comment 1.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.