Debian-LTS has issued an advisory on December 23: https://www.debian.org/lts/security/2020/dla-2506

CVE-2020-35176 is for an incomplete fix for the first CVE, so we need to fix it too, but it won't be in the advisory.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Patched packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated awstats package fixes security vulnerability:

It was discovered that Awstats was vulnerable to path traversal attacks. A remote unauthenticated attacker could leverage that to perform arbitrary code execution. The previous fix did not fully address the issue when the default /etc/awstats/awstats.conf is not present (CVE-2020-29600).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29600
https://www.debian.org/lts/security/2020/dla-2506
========================

Updated packages in core/updates_testing:
========================

awstats-7.7-1.1.mga7

from awstats-7.7-1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
Source RPM: awstats-7.8-1.mga8.src.rpm => awstats-7.7-1.mga7.src.rpm
Fedora has issued an advisory for this on January 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV/
Installed and tested without issue.

Tested with apache httpd daemon and existing apache logs. No issues noticed.

One thing I should mention is that there is no access restriction to awstats. Maybe restricting access to localhost only would be a better default, security- and privacy-wise.

System: Mageia 7, x86_64, Apache, Intel CPU.

$ uname -a
Linux marte 5.10.6-desktop-1.mga7 #1 SMP Sat Jan 9 20:09:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q awstats
awstats-7.7-1.1.mga7

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-14 10:43:40 WET; 14min ago
 Main PID: 378 (httpd)
   Status: "Total requests: 130; Idle/Busy workers 100/0;Requests/sec: 0.153; Bytes served/sec: 1.2KB/sec"
    Tasks: 66 (limit: 4695)
   Memory: 33.1M
   CGroup: /system.slice/httpd.service
           ├─378 /usr/sbin/httpd -DFOREGROUND
           ├─381 /usr/sbin/httpd -DFOREGROUND
           └─382 /usr/sbin/httpd -DFOREGROUND

jan 14 10:43:40 marte systemd[1]: Starting The Apache HTTP Server...
jan 14 10:43:40 marte systemd[1]: Started The Apache HTTP Server.
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
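As an added example (not from this bug report or the Mageia awstats package), the localhost-only restriction suggested in the QA comment above, written as Apache 2.4 access control for the awstats CGI: the permissive stanza that leaves the script reachable from anywhere next to one that only serves requests originating on the server itself. The /var/www/cgi-bin/awstats directory and the 192.0.2.0/24 admin subnet are assumed placeholders.

```apache
# Added example, not part of the awstats package or the Mageia update.
# Directory path and subnet below are assumptions / placeholders.

# Permissive: anyone who can reach the web server can call awstats.pl,
# including its 'config' query parameter that the CVE-2020-29600 fix concerns.
<Directory "/var/www/cgi-bin/awstats">
    Options ExecCGI
    Require all granted
</Directory>

# Restricted: only requests from the host itself are served.
# 'Require local' matches 127.0.0.0/8, ::1, or a client address equal to
# the server's own address, so remote clients get 403 before the CGI runs.
<Directory "/var/www/cgi-bin/awstats">
    Options ExecCGI
    Require local
</Directory>

# Variant if an administrator network also needs the reports
# (placeholder subnet; replace with the real one):
#
#     <Directory "/var/www/cgi-bin/awstats">
#         Options ExecCGI
#         <RequireAny>
#             Require local
#             Require ip 192.0.2.0/24
#         </RequireAny>
#     </Directory>
```

Only one of the two <Directory> stanzas should be present in a real configuration; they are shown side by side for comparison.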
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-29600
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0024.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED