Bug 35407 - awstats new security issue CVE-2025-63261
Summary: awstats new security issue CVE-2025-63261
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-27 10:32 CEST by Nicolas Salguero
Modified: 2026-05-15 08:17 CEST

See Also:
Source RPM: awstats-7.9-1.mga9.src.rpm
CVE: CVE-2025-63261
Status comment:
mageia: test_passed_mga9_64+


Attachments
Screenshot of the awstats webpage with the "Update" link. (61.48 KB, image/jpeg)
2026-05-14 16:43 CEST, PC LX

Nicolas Salguero 2026-04-27 10:33:22 CEST

Flags: (none) => affects_mga9+
Source RPM: (none) => awstats-8.0-1.mga10.src.rpm, awstats-7.9-1.mga9.src.rpm
CVE: (none) => CVE-2025-63261
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Nicolas Salguero 2026-04-28 15:35:24 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated package fixes a security vulnerability:

AWStats 8.0 is vulnerable to Command Injection via the open function. (CVE-2025-63261)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GP4DGW2LGHINXKYPZWR2WJ5DMROGGO66/
========================

Updated package in core/updates_testing:
========================
awstats-7.9-1.1.mga9

from SRPM:
awstats-7.9-1.1.mga9.src.rpm

Status comment: Patch available from Fedora => (none)
Source RPM: awstats-8.0-1.mga10.src.rpm, awstats-7.9-1.mga9.src.rpm => awstats-7.9-1.mga9.src.rpm
Status: NEW => ASSIGNED
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
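
The advisory above names the bug only as "Command Injection via the open function". The Perl pattern that description classically refers to is the two-argument open(), where the string itself selects a pipe mode; the added example below is not AWStats code and assumes that bug class rather than the exact fixed line, showing the vulnerable shape beside the hardened three-argument form with an allowlisted name.

```perl
#!/usr/bin/perl
# Added example, not AWStats code. Assumes the "command injection via open"
# class of bug: a two-argument open() fed an attacker-chosen file name.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Vulnerable shape: with two arguments, Perl parses the mode out of the
# string. A name ending in '|' is treated as a command to run, not a path.
sub read_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return undef;   # mode taken from $name itself
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Hardened shape: explicit '<' mode means $name can only be a path, and an
# allowlist rejects separators and shell metacharacters before any syscall.
sub read_three_arg {
    my ($dir, $name) = @_;
    return undef unless $name =~ /\A[A-Za-z0-9_.-]+\z/;
    open(my $fh, '<', "$dir/$name") or return undef;
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Constructed inputs: a real temporary data file and a hostile "file name".
my ($tmp_fh, $tmp_path) = tempfile();
print {$tmp_fh} "hits=42\n";
close $tmp_fh;
my ($dir, $base) = $tmp_path =~ m{\A(.*)/([^/]+)\z};
my $hostile = 'echo INJECTED |';

my $good = read_three_arg($dir, $base);
print "legitimate name -> ", (defined $good ? $good : "undef\n");
print "hostile name    -> ", (defined read_three_arg($dir, $hostile) ? "read\n" : "rejected\n");
# read_two_arg($hostile) would run 'echo INJECTED' via the shell and return
# its output; it is shown above for contrast and deliberately not called.
```

With the allowlist in place the hostile name never reaches open() at all, so the mode argument is the second line of defence rather than the only one.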

katnatek 2026-04-29 03:24:25 CEST

Keywords: (none) => advisory

Comment 2 PC LX 2026-04-30 11:46:47 CEST
The update package installed without issue.

There is one issue.

When clicking the "Update" link on the awstats page the following message is shown and the page is not updated.
"""
Error: Couldn't open file "/var/lib/awstats/awstats042026.tmp.2547328" for write: Permission denied

Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
"""

This issue is caused by the ownership (or permissions) of the directory /var/lib/awstats.
The awstats script runs as the HTTP server user (apache in my case) so it does not have write access to the directory /var/lib/awstats, which is owned by root. The periodic stats updates run through cron (or equivalent) work correctly since the cron script runs as root.

Giving rwx permissions to user apache for the directory /var/lib/awstats solves the issue (setfacl -m u:apache:rwx /var/lib/awstats). Changing the ownership to apache:apache would also work.

Since the awstats package comes preconfigured to work with the Apache HTTP server, I think this issue should be fixed so that awstats is fully functional in the default configuration.

Anyway, I will leave it to the packager to decide if the above issue needs attention, or if the package is OK as is.

All else seems to be working correctly.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



$ uname -a
Linux marte 6.6.130-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Mar 26 04:13:58 UTC 2026 x86_64 GNU/Linux
$ rpm -q awstats
awstats-7.9-1.1.mga9
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-04-30 09:50:29 WEST; 46min ago
   Main PID: 2539002 (httpd)
     Status: "Total requests: 770; Idle/Busy workers 100/0;Requests/sec: 0.278; Bytes served/sec: 3.9KB/sec"
      Tasks: 54 (limit: 18732)
     Memory: 49.7M
        CPU: 17.940s
     CGroup: /system.slice/httpd.service
             ├─2539002 /usr/sbin/httpd -DFOREGROUND
             ├─2539003 /usr/sbin/httpd -DFOREGROUND
             └─2539004 /usr/sbin/httpd -DFOREGROUND

abr 30 09:50:29 marte systemd[1]: Starting httpd.service...
abr 30 09:50:29 marte systemd[1]: Started httpd.service.

CC: (none) => mageia

Comment 3 Herman Viaene 2026-05-05 11:58:48 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
I have no clue what is meant by '"Update" link on the awstats page', so I first installed the previous version and ran the command as in bug 31230 Comment 3 and got the same result, which seemed OK.
Installed the newer version and ran that command again, but because it does not find anything, it does not write a file.
Did as in previous update and rummaged in phpmyadmin and ran the command again:
# /usr/share/awstats/www/awstats.pl -config=awstats.conf -update
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.9 (build 20230108)
From data in log file "/var/log/httpd/access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 140
 Found 0 dropped records,
 Found 0 comments,
 Found 0 blank records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 140 new qualified records.
Checked and found a file created awstats052026.txt in /var/lib/awstats, owned by root. And /var/lib/awstats is also owned by root.
Trying to run as another user will of course then fail.
So, is awstats meant to be run only by user root???

CC: (none) => herman.viaene

Comment 4 PC LX 2026-05-07 18:55:10 CEST
(In reply to Herman Viaene from comment #3)
> Trying to run as another user will af course then fail.
> So, is awstats meant to be run only by user root???

In the awstats web page, at the top, there is a "Update" link. If /var/lib/awstats has the default permission, clicking that link will show the error message I mentioned in comment 2.

Adding write permissions for the apache user to the /var/lib/awstats directory will resolve that issue, and the stats will be updated if and when the user clicks that link.
Comment 5 Herman Viaene 2026-05-08 09:58:49 CEST
But again, what is that awstats web page you write about???
Comment 6 PC LX 2026-05-08 10:42:50 CEST
(In reply to Herman Viaene from comment #5)
> But again, what is that awstats web page you write about???

The web pages at "https://localhost/awstats/". If you are accessing the computer with awstats remotely, change the localhost to the appropriate domain name, or IP. These web pages show web stats, and at the top of the pages there is an "Update" link. Click on that link and you will see the error message.
Comment 7 PC LX 2026-05-14 14:29:39 CEST
This is a security update so we need to push this forward, as is or with some changes.
What do you think should be done, Herman Viaene?
Comment 8 Herman Viaene 2026-05-14 15:53:20 CEST
Well, whether I approach the website locally or remotely, I don't see an "Update" link. All I get on top of the page is a frame with, at right, a link to the "Awstats Web site" and, in the middle, the current date and checkboxes to select the reporting period and an "OK" button.
And the contents seem OK to me.
So as far as I can see it, I would not object to let it go.
Comment 9 PC LX 2026-05-14 16:43:12 CEST
Created attachment 15565
Screenshot of the awstats webpage with the "Update" link.
Comment 10 PC LX 2026-05-14 16:49:03 CEST
Maybe I changed the settings from the default. If the default does not show the update link then my issue is not important. I'm giving this update the OK for x86_64.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 11 Herman Viaene 2026-05-14 16:51:03 CEST
No, that link is not there in my tests. Agree on the OK.
Comment 12 Thomas Andrews 2026-05-15 04:10:36 CEST
Thanks, guys. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 13 Mageia Robot 2026-05-15 08:17:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0138.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

