Control: severity -1 serious

On Sat, Dec 12, 2020 at 10:18:21AM +0100, Salvatore Bonaccorso wrote:
> Source: awstats
> Version: 7.8-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/eldy/awstats/issues/195
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for awstats, which is a
> follow-up to CVE-2020-29600 (incomplete fix for it, and previously
> CVE-2017-1000501, cf. #891469).
>
> CVE-2020-35176[0]:
> | In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial
> | absolute pathname (omitting the initial /etc), even though it was
> | intended to only read a file in the /etc/awstats/awstats.conf format.
> | NOTE: this issue exists because of an incomplete fix for
> | CVE-2017-1000501 and CVE-2020-29600.
I'm raising the severity of this issue to RC. Rationale behind this: The package is currently basically QA maintained but has open security issues. That assures we have it either not in bullseye or with the issues fixed in bullseye.

Regards,
Salvatore
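As an added illustration, not part of the bug report and not AWStats' own code, here is the kind of two-layer check a maintainer would want for a `config=` style parameter: a strict allowlist on the bare site name, plus a containment check on the resolved path. It is written in Python rather than AWStats' Perl; the `/etc/awstats` directory and the `awstats.<name>.conf` naming are assumptions for the example.

```python
import os
import re
from typing import Optional

# Assumed configuration directory, mirroring the /etc/awstats/awstats.conf
# layout named in the CVE text (assumption for this example, not AWStats code).
CONFIG_DIR = "/etc/awstats"

# A config= value must be a bare site name: alphanumerics, '_', '-' and '.',
# not starting with '.', and never containing a path separator. Absolute
# paths, "partial absolute" paths such as "awstats/awstats.conf" and any
# "../" traversal fail this allowlist before a path is even built.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def config_path_for(name: str, config_dir: str = CONFIG_DIR) -> Optional[str]:
    """Map a config= value to <config_dir>/awstats.<name>.conf, or None if unsafe."""
    # Layer 1: allowlist on the raw value. Reject ".." as well, even though the
    # regex already forbids separators, so the two layers stay independent.
    if not _SAFE_NAME.fullmatch(name) or ".." in name:
        return None
    candidate = os.path.normpath(os.path.join(config_dir, f"awstats.{name}.conf"))
    # Layer 2: the normalised result must still live under config_dir. This
    # catches any future mistake in the allowlist rather than trusting it alone.
    base = os.path.normpath(config_dir) + os.sep
    if not candidate.startswith(base):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate site name and several that
    # must be rejected (absolute, partial-absolute, traversal, empty).
    for value in ["example.org", "/etc/passwd", "awstats/awstats.conf", "../../tmp/x", ""]:
        print(f"{value!r:28} -> {config_path_for(value)}")
```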