Your message dated Wed, 16 Feb 2005 22:17:06 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#291064: fixed in awstats 6.3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Jan 2005 23:06:14 +0000
From [EMAIL PROTECTED] Wed Jan 19 15:06:13 2005
Return-path: <[EMAIL PROTECTED]>
Received: from imap.gmx.net (mail.gmx.net) [213.165.64.20]
    by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
    id 1CrOtx-0003Ce-00; Wed, 19 Jan 2005 15:06:13 -0800
Received: (qmail invoked by alias); 19 Jan 2005 23:05:41 -0000
Received: from pD9EB2452.dip0.t-ipconnect.de (EHLO test.wgdd.de) (217.235.36.82)
    by mail.gmx.net (mp011) with SMTP; 20 Jan 2005 00:05:41 +0100
X-Authenticated: #21856709
Received: from dl by test.wgdd.de with local (Exim 3.36 #1 (Debian))
    id 1CrOvl-0004FK-00; Thu, 20 Jan 2005 00:08:05 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Daniel Leidert <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: awstats: possible remote command execution vulnerability (iDEFENSE)
X-Mailer: reportbug 3.5
Date: Thu, 20 Jan 2005 00:08:05 +0100
Message-Id: <[EMAIL PROTECTED]>
Sender: Daniel Leidert <[EMAIL PROTECTED]>
X-Y-GMX-Trusted: 0
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
    (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
    autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

Package: awstats
Version: 6.2-1
Severity: grave
Justification: user security hole

As published by iDEFENSE:

  Remote exploitation of an input
  validation vulnerability in AWStats allows attackers to execute
  arbitrary commands under the privileges of the web server ...

  http://www.idefense.com/application/poi/display?id=185

Please check for a possible vulnerability in the Debian package of awstats.

Regards, Daniel

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.10041210
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages awstats depends on:
ii  perl [libstorable-perl]    5.8.4-5    Larry Wall's Practical Extraction

-- no debconf information

---------------------------------------
Received: (at 291064-close) by bugs.debian.org; 17 Feb 2005 03:23:39 +0000
From [EMAIL PROTECTED] Wed Feb 16 19:23:39 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
    by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
    id 1D1cGQ-0007dO-00; Wed, 16 Feb 2005 19:23:38 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
    id 1D1cA6-0003py-00; Wed, 16 Feb 2005 22:17:06 -0500
From: Jonas Smedegaard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#291064: fixed in awstats 6.3-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 16 Feb 2005 22:17:06 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
    (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
    autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

Source: awstats
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.3-1.diff.gz to pool/main/a/awstats/awstats_6.3-1.diff.gz
awstats_6.3-1.dsc to pool/main/a/awstats/awstats_6.3-1.dsc
awstats_6.3-1_all.deb to
  pool/main/a/awstats/awstats_6.3-1_all.deb
awstats_6.3.orig.tar.gz to pool/main/a/awstats/awstats_6.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 5 Feb 2005 17:13:48 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
 awstats    - powerful and featureful web server log analyzer
Closes: 291064 293668 293702 294488
Changes:
 awstats (6.3-1) unstable; urgency=high
 .
   * New upstream release. Closes: bug#293702, #293668 (thanks to
     Nelson A. de Oliveira <[EMAIL PROTECTED]>).
     + Includes upstream fix for security bug fixed in 6.2-1.1.
     + Includes upstream fix for most of security bug fixed in 6.2-1.1.
   * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to
     Martin Schulze <[EMAIL PROTECTED]>, Martin Pitt <[EMAIL PROTECTED]>,
     Ubuntu, Joey Hess <[EMAIL PROTECTED]>, Frank Lichtenheld
     <[EMAIL PROTECTED]> and Steve Langasek <[EMAIL PROTECTED]>).
   * Include patch for last parts of security bug fixed in 6.2-1.1:
     01_sanitize_more.patch.
   * Patch (02) to include snapshot of recent development:
     + Fix security hole that allowed a user to read log file content
       even when plugin rawlog was not enabled.
     + Fix a possible use of AWStats for a DoS attack.
     + configdir option was broken on windows servers.
     + DebugMessages is by default set to 0 for security reasons.
     + Minor fixes.
   * References:
     CAN-2005-0435 - read server logs via loadplugin and pluginmode
     CAN-2005-0436 - code injection via PluginMode
     CAN-2005-0437 - directory traversal via loadplugin
     CAN-2005-0438 - information leak via debug
Files:
 2dc54b77fee571afaba6074465ee79fb 577 web optional awstats_6.3-1.dsc
 edb73007530a5800d53b9f1f90c88053 938794 web optional awstats_6.3.orig.tar.gz
 daf739c6af548309a9724afaf2631a69 22093 web optional awstats_6.3-1.diff.gz
 bafc77369b5e40d31b4df2f6ab0920d4 725768 web optional awstats_6.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCFAagn7DbMsAkQLgRAhpOAJwKYtnURAoOq/P0xIttjMkPZLYQfACgocV7
R2oNSNdLPwJWHdDToQrCcJ8=
=ySLo
-----END PGP SIGNATURE-----