Your message dated Mon, 19 Sep 2005 14:47:19 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#322591: fixed in awstats 6.4-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Aug 2005 16:45:52 +0000
From [EMAIL PROTECTED] Thu Aug 11 09:45:51 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail01.pironet-ndh.com (mail.pironet-ndh.com) [194.64.31.10] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E3GBj-00038Y-00; Thu, 11 Aug 2005 09:45:51 -0700
Received: from mail.fbn-dd.de (mail.fbn-dd.de [195.227.105.178])
        by mail.pironet-ndh.com (Postfix) with ESMTP id A5E5B55E3D2;
        Thu, 11 Aug 2005 18:45:19 +0200 (CEST)
Received: from sonne.intranet.fbn-dd.de 
(192-168-0-1.transfer-000.intranet.fbn-dd.de [192.168.0.1])
        by mail.fbn-dd.de (Postfix) with ESMTP
        id 101A734ED5; Thu, 11 Aug 2005 18:44:57 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by sonne.intranet.fbn-dd.de (Postfix) with ESMTP
        id 3D843203D9; Thu, 11 Aug 2005 18:44:56 +0200 (CEST)
Received: from sonne.intranet.fbn-dd.de (localhost [127.0.0.1])
        by localhost (AvMailGate-2.0.1.16) id 18002-2E0CA844;
        Thu, 11 Aug 2005 18:44:56 +0200
Received: from localhost.localdomain (10-28-130-200.intranet-28-130.fbn-dd.de 
[10.28.130.200])
        by sonne.intranet.fbn-dd.de (Postfix) with ESMTP
        id 1290D203D9; Thu, 11 Aug 2005 18:44:56 +0200 (CEST)
Received: by localhost.localdomain (Postfix, from userid 1000)
        id 0DF885B3A; Thu, 11 Aug 2005 18:44:56 +0200 (CEST)
Date: Thu, 11 Aug 2005 18:44:56 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian BTS Submit <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: awstats: [CAN-2005-1527] arbitrary command injection
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.16; AVE: 6.31.1.0; 
VDF: 6.31.1.97; host: sonne)
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02


--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: awstats
Version: 6.4-1
Severity: grave
Tags: patch security

Hi!

awstats is vulnerable to a command injection flaw in crafted referer
URLs. Details are at:

  http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

This is CAN-2005-1527, please mention it in the changelog.

You can get the Ubuntu patch from

  http://patches.ubuntu.com/patches/awstats.CAN-2005-1527.diff

The patch is not really minimal, though, since it replaces _all_ eval calls
with their equivalent but faster and safer counterparts (soft
references). So if you prefer a minimal patch, this would be
it:

--- awstats-6.4/wwwroot/cgi-bin/awstats.pl      2005-08-11 18:20:39.000000000 +0200
+++ awstats-6.4.new/wwwroot/cgi-bin/awstats.pl  2005-08-11 18:21:14.000000000 +0200
@@ -4838,8 +4856,10 @@
=20
        # Call to plugins' function ShowInfoURL
        foreach my $pluginname (keys %{$PluginsLoaded{'ShowInfoURL'}})  {
-               my $function=3D"ShowInfoURL_$pluginname('$url')";
-               eval("$function");
+#              my $function=3D"ShowInfoURL_$pluginname('$url')";
+#              eval("$function");
+               my $function=3D"ShowInfoURL_$pluginname";
+               &$function($url);
        }
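Review bot: this hunk closes only the ShowInfoURL dispatch; the report itself says the full Ubuntu patch replaces all eval calls in awstats.pl, so any other `eval("...$var...")` site that interpolates log-derived data stays open with this minimal version, and that is worth stating in the changelog entry. The change in the hunk is sound: `&$function($url)` hands `$url` to the plugin as an argument, so a referer such as `'); system(...); ('` is never parsed as Perl, and `$pluginname` comes from the keys of `%PluginsLoaded`, not from the log. Two things to check before applying it: a symbolic call through a string in `$function` dies under `use strict 'refs'` unless the block carries `no strict 'refs'` (or resolves the sub with `main->can($function)` and skips when that returns undef); and the header says `@@ -4838,8 +4856,10 @@` while only 6 old and 8 new lines are shown, so the last two context lines were lost in the mail, and together with the quoted-printable `=3D` and `=20` residue on the `$function` and blank lines this text will not apply with `patch` as pasted. Style: delete the two commented-out `#` lines rather than leaving dead code next to the replacement.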

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

--2fHTh5uZTiUOsy+g
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC+4CIDecnbV4Fd/IRAg6SAKC1S5/PeccB5Ohtz9ibzZOQBvk4AwCfT1RQ
RUnNSEemMovd6/zBRAx2M+U=
=CAyZ
-----END PGP SIGNATURE-----

--2fHTh5uZTiUOsy+g--
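The interpolation bug and the soft-reference fix side by side, as an added example that is not part of the bug report or of awstats itself. `ShowInfoURL_demo`, the shape of `%PluginsLoaded` and the referer value are constructed for the demonstration; the vulnerable loop mirrors the two removed lines of the hunk and the fixed loop mirrors the two added ones. A benign counter stands in for the command an attacker would run.

```perl
#!/usr/bin/perl
# Added example (not awstats code): eval-string interpolation vs. a symbolic sub call.
use strict;
use warnings;

# Hypothetical plugin hook standing in for awstats' ShowInfoURL_<plugin> subs.
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "demo plugin saw: $url";
}

# Constructed plugin registry, shaped like the %PluginsLoaded lookup in the hunk.
my %PluginsLoaded = ( ShowInfoURL => { demo => 1 } );

# Constructed referer, as it would arrive from a web server log line. It closes
# the single-quoted argument, runs attacker-chosen code, then reopens a quote so
# the eval'd string still parses. $main::injected is the benign marker used in
# place of a real command.
our $injected = 0;
my $crafted_referer = q{http://example.org/'); $main::injected++; ('};

# Before the fix: $url is pasted into Perl source, so quotes inside it are syntax.
sub vulnerable_dispatch {
    my ($url) = @_;
    my @results;
    foreach my $pluginname (keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
        my $function = "ShowInfoURL_$pluginname('$url')";
        push @results, eval($function);
        warn "eval failed: $@" if $@;
    }
    return @results;
}

# After the fix: the sub is still named by a string, but $url is passed as a
# plain argument and is never parsed. The symbolic call needs 'no strict refs'.
sub fixed_dispatch {
    my ($url) = @_;
    my @results;
    foreach my $pluginname (keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
        my $function = "ShowInfoURL_$pluginname";
        no strict 'refs';
        push @results, &$function($url);
    }
    return @results;
}

# Same input through both paths; only the eval-based one lets the marker run.
$injected = 0;
my @vuln = vulnerable_dispatch($crafted_referer);
print "vulnerable path: marker ran $injected time(s), returned '$vuln[0]'\n";

$injected = 0;
my @safe = fixed_dispatch($crafted_referer);
print "fixed path:      marker ran $injected time(s), returned '$safe[0]'\n";
```

Run it with `perl` and compare the two counters: through `eval`, the referer's `'); ... ('` becomes three statements and the marker increments; through `&$function($url)` the same bytes reach the plugin as one opaque string and the marker stays at zero. `main->can("ShowInfoURL_$pluginname")` is the equivalent that also works under `strict refs` and returns undef for an unknown plugin instead of dying.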

---------------------------------------
Received: (at 322591-close) by bugs.debian.org; 19 Sep 2005 21:52:40 +0000
From [EMAIL PROTECTED] Mon Sep 19 14:52:40 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EHTTr-00042t-00; Mon, 19 Sep 2005 14:47:19 -0700
From: Jonas Smedegaard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#322591: fixed in awstats 6.4-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 19 Sep 2005 14:47:19 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3

Source: awstats
Source-Version: 6.4-2

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.4-2.diff.gz
  to pool/main/a/awstats/awstats_6.4-2.diff.gz
awstats_6.4-2.dsc
  to pool/main/a/awstats/awstats_6.4-2.dsc
awstats_6.4-2_all.deb
  to pool/main/a/awstats/awstats_6.4-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Sep 2005 22:41:16 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.4-2
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 313093 316126 322591
Changes: 
 awstats (6.4-2) unstable; urgency=low
 .
   [ Charles Fry ]
   * New co-maintainer.
   * Suggest libgeo-ipfree-perl. Closes: #316126 (thanks to Gunnar Wolf
     <[EMAIL PROTECTED]>).
   * Fixed README.Debian path to configure.pl. Closes: #313093 (thanks to
     Michael De Nil <[EMAIL PROTECTED]>).
 .
   [ Jonas Smedegaard ]
   * Acknowledge NMU. Closes: bug#322591.
   * Bump up watch version, and adjust the default command (we have moved
     to SubVerSion).
   * Add proto to URL in long description.
   * Use newer chown syntax in postinst (thanks to lintian).
Files: 
 2b7ad550a508b177bfb3a4bb0c327345 624 web optional awstats_6.4-2.dsc
 2195106eae8f3549ce11cfb5bd0f72c8 18310 web optional awstats_6.4-2.diff.gz
 c2b2d602f64ab55cb92a3a7c54ce1cd8 728460 web optional awstats_6.4-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDLyOhn7DbMsAkQLgRAixdAJ9S1MwOlOOTmKRrWr6YvQmQfB+ZhACePD19
8y2alwQ4pm2m6f0D4uyCJ6k=
=8kL4
-----END PGP SIGNATURE-----

