Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>: Bug#606263; Package awstats.
(Tue, 07 Dec 2010 21:45:08 GMT).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
(Tue, 07 Dec 2010 21:45:08 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Tue, 07 Dec 2010 22:40:59 +0100
Package: awstats
Severity: grave
Tags: security
Multiple security issues have been reported in awstats. The information
is a bit fishy and at least one issue is Windows-only. Please get in
contact with upstream and ask them for a more clear description of
the problem and isolated patches for the 6.95 version in Squeeze (at
this point in the release process an update to 7.0 is out of the
question):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4367
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages awstats depends on:
ii perl [libtime-hires-perl] 5.10.1-16 Larry Wall's Practical Extraction
Versions of packages awstats recommends:
pn libnet-xwhois-perl <none> (no description available)
Versions of packages awstats suggests:
pn apache | httpd <none> (no description available)
pn libgeo-ipfree-perl <none> (no description available)
ii libnet-dns-perl 0.66-2 Perform DNS queries from a Perl sc
ii libnet-ip-perl 1.25-2 Perl extension for manipulating IP
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>: Bug#606263; Package awstats.
(Tue, 14 Dec 2010 23:57:07 GMT).
Acknowledgement sent
to Sergey B Kirpichev <skirpichev@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
(Tue, 14 Dec 2010 23:57:07 GMT).
Added tag(s) pending.
Request was from Sergey B Kirpichev <skirpichev@gmail.com>
to control@bugs.debian.org.
(Tue, 14 Dec 2010 23:57:08 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>: Bug#606263; Package awstats.
(Thu, 23 Dec 2010 17:33:02 GMT).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
(Thu, 23 Dec 2010 17:33:02 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>: Bug#606263; Package awstats.
(Thu, 23 Dec 2010 23:03:07 GMT).
Acknowledgement sent
to 606263@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.
(Thu, 23 Dec 2010 23:03:07 GMT).
Subject: Bug#606263: fixed in awstats 6.9.5~dfsg-5
Date: Thu, 23 Dec 2010 23:32:08 +0000
Source: awstats
Source-Version: 6.9.5~dfsg-5
We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:
awstats_6.9.5~dfsg-5.debian.tar.gz
to main/a/awstats/awstats_6.9.5~dfsg-5.debian.tar.gz
awstats_6.9.5~dfsg-5.dsc
to main/a/awstats/awstats_6.9.5~dfsg-5.dsc
awstats_6.9.5~dfsg-5_all.deb
to main/a/awstats/awstats_6.9.5~dfsg-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 606263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated awstats package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 24 Dec 2010 00:05:07 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.9.5~dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 606263
Changes:
awstats (6.9.5~dfsg-5) unstable; urgency=high
.
[ Sergey B Kirpichev ]
* Bump up Standards-Version to 3.9.1.
* Remove examples/staticpages.sh.
* Take security fixes from upstream CVS:
- CVE-2010-4369: patch 0009 (closes directory traversal vulnerability via
crafted LoadPlugin directory).
- CVE-2010-4367 (and CVE-2010-4368): update patch 1002 (sanitize configdir,
disable overwriting of configdir parameter in cgi mode).
Closes: bug#606263.
.
[ Jonas Smedegaard ]
* Unfuzz patches.
* Ease building with git-buildpackage:
+ Add dpkg-source local-options.
+ Suppress .pc dir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 23 Jan 2011 07:33:18 GMT).