USN-290-1: awstats vulnerability
Posted on: 06/08/2006 05:52 PM

A new awstats vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-290-1 June 08, 2006
awstats vulnerability
CVE-2006-2644
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
awstats 6.3-1ubuntu0.3

Ubuntu 5.10:
awstats 6.4-1ubuntu1.2

Ubuntu 6.06 LTS:
awstats 6.5-1ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Hendrik Weimer discovered a privilege escalation vulnerability in
awstats. By supplying the 'configdir' CGI parameter and setting it to
an attacker-controlled directory (such as an FTP account, /tmp, or
similar), an attacker could execute arbitrary shell commands with the
privileges of the web server (user 'www-data').

This update disables the 'configdir' parameter by default. If all
local user accounts can be trusted, it can be reenabled by running
awstats with the AWSTATS_ENABLE_CONFIG_DIR environment variable set to
a nonempty value.


Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubun=
tu0.3.diff.gz
Size/MD5: 25786 f0aff903ca34176072985eb0cc291093
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubun=
tu0.3.dsc
Size/MD5: 595 52ec6fc22747b67732f48d60adc0c187
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3.orig.=
tar.gz
Size/MD5: 938794 edb73007530a5800d53b9f1f90c88053

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubun=
tu0.3_all.deb
Size/MD5: 726624 c774701a596cf7b61d06861dd8c8471e

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubun=
tu1.2.diff.gz
Size/MD5: 18999 1523e09757b7de3c075bb86067f33445
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubun=
tu1.2.dsc
Size/MD5: 595 1433006e2e47ad101e2344967ab8c491
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4.orig.=
tar.gz
Size/MD5: 918435 056e6fb0c7351b17fe5bbbe0aa1297b1

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubun=
tu1.2_all.deb
Size/MD5: 728650 694410e8ed001ad701a91594685f8b8b

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubun=
tu1.1.diff.gz
Size/MD5: 18857 7ff1194a74691e801a3b7fee24776e19
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubun=
tu1.1.dsc
Size/MD5: 779 af43c7c831376f72803478265e3044fc
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5.orig.=
tar.gz
Size/MD5: 1051780 aef00b2ff5c5413bd2a868299cabd69a

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubun=
tu1.1_all.deb
Size/MD5: 853150 42f6fa26513e4ef65c9c30e01ad4e9c9


--pE2VAHO2njSJCslu
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEiDUIDecnbV4Fd/IRAkZfAJ93sGRhaV32pH75v3NQ8vGageixXgCgseKH
rAaT2CUyNsvxlWKObnRQH14=
=Y2IW
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_290_1_awstats_vulnerability.html)