Your message dated Wed, 09 Nov 2005 22:17:08 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#322591: fixed in awstats 6.4-1sarge1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Aug 2005 16:45:52 +0000
From [EMAIL PROTECTED] Thu Aug 11 09:45:51 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail01.pironet-ndh.com (mail.pironet-ndh.com) [194.64.31.10] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E3GBj-00038Y-00; Thu, 11 Aug 2005 09:45:51 -0700
Received: from mail.fbn-dd.de (mail.fbn-dd.de [195.227.105.178])
        by mail.pironet-ndh.com (Postfix) with ESMTP id A5E5B55E3D2;
        Thu, 11 Aug 2005 18:45:19 +0200 (CEST)
Received: from sonne.intranet.fbn-dd.de 
(192-168-0-1.transfer-000.intranet.fbn-dd.de [192.168.0.1])
        by mail.fbn-dd.de (Postfix) with ESMTP
        id 101A734ED5; Thu, 11 Aug 2005 18:44:57 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by sonne.intranet.fbn-dd.de (Postfix) with ESMTP
        id 3D843203D9; Thu, 11 Aug 2005 18:44:56 +0200 (CEST)
Received: from sonne.intranet.fbn-dd.de (localhost [127.0.0.1])
        by localhost (AvMailGate-2.0.1.16) id 18002-2E0CA844;
        Thu, 11 Aug 2005 18:44:56 +0200
Received: from localhost.localdomain (10-28-130-200.intranet-28-130.fbn-dd.de 
[10.28.130.200])
        by sonne.intranet.fbn-dd.de (Postfix) with ESMTP
        id 1290D203D9; Thu, 11 Aug 2005 18:44:56 +0200 (CEST)
Received: by localhost.localdomain (Postfix, from userid 1000)
        id 0DF885B3A; Thu, 11 Aug 2005 18:44:56 +0200 (CEST)
Date: Thu, 11 Aug 2005 18:44:56 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian BTS Submit <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: awstats: [CAN-2005-1527] arbitrary command injection
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.16; AVE: 6.31.1.0; 
VDF: 6.31.1.97; host: sonne)
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02


--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: awstats
Version: 6.4-1
Severity: grave
Tags: patch security

Hi!

awstats is vulnerable to a command injection flaw in crafted referer
URLs. Details are at:

  http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

This is CAN-2005-1527, please mention it in the changelog.

You can get the Ubuntu patch from

  http://patches.ubuntu.com/patches/awstats.CAN-2005-1527.diff

The patch is not really minimal, though, since it replaces _all_ eval calls
with their equivalent but faster and safer counterparts (soft
references). So if you prefer a minimal patch, this would be it:

--- awstats-6.4/wwwroot/cgi-bin/awstats.pl      2005-08-11 18:20:39.000000000 
+0=
200
+++ awstats-6.4.new/wwwroot/cgi-bin/awstats.pl  2005-08-11 18:21:14.00000000=
0 +0200
@@ -4838,8 +4856,10 @@
=20
        # Call to plugins' function ShowInfoURL
        foreach my $pluginname (keys %{$PluginsLoaded{'ShowInfoURL'}})  {
-               my $function=3D"ShowInfoURL_$pluginname('$url')";
-               eval("$function");
+#              my $function=3D"ShowInfoURL_$pluginname('$url')";
+#              eval("$function");
+               my $function=3D"ShowInfoURL_$pluginname";
+               &$function($url);
        }
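Review bot: `&$function($url)` is a symbolic (soft) reference call and dies with "Can't use string ... as a subroutine ref" if `use strict 'refs'` is in effect at this point of awstats.pl; confirm that `no strict 'refs'` is in scope for this loop, or resolve the hook in a strict-clean way, e.g. `my $code = __PACKAGE__->can("ShowInfoURL_$pluginname") or next;` followed by `$code->($url);`, which also skips a plugin that does not define the hook instead of dying. The two commented-out lines that preserve the old `eval` form should be deleted rather than shipped as dead code; the history of the file already records the previous form. As the report itself says, this hunk changes only the ShowInfoURL call site, so any other `eval` of a string built from log-derived data is still exploitable with this minimal patch; the full Ubuntu patch referenced above, which replaces every such eval, is the safer choice.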

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

--2fHTh5uZTiUOsy+g
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC+4CIDecnbV4Fd/IRAg6SAKC1S5/PeccB5Ohtz9ibzZOQBvk4AwCfT1RQ
RUnNSEemMovd6/zBRAx2M+U=
=CAyZ
-----END PGP SIGNATURE-----

--2fHTh5uZTiUOsy+g--

---------------------------------------
Received: (at 322591-close) by bugs.debian.org; 10 Nov 2005 06:20:02 +0000
From [EMAIL PROTECTED] Wed Nov 09 22:20:00 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
        id 1Ea5kC-0003F5-6v; Wed, 09 Nov 2005 22:17:08 -0800
From: Jonas Smedegaard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#322591: fixed in awstats 6.4-1sarge1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 09 Nov 2005 22:17:08 -0800
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: awstats
Source-Version: 6.4-1sarge1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.4-1sarge1.diff.gz
  to pool/main/a/awstats/awstats_6.4-1sarge1.diff.gz
awstats_6.4-1sarge1.dsc
  to pool/main/a/awstats/awstats_6.4-1sarge1.dsc
awstats_6.4-1sarge1_all.deb
  to pool/main/a/awstats/awstats_6.4-1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  9 Nov 2005 17:23:56 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.4-1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 322591
Changes: 
 awstats (6.4-1sarge1) stable-security; urgency=high
 .
   [ Charles Fry ]
   * SECURITY UPDATE: Fix arbitrary command injection. (Closes: #322591)
     Thanks to Martin Pitt for reporting the issue and providing the
     patch.
   * Add debian/patches/03_remove_eval.patch:
     - Replace all eval() calls for dynamically constructed function
       names with soft references. This fixes arbitrary command injection
       with specially crafted referer URLs which contain Perl code.
     - Patch taken from upstream CVS, and contained in 6.5 release.
   * References:
     CAN-2005-1527
     http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
 .
   [ Jonas Smedegaard ]
   * Adjust distribution.
Files: 
 82449cbf170952a0e5d31648c7943656 589 web optional awstats_6.4-1sarge1.dsc
 056e6fb0c7351b17fe5bbbe0aa1297b1 918435 web optional awstats_6.4.orig.tar.gz
 c4efeefcab00fdda3c53e74e32cc0aab 18257 web optional awstats_6.4-1sarge1.diff.gz
 ed12fcb3a2a00b4f440dc9091a2ca78d 728430 web optional 
awstats_6.4-1sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDciqvn7DbMsAkQLgRAs+QAJ0bbvOWdtFJoAU7MH16VzgUBjhQ/QCfYUMv
Yj8+aH2NkNCiaXD3wLiT5H0=
=R9YJ
-----END PGP SIGNATURE-----
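
A worked illustration of the eval-versus-soft-reference point made both in Martin Pitt's report above and in the changelog entry ("Replace all eval() calls for dynamically constructed function names with soft references"), added here as an example; it is not awstats code and is not taken from either message. The plugin table, the `ShowInfoURL_demo` hook, the `$main::PWNED` marker and the referer string are constructed for the example; real awstats plugin names and log parsing are not modelled.

```perl
#!/usr/bin/perl
# Added illustration of the CAN-2005-1527 bug class; this is not awstats
# code. The plugin table, the hook sub and the referer value below are all
# constructed for the example.
use strict;
use warnings;

# Stand-in for a plugin's ShowInfoURL hook. In awstats the plugin *name*
# comes from the admin's config (LoadPlugin), so it is trusted; the URL
# comes from the log's referer field, so it is attacker-controlled.
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "info for $url";
}

my %PluginsLoaded = ( ShowInfoURL => { demo => 1 } );

# Vulnerable dispatch (the shape of the code before the patch): the referer
# is interpolated into the *source text* that eval() compiles, so a single
# quote in the referer ends the string literal and whatever follows runs
# as Perl.
sub show_info_vulnerable {
    my ($url) = @_;
    my @out;
    foreach my $pluginname (keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
        my $function = "ShowInfoURL_$pluginname('$url')";
        push @out, eval($function);
    }
    return @out;
}

# Patched dispatch (the shape of the minimal patch): the plugin name selects
# the sub through a symbolic reference and the URL is passed as an ordinary
# argument, so its contents are data, never code. The symbolic call needs
# no strict 'refs' in scope.
sub show_info_patched {
    my ($url) = @_;
    my @out;
    foreach my $pluginname (keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
        my $function = "ShowInfoURL_$pluginname";
        no strict 'refs';
        push @out, &$function($url);
    }
    return @out;
}

# Strict-clean variant of the same idea: resolve the hook to a code ref
# with can(), which needs no strict exemption and fails loudly when a
# plugin does not define the hook.
sub show_info_strict {
    my ($url) = @_;
    my @out;
    foreach my $pluginname (keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
        my $code = __PACKAGE__->can("ShowInfoURL_$pluginname")
            or die "plugin $pluginname has no ShowInfoURL hook\n";
        push @out, $code->($url);
    }
    return @out;
}

# Constructed referer: closes the quoted argument, runs a statement, then
# reopens a literal so the eval'd text still parses.
my $crafted = q{http://example.invalid/'); $main::PWNED = 'yes'; ('x};

$main::PWNED = 'no';
show_info_vulnerable($crafted);
print "eval dispatch:     PWNED=$main::PWNED\n";

$main::PWNED = 'no';
my @p = show_info_patched($crafted);
print "soft-ref dispatch: PWNED=$main::PWNED, result=$p[0]\n";

$main::PWNED = 'no';
my @s = show_info_strict($crafted);
print "can() dispatch:    PWNED=$main::PWNED, result=$s[0]\n";
```

Run it with `perl`: the first line reports that the marker was set, because the referer text was compiled and executed by `eval`; the other two dispatchers leave the marker alone and return a string that merely contains the injected text. The `can()` variant is what a reviewer would ask for under `use strict`, since `&$function(...)` on a plain string dies unless `no strict 'refs'` is in effect.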

