-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2506-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ December 23, 2020 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : awstats Version : 7.6+dfsg-1+deb9u2 CVE ID : CVE-2020-29600 CVE-2020-35176 Debian Bug : 891469 977190 It was discovered that Awstats, a web server log analyzer, was vulnerable to path traversal attacks. A remote unauthenticated attacker could leverage that to perform arbitrary code execution. The previous fix did not fully address the issue when the default /etc/awstats/awstats.conf is not present. For Debian 9 stretch, this problem has been fixed in version 7.6+dfsg-1+deb9u2. We recommend that you upgrade your awstats packages. For the detailed security status of awstats please refer to its security tracker page at: https://security-tracker.debian.org/tracker/awstats Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl/jXPMACgkQj/HLbo2J BZ8ffQf/S9j+l7tp4Fr1YLM5ay6+KnE4R990cqE4SeoWdlPFRE+LWsvEB99wjCcq Vu96Iirug69cgguN/nIxl+TiD4mp3Udv7uqFshyGl1N2vDV1c4/0U3B7rvYseboe TefuqBTNtzQGDZWDnddZx/1mM1INifNw06ZFjx2SNolgXvtsbt1vBaj/9lFVfYor DX3BatpUVe/+V9Idm4bOsObvyWFJzars2UeGaTrzVAI7JGP8RlrETGBh99CnPfmX zot9Tm45o+wuQUHIJ/uETVxoggjJ6pu1pmvYNQTVyLY/gYL2s0qZ0Xc8yFZ5t+nb fYf/Qdgv0MRnnS09PcUf9t9AXU7hUw== =lkgC -----END PGP SIGNATURE-----