[USN-686-1] AWStats vulnerability
Date: Wed, 3 Dec 2008 16:16:57 -0800
From: Kees Cook <kees@ubuntu.com.>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-686-1] AWStats vulnerability
Message-ID: <20081204001657.GV25309@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="LTeJQqWS0MN7I/qa"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.63 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru
--LTeJQqWS0MN7I/qa
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-686-1 December 04, 2008
awstats vulnerability
CVE-2008-3714
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
awstats 6.5-1ubuntu1.3
Ubuntu 7.10:
awstats 6.6+dfsg-1ubuntu0.1
Ubuntu 8.04 LTS:
awstats 6.7.dfsg-1ubuntu0.1
Ubuntu 8.10:
awstats 6.7.dfsg-5ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Morgan Todd discovered that AWStats did not correctly strip quotes from
certain parameters, allowing for an XSS attack when running as a CGI.
If a user was tricked by a remote attacker into following a specially
crafted URL, the user's authentication information could be exposed for
the domain where AWStats was hosted.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3.diff.gz
Size/MD5: 20231 02f6d6768115e61ecf3cb347e20a4d6b
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3.dsc
Size/MD5: 823 0acdf09ceaa643749b1d42a48b01a753
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5.orig.tar.gz
Size/MD5: 1051780 aef00b2ff5c5413bd2a868299cabd69a
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3_all.deb
Size/MD5: 853248 3b839bfdfce5331f902838694df21039
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1.diff.gz
Size/MD5: 20242 b0b2a251637b40ba30f2916b45629f33
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1.dsc
Size/MD5: 915 ca6ded2a6d1fe2175d01d996b0e3f590
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg.orig.tar.gz
Size/MD5: 1073578 6887d3f49de4f50830c0940041200632
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1_all.deb
Size/MD5: 898120 cc9aa605fbe5455b2c0681ee4f3c7af1
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1.diff.gz
Size/MD5: 23385 ab783d7817033c0240920e0d4aa6637c
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1.dsc
Size/MD5: 1017 1e66b61f4a072905ab5039c9211fc7c8
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg.orig.tar.gz
Size/MD5: 1093568 98a5fad9c379ac4884d7af90db6e087b
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1_all.deb
Size/MD5: 907832 a7c108e27112aa3ef21df347302dce36
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1.diff.gz
Size/MD5: 28889 57d485dea3b40aadc924c81fa67666e4
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1.dsc
Size/MD5: 1530 c6dae34e2a0ac2d7036e45257e62f122
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg.orig.tar.gz
Size/MD5: 1093568 98a5fad9c379ac4884d7af90db6e087b
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1_all.deb
Size/MD5: 908744 ca2b119c43f0943d1763348e10a599c6
--LTeJQqWS0MN7I/qa
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net.>
iEYEARECAAYFAkk3IXgACgkQH/9LqRcGPm1eYQCfTwnOiM5ThYt+7ncmmgzkvJyk
8d4An1MQCpwf5EejNBnz/9IC8PZ0ZcEA
=MXD7
-----END PGP SIGNATURE-----
--LTeJQqWS0MN7I/qa--
