[USN-686-1] AWStats vulnerability

Kees Cook kees at ubuntu.com
Thu Dec 4 00:16:57 GMT 2008


===========================================================
Ubuntu Security Notice USN-686-1          December 04, 2008
awstats vulnerability
CVE-2008-3714
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  awstats                         6.5-1ubuntu1.3

Ubuntu 7.10:
  awstats                         6.6+dfsg-1ubuntu0.1

Ubuntu 8.04 LTS:
  awstats                         6.7.dfsg-1ubuntu0.1

Ubuntu 8.10:
  awstats                         6.7.dfsg-5ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Morgan Todd discovered that AWStats did not correctly strip quotes from
certain parameters, allowing for an XSS attack when running as a CGI.
If a user was tricked by a remote attacker into following a specially
crafted URL, the user's authentication information could be exposed for
the domain where AWStats was hosted.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3.diff.gz
      Size/MD5:    20231 02f6d6768115e61ecf3cb347e20a4d6b
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3.dsc
      Size/MD5:      823 0acdf09ceaa643749b1d42a48b01a753
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5.orig.tar.gz
      Size/MD5:  1051780 aef00b2ff5c5413bd2a868299cabd69a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3_all.deb
      Size/MD5:   853248 3b839bfdfce5331f902838694df21039

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1.diff.gz
      Size/MD5:    20242 b0b2a251637b40ba30f2916b45629f33
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1.dsc
      Size/MD5:      915 ca6ded2a6d1fe2175d01d996b0e3f590
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg.orig.tar.gz
      Size/MD5:  1073578 6887d3f49de4f50830c0940041200632

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1_all.deb
      Size/MD5:   898120 cc9aa605fbe5455b2c0681ee4f3c7af1

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1.diff.gz
      Size/MD5:    23385 ab783d7817033c0240920e0d4aa6637c
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1.dsc
      Size/MD5:     1017 1e66b61f4a072905ab5039c9211fc7c8
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg.orig.tar.gz
      Size/MD5:  1093568 98a5fad9c379ac4884d7af90db6e087b

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1_all.deb
      Size/MD5:   907832 a7c108e27112aa3ef21df347302dce36

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1.diff.gz
      Size/MD5:    28889 57d485dea3b40aadc924c81fa67666e4
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1.dsc
      Size/MD5:     1530 c6dae34e2a0ac2d7036e45257e62f122
    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg.orig.tar.gz
      Size/MD5:  1093568 98a5fad9c379ac4884d7af90db6e087b

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1_all.deb
      Size/MD5:   908744 ca2b119c43f0943d1763348e10a599c6

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 235 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20081203/13c10d12/attachment-0001.pgp 


More information about the ubuntu-security-announce mailing list