drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Ausführen beliebiger Kommandos in awstats
Name: |
Ausführen beliebiger Kommandos in awstats |
|
ID: |
USN-285-1 |
|
Distribution: |
Ubuntu |
|
Plattformen: |
Ubuntu 5.04, Ubuntu 5.10 |
|
Datum: |
Di, 23. Mai 2006, 09:52 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2237 |
|
Applikationen: |
awstats |
|
Originalnachricht |
--===============1787591492== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="SkvwRMAIpAhPCcCJ" Content-Disposition: inline
--SkvwRMAIpAhPCcCJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
=========================================================== Ubuntu Security Notice USN-285-1 May 23, 2006 awstats vulnerability CVE-2006-2237 ===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
awstats
The problem can be corrected by upgrading the affected package to version 6.3-1ubuntu0.2 (for Ubuntu 5.04), or 6.4-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.
Details follow:
AWStats did not properly sanitize the 'migrate' CGI parameter. If the update of the stats via web front-end is allowed, a remote attacker could execute arbitrary commands on the server with the privileges of the AWStats server.
This does not affect AWStats installations which only build static pages.
Updated packages for Ubuntu 5.04:
Source archives:
awstats_6.3-1ubuntu0.2.diff.gz Size/MD5: 25306 1f013ca8aaad65d8f3ae148e194b3551 awstats_6.3-1ubuntu0.2.dsc Size/MD5: 595 46a103a327e1f1bad3876927c7e66198 awstats_6.3.orig.tar.gz Size/MD5: 938794 edb73007530a5800d53b9f1f90c88053
Architecture independent packages:
awstats_6.3-1ubuntu0.2_all.deb Size/MD5: 726430 728ee50f468a4cf3693a32b98c94b455
Updated packages for Ubuntu 5.10:
Source archives:
awstats_6.4-1ubuntu1.1.diff.gz Size/MD5: 18541 e186b842fbd2d4d97b65eacf7c9c1295 awstats_6.4-1ubuntu1.1.dsc Size/MD5: 595 c5784c2c1bfa002abbfa77d936bc2da5 awstats_6.4.orig.tar.gz Size/MD5: 918435 056e6fb0c7351b17fe5bbbe0aa1297b1
Architecture independent packages:
awstats_6.4-1ubuntu1.1_all.deb Size/MD5: 728490 60ca39a436e3a21a838560db5d8a5f3b
--SkvwRMAIpAhPCcCJ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEcrhmDecnbV4Fd/IRArEfAKD/FxV3pbdojT3O35ISbRigCp5OPwCg/KwA iIVTB7Svt6dBrKeh+eZvdEQ= =gDyg -----END PGP SIGNATURE-----
--SkvwRMAIpAhPCcCJ--
--===============1787591492== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline
-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
--===============1787591492==--
|
|
|
|