Date: Sat, 6 Jan 2018 12:25:09 -0600
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>
Subject: Re: Path traversal flaws in awstats 7.6 and earlier.

On 1/6/18 3:33 AM, Hanno Böck wrote:
> On Wed, 27 Dec 2017 09:21:41 -0600
> John Lightsey <jd@...nel.net> wrote:
>
>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
>
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6.
> On the github repo you linked the latest version is 7.5.
>
> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.
>

I'd agree with you there. Whenever we report security issues to upstream
developers, we have no control over the process they use to resolve the
issue. In this case, the upstream author committed a partial fix to a
public repo soon after we reported the problem.

In my view, whenever an upstream author does this, you just consider the
issue to be public whether or not official releases or announcements have
been made.

I'll pass your feedback along to the upstream author though.