Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 6 Jan 2018 12:25:09 -0600
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com, Hanno Böck
 <hanno@...eck.de>
Subject: Re: Path traversal flaws in awstats 7.6 and earlier.

On 1/6/18 3:33 AM, Hanno Böck wrote:
> On Wed, 27 Dec 2017 09:21:41 -0600
> John Lightsey <jd@...nel.net> wrote:
> 
>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
> 
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6
> On the github repo you linked the latest version is 7.5.
> 
> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.
> 

I'd agree with you there. Whenever we report security issues to upstream
developers, we have no control over the process they use to resolve the
issue.

In this case, the upstream author committed a partial fix to a public
repo soon after we reported the problem. In my view, whenever an
upstream author does this, you just consider the issue to be public
whether or not official releases or announcements have been made.

I'll pass your feedback along to the upstream author though.


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3982 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ