Date: Sun, 7 Jan 2018 04:32:32 +0100
From: Stefan Pietsch <s.pietsch@...ecurity.de>
To: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>, John Lightsey <jd@...nel.net>
Subject: Re: Path traversal flaws in awstats 7.6 and earlier.

On 06.01.2018 10:33, Hanno Böck wrote:
>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
>
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6.
> On the GitHub repo you linked the latest version is 7.5.

The awstats GitHub page has version 7.6:
https://github.com/eldy/awstats/tags

> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.

Without a new awstats release, it becomes unnecessarily difficult to
track the fix in distributions.

The author has proven that he is not able to handle security issues
well when I contacted him last year.
(https://github.com/Dolibarr/dolibarr/issues/6504)

On the project's security page there is no update so far:
http://www.awstats.org/awstats_security_news.php

Regards,
Stefan