Date: Sat, 6 Jan 2018 12:25:09 -0600
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com, Hanno Böck
 <hanno@...eck.de>
Subject: Re: Path traversal flaws in awstats 7.6 and earlier.

On 1/6/18 3:33 AM, Hanno Böck wrote:
> On Wed, 27 Dec 2017 09:21:41 -0600
> John Lightsey <jd@...nel.net> wrote:
> 
>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
> 
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6
> On the github repo you linked the latest version is 7.5.
> 
> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.
> 

I'd agree with you there. Whenever we report security issues to upstream
developers, we have no control over the process they use to resolve the
issue.

In this case, the upstream author committed a partial fix to a public
repo soon after we reported the problem. In my view, whenever an
upstream author does this, you just consider the issue to be public
whether or not official releases or announcements have been made.

I'll pass your feedback along to the upstream author though.

