Package: awstats
Version: 6.4-1
Severity: grave
Tags: patch security

Hi!

awstats is vulnerable to a command injection flaw in crafted referer URLs. Details are at:

http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

This is CAN-2005-1527, please mention it in the changelog.

You can get the Ubuntu patch from

http://patches.ubuntu.com/patches/awstats.CAN-2005-1527.diff

The patch is not really minimal since it replaces _all_ eval calls with their equivalent, but faster and safer, counterparts (soft references). So if you prefer a minimal patch, this would be it:

--- awstats-6.4/wwwroot/cgi-bin/awstats.pl	2005-08-11 18:20:39.000000000 +0200
+++ awstats-6.4.new/wwwroot/cgi-bin/awstats.pl	2005-08-11 18:21:14.000000000 +0200
@@ -4838,8 +4856,10 @@
 # Call to plugins' function ShowInfoURL
 foreach my $pluginname (keys %{$PluginsLoaded{'ShowInfoURL'}}) {
-my $function="ShowInfoURL_$pluginname('$url')";
-eval("$function");
+# my $function="ShowInfoURL_$pluginname('$url')";
+# eval("$function");
+my $function="ShowInfoURL_$pluginname";
+&$function($url);
 }

-- 
Martin Pitt                        http://www.piware.de
Ubuntu Developer           http://www.ubuntu.com
Debian Developer           http://www.debian.org
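Review bot: the two `+#` lines that keep the old `my $function="ShowInfoURL_$pluginname('$url')";` and `eval("$function");` as comments should be deleted rather than shipped as dead code beside the new call; the diff itself is the record of what was replaced. The new `&$function($url);` passes `$url` as an ordinary argument instead of interpolating it into Perl source, which is what closes the injection, but a symbolic code reference dies under `use strict` unless `no strict 'refs'` is in scope for that call, so confirm whether awstats.pl runs this block with strict refs enabled. The cover text says the full Ubuntu patch replaces every eval call; this minimal hunk covers only the ShowInfoURL hook, so any other plugin hook that builds an eval string from request-derived data needs the same change.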
signature.asc
Description: Digital signature
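The dispatch change the patch makes, written out as an added stand-alone example (this is not awstats code and not part of the bug report). The plugin subs, the `%PluginsLoaded` hash contents and the referer string are constructed for illustration; `build_eval_string` only builds the string the old code would have compiled, it never evaluates it.

```perl
#!/usr/bin/perl
# Added example, not taken from awstats or the bug report. Shows why
# eval("ShowInfoURL_$pluginname('$url')") was unsafe and how the
# symbolic-reference call passes $url as data instead of code.
use strict;
use warnings;

# Two hypothetical plugins that hook ShowInfoURL (names constructed).
sub ShowInfoURL_hostinfo { my ($url) = @_; return "hostinfo:" . length($url); }
sub ShowInfoURL_geoip    { my ($url) = @_; return "geoip:$url"; }

# awstats fills this hash when plugins load; here it is populated by hand.
my %PluginsLoaded = ( 'ShowInfoURL' => { 'hostinfo' => 1, 'geoip' => 1 } );

# Old form (the '-' lines of the hunk): $url is spliced into Perl source text.
# A single quote in the referer ends the string literal, so the rest of the
# referer is parsed as code. Returned as a string only; never eval'ed here.
sub build_eval_string {
    my ($pluginname, $url) = @_;
    return "ShowInfoURL_$pluginname('$url')";
}

# New form (the '+' lines of the hunk): resolve the sub by name and call it
# with $url as a normal argument. Symbolic references need 'no strict refs'
# in scope, and only names with a defined sub are dispatched.
sub call_show_info_url {
    my ($url) = @_;
    my @results;
    foreach my $pluginname (sort keys %{ $PluginsLoaded{'ShowInfoURL'} }) {
        my $function = "ShowInfoURL_$pluginname";
        no strict 'refs';                    # lexically scoped to this block
        next unless defined &{$function};    # skip plugins with no such sub
        push @results, &{$function}($url);
    }
    return @results;
}

# Constructed referer containing an apostrophe, enough to break out of the
# quoted literal in the old eval string.
my $referer = "http://example.invalid/search?q=it's";

print "old eval string: ", build_eval_string('geoip', $referer), "\n";
print "new dispatch:    $_\n" for call_show_info_url($referer);
```

Running it prints the eval string with the literal terminated early by the apostrophe, followed by `hostinfo:35` and `geoip:http://example.invalid/search?q=it's`, the whole referer delivered to each plugin unchanged. The `defined &{$function}` check is an addition over the hunk: it keeps a stale entry in `%PluginsLoaded` from turning into a runtime error.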

