MDVSA-2011:033

Package name

awstats

Date

2011-02-21

Advisory ID

MDVSA-2011:033

Affected versions

MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in awstats:

awstats.cgi in AWStats before 7.0 accepts a configdir parameter in
the URL, which allows remote attackers to execute arbitrary commands
via a crafted configuration file located on a (1) WebDAV server or
(2) NFS server (CVE-2010-4367).

Directory traversal vulnerability in AWStats before 7.0 allows remote
attackers to have an unspecified impact via a crafted LoadPlugin
directory (CVE-2010-4369).

The updated packages have been upgraded to the latest version to
address these vulnerabilities.

Updated packages

MES5 i586

 006f905c739b9fd43f45f78f87f92b7e  mes5/i586/awstats-7.0-0.1mdvmes5.1.noarch.rpm 
 cbf5e862976dd286496f051e003bc0d9  mes5/SRPMS/awstats-7.0-0.1mdvmes5.1.src.rpm

MES5 x86_64

 ac591360801eef3536167912e2a26b65  mes5/x86_64/awstats-7.0-0.1mdvmes5.1.noarch.rpm 
 cbf5e862976dd286496f051e003bc0d9  mes5/SRPMS/awstats-7.0-0.1mdvmes5.1.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4369
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4367