Changelog
awstats (7.6+dfsg-2+deb10u1) buster; urgency=medium
  * QA upload.
  * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute
    pathname, even though it was intended to only read a file in the
    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
    an incomplete fix for CVE-2017-1000501. Closes: #891469
  * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
    accepts a partial absolute pathname (omitting the initial /etc), even
    though it was intended to only read a file in the
    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
    an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
    Closes: #977190
 -- Håvard Flaget Aasen <email address hidden>  Tue, 02 Feb 2021 09:35:23 +0100