=========================================================== Ubuntu Security Notice USN-686-1 December 04, 2008 awstats vulnerability CVE-2008-3714 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: awstats 6.5-1ubuntu1.3 Ubuntu 7.10: awstats 6.6+dfsg-1ubuntu0.1 Ubuntu 8.04 LTS: awstats 6.7.dfsg-1ubuntu0.1 Ubuntu 8.10: awstats 6.7.dfsg-5ubuntu0.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Morgan Todd discovered that AWStats did not correctly strip quotes from certain parameters, allowing for an XSS attack when running as a CGI. If a user was tricked by a remote attacker into following a specially crafted URL, the user's authentication information could be exposed for the domain where AWStats was hosted. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3.diff.gz Size/MD5: 20231 02f6d6768115e61ecf3cb347e20a4d6b http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3.dsc Size/MD5: 823 0acdf09ceaa643749b1d42a48b01a753 http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5.orig.tar.gz Size/MD5: 1051780 aef00b2ff5c5413bd2a868299cabd69a Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.5-1ubuntu1.3_all.deb Size/MD5: 853248 3b839bfdfce5331f902838694df21039 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1.diff.gz Size/MD5: 20242 b0b2a251637b40ba30f2916b45629f33 http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1.dsc Size/MD5: 915 ca6ded2a6d1fe2175d01d996b0e3f590 http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg.orig.tar.gz Size/MD5: 1073578 6887d3f49de4f50830c0940041200632 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.6+dfsg-1ubuntu0.1_all.deb Size/MD5: 898120 cc9aa605fbe5455b2c0681ee4f3c7af1 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1.diff.gz Size/MD5: 23385 ab783d7817033c0240920e0d4aa6637c http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1.dsc Size/MD5: 1017 1e66b61f4a072905ab5039c9211fc7c8 http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg.orig.tar.gz Size/MD5: 1093568 98a5fad9c379ac4884d7af90db6e087b Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-1ubuntu0.1_all.deb Size/MD5: 907832 a7c108e27112aa3ef21df347302dce36 Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1.diff.gz Size/MD5: 28889 57d485dea3b40aadc924c81fa67666e4 http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1.dsc Size/MD5: 1530 c6dae34e2a0ac2d7036e45257e62f122 http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg.orig.tar.gz Size/MD5: 1093568 98a5fad9c379ac4884d7af90db6e087b Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.7.dfsg-5ubuntu0.1_all.deb Size/MD5: 908744 ca2b119c43f0943d1763348e10a599c6
Attachment:
signature.asc
Description: Digital signature