Bug 540404

Summary: Awstats: awredir.pl - require security key by default and enhance security of parameter sanitizing function
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
URL: http://awstats.sourceforge.net/docs/awstats_changelog.txt
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: bressers, gauret
Doc Type: Bug Fix
Last Closed: 2010-03-22 18:53:46 UTC

Description Jan Lieskovsky 2009-11-23 10:10:34 UTC
Advanced Web Statistics (awstats) upstream has released a new (6.95) version, addressing two security related issues. Quoting from the awstats Changelog:

- Fix security in awredir.pl script by adding a security key required by
  default.
- Enhance security of parameter sanitizing function.

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/11/22/1
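The two changelog items above name two mitigation classes: a redirector that refuses to act unless the request carries a server-issued key, and allowlist-based parameter sanitizing. The following is an added illustration of both, written for this page; it is not awstats' awredir.pl or its sanitizing function, the secret, function names and the HMAC-based key scheme are assumptions for the example, and the query strings are constructed inputs.

```python
"""Added example: a keyed redirector and an allowlist parameter sanitizer.

Not awstats code.  SECRET_KEY, redirect_key(), sanitize_param() and
handle_redirect() are invented for this illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed secret for the example.  A real deployment keeps this in
# server-side configuration; it must never be derivable from served pages,
# otherwise anyone can mint keys and the redirector is open again.
SECRET_KEY = b"example-secret-change-me"

# Only http(s) targets may be redirected to, even with a valid key.
ALLOWED_SCHEMES = ("http", "https")

# Allowlist for simple parameters (report names, config names, ...):
# letters, digits, underscore, dot and dash.  Everything else is dropped.
SIMPLE_PARAM_RE = re.compile(r"[^A-Za-z0-9_.-]")


def redirect_key(url: str) -> str:
    """Keyed MAC over the exact target URL.  The page that emits a redirect
    link computes this server-side and embeds it as key=...; a visitor who
    changes the url parameter invalidates the key."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def sanitize_param(value: str, max_len: int = 64) -> str:
    """Allowlist sanitizer: strip every character outside the allowlist,
    collapse runs of dots (so '..' traversal fragments cannot survive),
    drop leading/trailing dots and truncate."""
    cleaned = SIMPLE_PARAM_RE.sub("", value)
    cleaned = re.sub(r"\.{2,}", ".", cleaned).strip(".")
    return cleaned[:max_len]


def handle_redirect(query_string: str, require_key: bool = True):
    """Decide what a CGI redirector should do for a raw query string.
    Returns (status, detail): (302, target_url) or (4xx, reason).
    require_key=False reproduces the behaviour of an open redirector."""
    params = parse_qs(query_string, keep_blank_values=True)
    url = params.get("url", [""])[0]
    key = params.get("key", [""])[0]

    if not url:
        return 400, "missing url"

    # Scheme check runs even when a key is present: the key proves the
    # link was issued by us, not that the target is safe to follow.
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return 403, "scheme not allowed"

    if require_key:
        expected = redirect_key(url).encode("ascii")
        # compare_digest avoids leaking the expected key through timing.
        if not key or not hmac.compare_digest(key.encode("utf-8"), expected):
            return 403, "missing or invalid key"

    return 302, url


if __name__ == "__main__":
    target = "http://example.com/stats"
    # Without a key requirement any url is followed (open redirect).
    print(handle_redirect("url=" + target, require_key=False))
    # With the key required by default the same request is refused ...
    print(handle_redirect("url=" + target))
    # ... until the caller presents the key minted for that exact target.
    print(handle_redirect(f"url={target}&key={redirect_key(target)}"))
    print(sanitize_param("../../etc/passwd"))
```

Two points worth noting for anyone reviewing a similar fix: the key must bind the whole target (here by MACing the URL), otherwise an attacker reuses a key captured from a legitimate link with a different destination; and making the key mandatory by default matters because an opt-in check is exactly the one most deployments never turn on.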

Comment 1 Jan Lieskovsky 2009-11-23 10:13:10 UTC
These issues affect the versions of the awstats package as shipped
with Fedora releases 10, 11 and 12, and probably also as shipped
with the Extra Packages for Enterprise Linux 5 (EPEL-5) project.

Please upgrade to the new version.

Comment 2 Fedora Update System 2009-11-26 05:49:28 UTC
awstats-6.95-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/awstats-6.95-1.fc12

Comment 3 Fedora Update System 2009-12-01 04:23:55 UTC
awstats-6.95-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.