eldy / AWStats

AWStats Log Analyzer project (official sources)
https://www.awstats.org

Unknown security issue mentioned in 7.8 changelog #192

Closed Beuc closed 3 years ago

Beuc commented 3 years ago

Hi,

Looking at: https://www.awstats.org/docs/awstats_changelog.txt I see for 7.8 (second-to-last entry):

Fix another vulnerability reported by cPanel Security Team (can execute arbitraty code)

Is this a new vulnerability fixed in 7.8? Or is this a wrong copy/paste from 06c0ab29c1e5059d9e0279c6b64d573d619e1651 (of CVE-2017-1000501 / 7.7 )? Or is this a reference to #90 and its complementary fix?

Thanks for your work on awstats.

mchubby commented 3 years ago

It's probably CVE-2020-29600 / CVE-2020-35176 (config parameter) that are related to CVE-2017-1000501 that was deemed to be incomplete.

Beuc commented 3 years ago

I believe this is just a bad git-log import. I opened this issue to clarify, but it is now causing more confusion, so let's close this.