Update awstats to 7.9

radexspox · May 31, 2024, 4:57pm

Hello,

it is possible to update awstats to 7.9 which fixes #195/CVE-2020-35176

sahsanu · May 31, 2024, 5:37pm

Hestia uses the package included in Debian/Ubuntu and those vulnerabilities are fixed in 7.8.x

Example in Debian 12

awstats (7.8-2) unstable; urgency=high

  * QA upload.
  * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
    accepts a partial absolute pathname (omitting the initial /etc), even
    though it was intended to only read a file in the
    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
    an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
    Closes: #977190

 -- Håvard Flaget Aasen <[email protected]>  Tue, 02 Feb 2021 08:56:57 +0100

You can check it with this command:

apt changelog awstats

radexspox · May 31, 2024, 5:46pm

I see, but these are only bug fixes, no feature updates for new OS etc. AWStats is completly outdated and development is dead.

sahsanu · May 31, 2024, 6:16pm

Again, Hestia uses the package included in the OS, if the OS doesn’t update it, it won’t be updated.

radexspox · May 31, 2024, 6:17pm

Again, its still outdated even in the OS.

sahsanu · May 31, 2024, 6:22pm

I don’t know how to say it, if you want to use the last awstats version that is not included neither in latest Debian 12 nor Ubuntu 22.04, then you should remove the awstats package and install it on your own from other sources but keep in mind that you won’t get support from Hestia.

radexspox · May 31, 2024, 6:24pm

i think that my live will continue normally, even without hestia support

system · June 30, 2024, 6:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.