About Ubuntu

=========================================================== Ubuntu Security Notice USN-360-1 October 10, 2006 awstats vulnerabilities CVE-2006-3681, CVE-2006-3682 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.04 Ubuntu 5.10 Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.04: awstats 6.3-1ubuntu0.4 Ubuntu 5.10: awstats 6.4-1ubuntu1.3 Ubuntu 6.06 LTS: awstats 6.5-1ubuntu1.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: awstats did not fully sanitize input, which was passed directly to the user's browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user's authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681) awstats could display its installation path under certain conditions. However, this might only become a concern if awstats is installed into an user's home directory. (CVE-2006-3682)