Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:awstats
Hi Stable release managers,

awstats is prone to an XSS vulnerability, but it does not warrant a DSA.
Following the QA upload to unstable (which should migrate in two days),
I would like to propose the change as well for stable and have it
included in the next point release. CVE-2022-46391 is assigned to the
issue (Cf. #1025410)

https://github.com/eldy/AWStats/pull/226

[ Impact ]
Issue remains open, but might be cherry-picked as well for future upload
via security or in the next point release.

[ Tests ]
None specific

[ Risks ]
It is a targeted fix for the reported XSS vulnerability.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)

[ Other info ]
Nothing I'm aware of.

Regards,
Salvatore
diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog --- awstats-7.8/debian/changelog 2021-02-02 08:56:57.000000000 +0100 +++ awstats-7.8/debian/changelog 2022-12-07 21:47:25.000000000 +0100 @@ -1,3 +1,10 @@ +awstats (7.8-2+deb11u1) bullseye; urgency=medium + + * QA upload. + * fix cross site scripting (CVE-2022-46391) (Closes: #1025410) + + -- Salvatore Bonaccorso <[email protected]> Wed, 07 Dec 2022 21:47:25 +0100 + awstats (7.8-2) unstable; urgency=high * QA upload. diff -Nru awstats-7.8/debian/patches/fix-cross-site-scripting.patch awstats-7.8/debian/patches/fix-cross-site-scripting.patch --- awstats-7.8/debian/patches/fix-cross-site-scripting.patch 1970-01-01 01:00:00.000000000 +0100 +++ awstats-7.8/debian/patches/fix-cross-site-scripting.patch 2022-12-07 21:47:25.000000000 +0100 
@@ -0,0 +1,29 @@ +From: rekter0 <[email protected]> +Date: Mon, 7 Nov 2022 15:12:03 +0100 +Subject: fix cross site scripting +Origin: https://github.com/eldy/AWStats/commit/38682330e1ec3f3af95f9436640358b2d9e4a965 +Bug: https://github.com/eldy/AWStats/pull/226 +Bug-Debian: https://bugs.debian.org/1025410 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-46391 + +xss due to printing response from Net::XWhois without proper checks +--- + wwwroot/cgi-bin/plugins/hostinfo.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm +index 95b2c20b7b91..1f0ac699459d 100644 +--- a/wwwroot/cgi-bin/plugins/hostinfo.pm ++++ b/wwwroot/cgi-bin/plugins/hostinfo.pm +@@ -181,7 +181,7 @@ sub BuildFullHTMLOutput_hostinfo { + + &tab_head("Full Whois Field",0,0,'whois'); + if ($w && $w->response()) { +- print "<tr><td class=\"aws\"><pre>".($w->response())."</pre></td></tr>\n"; ++ print "<tr><td class=\"aws\"><pre>".CleanXSS($w->response())."</pre></td></tr>\n"; + } + else { + print "<tr><td><br />The Whois command failed.<br />Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?<br /><br /></td></tr>\n"; +-- +2.38.1 + diff -Nru awstats-7.8/debian/patches/series awstats-7.8/debian/patches/series --- awstats-7.8/debian/patches/series 2021-02-02 08:56:57.000000000 +0100 +++ awstats-7.8/debian/patches/series 2022-12-07 21:47:25.000000000 +0100 @@ -11,3 +11,4 @@ 2008_twitter.patch 2009_googlesearch.patch 0013-Only-look-for-configuration-in-dedicated-awstats-dir.patch +fix-cross-site-scripting.patch
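Review bot: in the hostinfo.pm hunk the whois response is passed through CleanXSS() before being printed inside the <pre> cell, but the patch does not say whether CleanXSS HTML-encodes the text or only removes known-bad patterns; since the data comes verbatim from a remote whois server, entity-encoding `<`, `>`, `&` and quotes (for example with HTML::Entities::encode_entities) is the robust choice for this context, so please either confirm that CleanXSS encodes rather than filters, or switch the call to a plain encoder and state that in the patch description.

Review bot: the series hunk appends fix-cross-site-scripting.patch without the numeric prefix the neighbouring entries use (2008_twitter.patch, 2009_googlesearch.patch, 0013-Only-look-for-...); for consistency with the existing naming, consider 0014-fix-cross-site-scripting.patch, and adding the CVE id to the patch's Subject line would make it easier to find later.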

