Your message dated Sat, 16 May 2026 11:07:42 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1132728,
regarding bookworm-pu: package awstats/7.8-3+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132728: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132728
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:awstats
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Severity: normal

[ Reason ]

This fixes CVE-2025-63261: AWStats 8.0 is vulnerable to Command
Injection via the open function.

[ Impact ]

In some situations, mostly concerning web hosting panels, a malicious
user with write privileges to the local filesystem may run arbitrary
commands, possibly as a different awstats system user.

[ Tests ]

I manually installed awstats on bookworm and ensured stats were still correctly generated.

I installed and tested the same fix for trixie:
https://bugs.debian.org/1132727

The same fix was published to bullseye-lts and buster-elts last month;
no issues were reported (DLA-4509-1, ELA-1662-1).

I ran common Debian tests through debusine:
https://debusine.debian.net/debian/developers/work-request/555885/

[ Risks ]

The fix is trivial and is a textbook example of insecure old-style Perl
open, causing confusion between a filename with a trailing '|' and a
request to pipe input from arbitrary commands:
https://perldoc.perl.org/functions/open#Specifying-mode-and-filename-as-a-single-argument
https://perldoc.perl.org/functions/open#Whitespace-and-special-characters-in-the-filename-argument

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

Added CVE-2025-63261.patch with a one-liner fix.
diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog
--- awstats-7.8/debian/changelog	2023-10-10 02:04:39.000000000 +0200
+++ awstats-7.8/debian/changelog	2026-04-04 19:47:59.000000000 +0200
@@ -1,3 +1,11 @@
+awstats (7.8-3+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2025-63261: Fix a command injection vulnerability caused by using
+    Perl's 2-argument open() function. (Closes: #1131878)
+
+ -- Sylvain Beucler <[email protected]>  Sat, 04 Apr 2026 19:47:59 +0200
+
 awstats (7.8-3+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
diff -Nru awstats-7.8/debian/patches/CVE-2025-63261.patch awstats-7.8/debian/patches/CVE-2025-63261.patch
--- awstats-7.8/debian/patches/CVE-2025-63261.patch	1970-01-01 01:00:00.000000000 +0100
+++ awstats-7.8/debian/patches/CVE-2025-63261.patch	2026-04-04 11:25:04.000000000 +0200
@@ -0,0 +1,21 @@
+From: Chris Lamb <[email protected]>
+Date: Wed, 25 Mar 2026 11:43:54 -0700
+Subject: CVE-2025-63261: Fix a command injection vulnerability caused by using Perl's 2-argument open() function.
+
+---
+ wwwroot/cgi-bin/awstats.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: awstats-7.8/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.8.orig/wwwroot/cgi-bin/awstats.pl
++++ awstats-7.8/wwwroot/cgi-bin/awstats.pl
+@@ -7572,7 +7572,7 @@ sub Read_DNS_Cache {
+ 		LoadCache_hashfiles( $filetoload, $hashtoload );
+ 	}
+ 	if ( !scalar keys %$hashtoload ) {
+-		open( DNSFILE, "$filetoload" )
++		open( DNSFILE, "<", $filetoload )
+ 		  or error("Couldn't open DNS Cache file \"$filetoload\": $!");
+ 
+ #binmode DNSFILE;		# If we set binmode here, it seems that the load is broken on ActiveState 5.8
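Review bot: the DEP-3 header of the new patch (the `+From:`, `+Date:` and `+Subject:` lines) carries no `Origin:` or `Bug-Debian:` field, so a later reader cannot tell whether this is the upstream commit or a Debian-only backport; adding `Bug-Debian: https://bugs.debian.org/1131878` (the bug the changelog closes) and an `Origin:` line naming where the change came from would document that. The hunk itself is correct: `open( DNSFILE, "<", $filetoload )` pins the mode, so a leading `<`/`>` or trailing `|` in `$filetoload` can no longer turn the read into a write or a pipe. Since the subject attributes the CVE to 2-argument open() in general but only the `Read_DNS_Cache` call site is changed, it would help to state in the patch header or in [ Changes ] that the remaining open() calls in awstats.pl were reviewed and need no change.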
diff -Nru awstats-7.8/debian/patches/series awstats-7.8/debian/patches/series
--- awstats-7.8/debian/patches/series	2023-07-08 02:47:02.000000000 +0200
+++ awstats-7.8/debian/patches/series	2026-04-04 11:24:43.000000000 +0200
@@ -12,3 +12,4 @@
 2009_googlesearch.patch
 0013-Only-look-for-configuration-in-dedicated-awstats-dir.patch
 fix-cross-site-scripting.patch
+CVE-2025-63261.patch

--- End Message ---
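The mode/filename confusion described under [ Risks ] in the report above can be audited for mechanically; the scanner below is an added example, not code from the bug report or from awstats, and it assumes the parenthesised `open( ... )` form only (a heuristic scan, not a Perl parser). It classifies each call and flags the two-argument form whose file name is built at run time, the exact shape of the `Read_DNS_Cache` line the patch replaces; the sample input is constructed from those lines.

```python
"""Flag two-argument open() calls in Perl source, the pattern behind CVE-2025-63261 (heuristic scan of the parenthesised form only)."""
import re
# Constructed sample: the before/after open() of the awstats Read_DNS_Cache fix,
# plus a fixed-name two-arg open and a three-arg open with a lexical handle.
SAMPLE_PERL = r'''open( DNSFILE, "$filetoload" )
  or error("Couldn't open DNS Cache file \"$filetoload\": $!");
open( DNSFILE, "<", $filetoload ) or error("Couldn't open DNS Cache file: $!");
open( LOG, "/var/log/apache2/access.log" ) or die $!;
open( my $fh, "<", "/etc/hosts" ) or die $!;
'''
OPEN_RE = re.compile(r'\bopen\s*\(')

def _call_args(src, pos):
    """Top-level, comma-separated arguments of the call whose '(' sits at src[pos]."""
    args, cur, depth, quote, i = [], [], 1, None, pos + 1
    while i < len(src):
        c = src[i]
        if quote:                         # inside a string: commas and parens are data
            if c == '\\': cur.append(src[i:i + 2]); i += 2; continue
            if c == quote: quote = None
        elif c in '"\'': quote = c
        elif c in '([{': depth += 1
        elif c in ')]}':
            depth -= 1
            if depth == 0: break          # closing paren of the open() call itself
        elif c == ',' and depth == 1:
            args.append(''.join(cur).strip()); cur = []; i += 1; continue
        cur.append(c); i += 1
    if ''.join(cur).strip(): args.append(''.join(cur).strip())
    return args

def classify_open(args):
    """'three-arg' pins the mode; in a 'two-arg-dynamic' open a leading '<'/'>' or
    trailing '|' in the runtime name decides whether Perl reads, writes or pipes."""
    if len(args) >= 3: return 'three-arg'
    if len(args) != 2: return 'other'
    name = args[1]
    if name.startswith("'") or (name.startswith('"') and not re.search(r'[$@]', name)):
        return 'two-arg-literal'          # fixed string, fully author-controlled
    return 'two-arg-dynamic'

def audit(src):
    """Return (line, category, filename_expr) for each open( ... ) found in src."""
    out = []
    for m in OPEN_RE.finditer(src):
        args = _call_args(src, m.end() - 1)
        line = src.count('\n', 0, m.start()) + 1
        out.append((line, classify_open(args), args[1] if len(args) > 1 else ''))
    return out
```

Perl::Critic ships an equivalent check as its InputOutput::ProhibitTwoArgOpen policy, which is the tool to reach for on a real code base.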
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---