
Bug#1025410: marked as done (awstats: CVE-2022-46391: XSS due to printing response from Net::XWhois without proper checks)



Your message dated Sun, 04 Dec 2022 20:34:40 +0000
with message-id <E1p1vhA-003v5M-93@fasolo.debian.org>
and subject line Bug#1025410: fixed in awstats 7.8-3
has caused the Debian Bug report #1025410,
regarding awstats: CVE-2022-46391: XSS due to printing response from Net::XWhois without proper checks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1025410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025410
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: awstats
Version: 7.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eldy/AWStats/pull/226
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for awstats.

CVE-2022-46391[0]:
| AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to
| printing a response from Net::XWhois without proper checks.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46391
    https://www.cve.org/CVERecord?id=CVE-2022-46391
[1] https://github.com/eldy/AWStats/pull/226

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: awstats
Source-Version: 7.8-3
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1025410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Dec 2022 20:52:31 +0100
Source: awstats
Architecture: source
Version: 7.8-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1025410
Changes:
 awstats (7.8-3) unstable; urgency=medium
 .
   * QA upload.
 .
   [ Debian Janitor ]
   * Bump debhelper from old 12 to 13.
   * Avoid invoking dpkg-parsechangelog.
 .
   [ Salvatore Bonaccorso ]
   * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)
Checksums-Sha1: 
 fd1cb62ef07e8c0d449641ee85dfe6dadf7bb945 1989 awstats_7.8-3.dsc
 0bce1381e702ed768a7512be365e763b6ca86319 37740 awstats_7.8-3.debian.tar.xz
Checksums-Sha256: 
 6c4714b2fe86c072114bcd582586dc8b7089360c0d6a93d9eae7c779415d46f1 1989 awstats_7.8-3.dsc
 ebeeabfa6bca4834262751d9ff4794c5f93cb0f24aea1b851f6fed89f8c44017 37740 awstats_7.8-3.debian.tar.xz
Files: 
 bddd612233834eceb06e0db1ac21cb23 1989 web optional awstats_7.8-3.dsc
 e419440cea2cc21f9c0309cfee6d9560 37740 web optional awstats_7.8-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
