Bug#1025710: bullseye-pu: package awstats/7.8-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: awstats@packages.debian.org, carnil@debian.org
Control: affects -1 + src:awstats
Hi Stable release managers,
awstats is prone to an XSS vulnerability, but it does not warrant a
DSA. Following the QA upload to unstable (which should migrate in two
days), I would like to propose the change as well for stable and have
it included in the next point release.
CVE-2022-46391 is assigned to the issue (Cf. #1025410)
https://github.com/eldy/AWStats/pull/226
[ Impact ]
Issue remains open, but might be cherry-picked as well for future
upload via security or in the next point release.
[ Tests ]
None specific
[ Risks ]
It is a targeted fix for the reported XSS vulnerability.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* fix cross site scripting (CVE-2022-46391) (Closes: #1025410)
[ Other info ]
Nothing I'm aware of.
Regards,
Salvatore
diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog
--- awstats-7.8/debian/changelog 2021-02-02 08:56:57.000000000 +0100
+++ awstats-7.8/debian/changelog 2022-12-07 21:47:25.000000000 +0100
@@ -1,3 +1,10 @@
+awstats (7.8-2+deb11u1) bullseye; urgency=medium
+
+ * QA upload.
+ * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 07 Dec 2022 21:47:25 +0100
+
awstats (7.8-2) unstable; urgency=high
* QA upload.
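Review bot: the new changelog entry says only "fix cross site scripting" without saying where; since the debdiff below touches a single file, wwwroot/cgi-bin/plugins/hostinfo.pm, naming the affected plugin in the entry (e.g. "fix cross site scripting in hostinfo plugin (CVE-2022-46391)") lets stable users judge their exposure, which depends on whether that optional plugin is enabled, without reading the patch.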
diff -Nru awstats-7.8/debian/patches/fix-cross-site-scripting.patch awstats-7.8/debian/patches/fix-cross-site-scripting.patch
--- awstats-7.8/debian/patches/fix-cross-site-scripting.patch 1970-01-01 01:00:00.000000000 +0100
+++ awstats-7.8/debian/patches/fix-cross-site-scripting.patch 2022-12-07 21:47:25.000000000 +0100
@@ -0,0 +1,29 @@
+From: rekter0 <58881147+rekter0@users.noreply.github.com>
+Date: Mon, 7 Nov 2022 15:12:03 +0100
+Subject: fix cross site scripting
+Origin: https://github.com/eldy/AWStats/commit/38682330e1ec3f3af95f9436640358b2d9e4a965
+Bug: https://github.com/eldy/AWStats/pull/226
+Bug-Debian: https://bugs.debian.org/1025410
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-46391
+
+xss due to printing response from Net::XWhois without proper checks
+---
+ wwwroot/cgi-bin/plugins/hostinfo.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm
+index 95b2c20b7b91..1f0ac699459d 100644
+--- a/wwwroot/cgi-bin/plugins/hostinfo.pm
++++ b/wwwroot/cgi-bin/plugins/hostinfo.pm
+@@ -181,7 +181,7 @@ sub BuildFullHTMLOutput_hostinfo {
+
+ &tab_head("Full Whois Field",0,0,'whois');
+ if ($w && $w->response()) {
+- print "<tr><td class=\"aws\"><pre>".($w->response())."</pre></td></tr>\n";
++ print "<tr><td class=\"aws\"><pre>".CleanXSS($w->response())."</pre></td></tr>\n";
+ }
+ else {
+ print "<tr><td><br />The Whois command failed.<br />Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?<br /><br /></td></tr>\n";
+--
+2.38.1
+
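Review bot: the one-line fix at hostinfo.pm line 181 wraps `$w->response()` in CleanXSS, but the hunk adds no `use`/`require` and hostinfo.pm shows no definition of CleanXSS, so before accepting this for stable confirm that the function resolves in the package the plugin code runs in (it is presumably provided by the main awstats script, which this patch does not show) and that the plugin does not die at runtime with an undefined subroutine when a whois lookup succeeds. Second, the hunk does not show what CleanXSS does to its input: the whois text is printed verbatim inside `<pre>...</pre>`, so it must entity-encode `<`, `>` and `&` for this to be a complete fix; if it only strips a blacklist of tags, markup that slips past the filter is still rendered by the browser, and HTML-escaping the response on this output path (e.g. `encode_entities` from HTML::Entities) would be the more robust change.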
diff -Nru awstats-7.8/debian/patches/series awstats-7.8/debian/patches/series
--- awstats-7.8/debian/patches/series 2021-02-02 08:56:57.000000000 +0100
+++ awstats-7.8/debian/patches/series 2022-12-07 21:47:25.000000000 +0100
@@ -11,3 +11,4 @@
2008_twitter.patch
2009_googlesearch.patch
0013-Only-look-for-configuration-in-dedicated-awstats-dir.patch
+fix-cross-site-scripting.patch
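Review bot: the existing entries in series carry a numeric prefix (2008_, 2009_, 0013-) while the new fix-cross-site-scripting.patch has none; for consistency with the packaging convention already in use, consider naming it 0014-fix-cross-site-scripting.patch (the file header in the debdiff would then need to match). Appending it as the last entry is otherwise fine.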