
Bug#1025410: marked as done (awstats: CVE-2022-46391: XSS due to printing response from Net::XWhois without proper checks)



Your message dated Fri, 09 Dec 2022 19:52:56 +0000
with message-id <E1p3jQW-00DBLb-6d@fasolo.debian.org>
and subject line Bug#1025410: fixed in awstats 7.8-2+deb11u1
has caused the Debian Bug report #1025410,
regarding awstats: CVE-2022-46391: XSS due to printing response from Net::XWhois without proper checks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1025410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025410
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: awstats
Version: 7.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eldy/AWStats/pull/226
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for awstats.

CVE-2022-46391[0]:
| AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to
| printing a response from Net::XWhois without proper checks.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46391
    https://www.cve.org/CVERecord?id=CVE-2022-46391
[1] https://github.com/eldy/AWStats/pull/226

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: awstats
Source-Version: 7.8-2+deb11u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1025410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Dec 2022 21:47:25 +0100
Source: awstats
Architecture: source
Version: 7.8-2+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1025410
Changes:
 awstats (7.8-2+deb11u1) bullseye; urgency=medium
 .
   * QA upload.
   * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)
Checksums-Sha1: 
 ec5cddb2bd4c1011ad0baeeae4a8c90a5d6a5016 2021 awstats_7.8-2+deb11u1.dsc
 952c8ed48eb3ce28f6018bb0845e6f01a4bee8ab 37756 awstats_7.8-2+deb11u1.debian.tar.xz
Checksums-Sha256: 
 ca9da35899cdad77a22a7dce6964f84069f93f9dc3c50ddfd7b5ec0836c0553c 2021 awstats_7.8-2+deb11u1.dsc
 f62a8e1958191980f2422f63e3ccf7b0405a319ec164c1c04a3733c908b08edf 37756 awstats_7.8-2+deb11u1.debian.tar.xz
Files: 
 61a560a17332ba944cceb0f391fd8f54 2021 web optional awstats_7.8-2+deb11u1.dsc
 31b4f4d7781a5a25da22216afd2a2355 37756 web optional awstats_7.8-2+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
