| Summary: | awstats new security issue CVE-2022-46391 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | awstats-7.8-2.mga8.src.rpm | CVE: | CVE-2022-46391 |
| Status comment: | |||
|
Description
David Walser
2022-12-06 17:46:08 CET
David Walser
2022-12-06 17:46:23 CET
Status comment:
(none) =>
Patch available from upstream and Debian No particular packager in view for this, so assigning the bug globally. Assignee:
bugsquad =>
pkg-bugs Suggested advisory: ======================== The updated package fixes a security vulnerability: AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. (CVE-2022-46391) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46391 https://www.debian.org/lts/security/2022/dla-3225 ======================== Updated package in core/updates_testing: ======================== awstats-7.8-2.1.mga8 from SRPM: awstats-7.8-2.1.mga8.src.rpm CC:
(none) =>
nicolas.salguero MGA8-64 MATE on Acer Aspire 5253 No installation issues. Looked at bugs 22275 and 7520, but as this doesnt't have a real site, I devised another way to get something into the logs. After installation (and httpd running) # /usr/share/awstats/www/awstats.pl -config=awstats.conf -update Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.8 (build 20200416) From data in log file "/var/log/httpd/access_log"... Phase 1 : First bypass old records, searching new record... Searching new records from beginning of log file... Jumped lines in file: 0 Parsed lines in file: 0 Found 0 dropped records, Found 0 comments, Found 0 blank records, Found 0 corrupted records, Found 0 old records, Found 0 new qualified records. Then started mysqld, started phpmyadmin, logged in, rummaged a bit around in the mysql configurations I have, logged out and then # /usr/share/awstats/www/awstats.pl -config=awstats.conf -update Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.8 (build 20200416) From data in log file "/var/log/httpd/access_log"... Phase 1 : First bypass old records, searching new record... Searching new records from beginning of log file... Phase 2 : Now process new records (Flush history on disk after 20000 hosts)... Jumped lines in file: 0 Parsed lines in file: 112 Found 0 dropped records, Found 0 comments, Found 0 blank records, Found 0 corrupted records, Found 0 old records, Found 112 new qualified records. I will not claim I fully understand all this, but there is some logic. OK for me. Whiteboard:
(none) =>
MGA8-64-OK I don't understand any of it, Herman, but it doesn't look to me like something that failed. Validating. Advisory in comment 2. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-12-13 02:34:58 CET
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0461.html Resolution:
(none) =>
FIXED |