Bug 31230 - awstats new security issue CVE-2022-46391
Summary: awstats new security issue CVE-2022-46391
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-06 17:46 CET by David Walser
Modified: 2022-12-13 23:11 CET (History)

See Also:
Source RPM: awstats-7.8-2.mga8.src.rpm
CVE: CVE-2022-46391
Status comment:



Description David Walser 2022-12-06 17:46:08 CET
Debian-LTS has issued an advisory on December 5:
https://www.debian.org/lts/security/2022/dla-3225

Mageia 8 is also affected.
David Walser 2022-12-06 17:46:23 CET

Status comment: (none) => Patch available from upstream and Debian
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-12-06 19:57:16 CET
No particular packager in view for this, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-12-07 10:09:02 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. (CVE-2022-46391)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46391
https://www.debian.org/lts/security/2022/dla-3225
========================

Updated package in core/updates_testing:
========================
awstats-7.8-2.1.mga8

from SRPM:
awstats-7.8-2.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Patch available from upstream and Debian => (none)
Version: Cauldron => 8
Source RPM: awstats-7.8-3.mga9.src.rpm => awstats-7.8-2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-46391
Assignee: pkg-bugs => qa-bugs
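
The advisory text above describes the bug class rather than the fix: output from a whois lookup is attacker-influenced (anyone who controls a whois record, or a resolver on the path, controls the bytes), and printing it into an HTML page without escaping is a cross-site scripting hole. The script below is an added illustration of that pattern and is not AWStats code, not the hostinfo plugin, and not the upstream patch; the whois response it uses is constructed inline in place of a real Net::XWhois call, and the escape_html helper is a hypothetical stand-in for whatever HTML encoding the real code uses.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): the XSS pattern behind CVE-2022-46391.
# A whois answer is untrusted text; echoing it into HTML unescaped lets
# whoever controls the record run script in the viewer's browser.
use strict;
use warnings;

# Constructed stand-in for what Net::XWhois->response() might return.
# No network lookup is performed; the <script> tag is the test payload.
my $whois_response = "inetnum: 203.0.113.0/24\n"
                   . "descr:   <script>alert(document.cookie)</script>\n"
                   . "remarks: a & b < c\n";

# Minimal HTML escaping of the characters that matter in text and
# attribute context. HTML::Entities' encode_entities() does the same job;
# this keeps the example dependency-free.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable pattern: untrusted bytes are interpolated straight into the page.
sub render_unsafe {
    my ($resp) = @_;
    return "<pre>$resp</pre>";
}

# Hardened pattern: escape first, then interpolate.
sub render_safe {
    my ($resp) = @_;
    return "<pre>" . escape_html($resp) . "</pre>";
}

print "UNSAFE:\n", render_unsafe($whois_response), "\n";
print "SAFE:\n",   render_safe($whois_response),   "\n";

# Sanity check a tester can keep: the hardened output must carry no raw tag.
die "escaping failed\n" if render_safe($whois_response) =~ /<script/i;
```

Run it with `perl` and compare the two outputs: the UNSAFE block contains a live `<script>` element, the SAFE block shows it as literal `&lt;script&gt;` text. The same check (grep the rendered hostinfo page for an unescaped tag from a whois record you control) is how one would verify the updated awstats package beyond the `-update` run, which exercises log parsing rather than the plugin's output path.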

Comment 3 Herman Viaene 2022-12-09 16:29:08 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Looked at bugs 22275 and 7520, but as this doesn't have a real site, I devised another way to get something into the logs.
After installation (and httpd running)
# /usr/share/awstats/www/awstats.pl -config=awstats.conf -update
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.8 (build 20200416)
From data in log file "/var/log/httpd/access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Jumped lines in file: 0
Parsed lines in file: 0
 Found 0 dropped records,
 Found 0 comments,
 Found 0 blank records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 0 new qualified records.
Then started mysqld, started phpmyadmin, logged in, rummaged a bit around in the mysql configurations I have, logged out and then
# /usr/share/awstats/www/awstats.pl -config=awstats.conf -update
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.8 (build 20200416)
From data in log file "/var/log/httpd/access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 112
 Found 0 dropped records,
 Found 0 comments,
 Found 0 blank records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 112 new qualified records.

I will not claim I fully understand all this, but there is some logic.
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-12-10 14:13:56 CET
I don't understand any of it, Herman, but it doesn't look to me like something that failed.

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-13 02:34:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-12-13 23:11:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0461.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

