To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc: Vidar Karlsen
From: Vladimir Druzenko
Subject: git: b029f6c828cd - main - www/awstats: Remove awdownloadcsv.pl (security vuln)
Date: Tue, 10 Mar 2026 18:00:46 +0000
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

The branch main has been updated by vvd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b029f6c828cd6a9c29f50a1ecfb9fef90ca409c4

commit b029f6c828cd6a9c29f50a1ecfb9fef90ca409c4
Author:     Vidar Karlsen
AuthorDate: 2026-03-10 17:58:29 +0000
Commit:     Vladimir Druzenko
CommitDate: 2026-03-10 18:00:19 +0000

    www/awstats: Remove awdownloadcsv.pl (security vuln)

    Problem:
    awdownloadcsv.pl is vulnerable to command injection and path traversal,
    ref [1] and [2]. The GitHub issue [1] mentions that it is deprecated,
    and the readme does not list this file among the files that are
    (supposed to be) part of the distribution.

    Solution:
    This commit prevents awdownloadcsv.pl from being installed, thus removing
    the vulnerability.

    [1] https://github.com/eldy/AWStats/issues/276
    [2] https://www.openwall.com/lists/oss-security/2026/03/08/8

    While here, clean up sorting of IPV6_RUN_DEPENDS.

    PR:     293698
    MFH:    2026Q1

--- www/awstats/Makefile | 7 ++++--- www/awstats/pkg-plist | 1 - 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/www/awstats/Makefile b/www/awstats/Makefile index e3d7f81a0ef4..309d88cf11ba 100644 --- a/www/awstats/Makefile +++ b/www/awstats/Makefile 
@@ -1,5 +1,6 @@ PORTNAME= awstats DISTVERSION= 8.0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= www MASTER_SITES= SF/${PORTNAME}/AWStats/${DISTVERSION} @@ -36,8 +37,8 @@ MODULES_DESC= Plugin support not present in Perl CORE DECODEUTFKEYS_RUN_DEPENDS= p5-URI>0:net/p5-URI GEOIPFREE_RUN_DEPENDS= p5-Geo-IPfree>=0:net/p5-Geo-IPfree HOSTINFO_RUN_DEPENDS= p5-Net-XWhois>=0:net/p5-Net-XWhois -IPV6_RUN_DEPENDS= p5-Net-IP>=0:net-mgmt/p5-Net-IP \ - p5-Net-DNS>=0:dns/p5-Net-DNS +IPV6_RUN_DEPENDS= p5-Net-DNS>=0:dns/p5-Net-DNS \ + p5-Net-IP>=0:net-mgmt/p5-Net-IP JSON_RUN_DEPENDS= p5-JSON-XS>=0:converters/p5-JSON-XS \ p5-Try-Tiny>=0:lang/p5-Try-Tiny @@ -45,7 +46,7 @@ _DOCS= dolibarr httpd_conf nginx webmin _TOOLS= awstats_buildstaticpages.pl awstats_configure.pl \ awstats_exportlib.pl awstats_updateall.pl geoip_generator.pl \ logresolvemerge.pl maillogconvert.pl urlaliasbuilder.pl -_CGI_BIN= awdownloadcsv.pl awredir.pl awstats.model.conf awstats.pl +_CGI_BIN= awredir.pl awstats.model.conf awstats.pl _SHARE_DIRS= lang lib plugins _WWW_DIRS= css icon js diff --git a/www/awstats/pkg-plist b/www/awstats/pkg-plist index e72ebfb8ad99..ff61023083be 100644 --- a/www/awstats/pkg-plist +++ b/www/awstats/pkg-plist @@ -81,7 +81,6 @@ %%PORTDOCS%%%%DOCSDIR%%/webmin/.gitignore %%PORTDOCS%%%%DOCSDIR%%/webmin/README.md %%PORTDOCS%%%%DOCSDIR%%/webmin/awstats-2.0.wbm -%%WWWDIR%%/cgi-bin/awdownloadcsv.pl %%WWWDIR%%/cgi-bin/awredir.pl %%WWWDIR%%/cgi-bin/awstats.model.conf %%WWWDIR%%/cgi-bin/awstats.pl
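
Review bot: In the first Makefile hunk (`@@ -1,5 +1,6 @@`), `PORTREVISION= 1` forces a rebuild, but the diffstat covers only `www/awstats/Makefile` and `www/awstats/pkg-plist`, so nothing in this commit tells `pkg audit` that installations older than 8.0_1,1 still ship the vulnerable script. If that has not been handled in a separate commit, add a security/vuxml entry citing references [1] and [2] from the commit message so operators are prompted to upgrade.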
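
Review bot: The IPV6_RUN_DEPENDS reordering in the second Makefile hunk (`@@ -36,8 +37,8 @@`) is a cosmetic change riding in a security fix marked `MFH: 2026Q1`. Splitting it into its own commit would keep the quarterly merge limited to the lines that remove awdownloadcsv.pl and make the security change easier to audit.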
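
Review bot: The `_CGI_BIN=` line in the third Makefile hunk (`@@ -45,7 +46,7 @@`) drops `awdownloadcsv.pl` without leaving any trace in the Makefile of why a distributed file is deliberately not installed. A one-line comment above `_CGI_BIN` pointing at the upstream issue [1] would keep the script from being re-added in a later update; the matching removal of `%%WWWDIR%%/cgi-bin/awdownloadcsv.pl` from pkg-plist is consistent with it.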