Date: Tue, 10 Mar 2026 18:01:41 +0000
From: Vladimir Druzenko <vvd@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Cc: Vidar Karlsen <vidar@karlsen.tech>
Subject: git: 19a9bb7e1237 - 2026Q1 - www/awstats: Remove awdownloadcsv.pl (security vuln)
Message-ID: <69b05c85.1cf16.37b8d470@gitrepo.freebsd.org>
The branch 2026Q1 has been updated by vvd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=19a9bb7e1237aa253c1a9988ea1e0679a5d13e10

commit 19a9bb7e1237aa253c1a9988ea1e0679a5d13e10
Author: Vidar Karlsen <vidar@karlsen.tech>
AuthorDate: 2026-03-10 17:58:29 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-03-10 18:01:35 +0000

www/awstats: Remove awdownloadcsv.pl (security vuln)

Problem:
awdownloadcsv.pl is vulnerable to command injection and path traversal, ref [1] and [2]. The GitHub issue [1] mentions that it is deprecated, and the readme does not list this file among the files that are (supposed to be) part of the distribution.

Solution:
This commit prevents awdownloadcsv.pl from being installed, thus removing the vulnerability.

[1] https://github.com/eldy/AWStats/issues/276
[2] https://www.openwall.com/lists/oss-security/2026/03/08/8

While here, clean up sorting of IPV6_RUN_DEPENDS.

PR: 293698
MFH: 2026Q1

(cherry picked from commit b029f6c828cd6a9c29f50a1ecfb9fef90ca409c4)

--- www/awstats/Makefile | 7 ++++--- www/awstats/pkg-plist | 1 - 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/www/awstats/Makefile b/www/awstats/Makefile index e3d7f81a0ef4..309d88cf11ba 100644 --- a/www/awstats/Makefile +++ b/www/awstats/Makefile @@ -1,5 +1,6 @@ PORTNAME= awstats DISTVERSION= 8.0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= www MASTER_SITES= SF/${PORTNAME}/AWStats/${DISTVERSION} @@ -36,8 +37,8 @@ MODULES_DESC= Plugin support not present in Perl CORE DECODEUTFKEYS_RUN_DEPENDS= p5-URI>0:net/p5-URI GEOIPFREE_RUN_DEPENDS= p5-Geo-IPfree>=0:net/p5-Geo-IPfree HOSTINFO_RUN_DEPENDS= p5-Net-XWhois>=0:net/p5-Net-XWhois -IPV6_RUN_DEPENDS= p5-Net-IP>=0:net-mgmt/p5-Net-IP \ - p5-Net-DNS>=0:dns/p5-Net-DNS +IPV6_RUN_DEPENDS= p5-Net-DNS>=0:dns/p5-Net-DNS \ + p5-Net-IP>=0:net-mgmt/p5-Net-IP JSON_RUN_DEPENDS= p5-JSON-XS>=0:converters/p5-JSON-XS \ p5-Try-Tiny>=0:lang/p5-Try-Tiny
@@ -45,7 +46,7 @@ _DOCS= dolibarr httpd_conf nginx webmin _TOOLS= awstats_buildstaticpages.pl awstats_configure.pl \ awstats_exportlib.pl awstats_updateall.pl geoip_generator.pl \ logresolvemerge.pl maillogconvert.pl urlaliasbuilder.pl -_CGI_BIN= awdownloadcsv.pl awredir.pl awstats.model.conf awstats.pl +_CGI_BIN= awredir.pl awstats.model.conf awstats.pl _SHARE_DIRS= lang lib plugins _WWW_DIRS= css icon js diff --git a/www/awstats/pkg-plist b/www/awstats/pkg-plist index e72ebfb8ad99..ff61023083be 100644 --- a/www/awstats/pkg-plist +++ b/www/awstats/pkg-plist @@ -81,7 +81,6 @@ %%PORTDOCS%%%%DOCSDIR%%/webmin/.gitignore %%PORTDOCS%%%%DOCSDIR%%/webmin/README.md %%PORTDOCS%%%%DOCSDIR%%/webmin/awstats-2.0.wbm -%%WWWDIR%%/cgi-bin/awdownloadcsv.pl %%WWWDIR%%/cgi-bin/awredir.pl %%WWWDIR%%/cgi-bin/awstats.model.conf %%WWWDIR%%/cgi-bin/awstats.pl
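Review bot: In the Makefile hunk at line 36, the IPV6_RUN_DEPENDS reordering is a cosmetic change riding along with a security fix that is being merged to the 2026Q1 quarterly branch. Consider splitting the sort cleanup into its own commit so the cherry-pick carries only the PORTREVISION bump and the awdownloadcsv.pl removal, which keeps the security change minimal and easy to audit or revert.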
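Review bot: In the Makefile hunk at line 45, _CGI_BIN drops awdownloadcsv.pl with nothing in the Makefile recording why. DISTVERSION stays at 8.0, so the exclusion lives only in this list; a short comment above _CGI_BIN naming the command injection and path traversal issue (https://github.com/eldy/AWStats/issues/276) would keep a later port update from re-adding the script when the file list is regenerated.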
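Review bot: In the pkg-plist hunk at line 81, dropping %%WWWDIR%%/cgi-bin/awdownloadcsv.pl removes only the packaged copy on upgrade, and the diffstat shows no pkg-message or UPDATING change alongside it. Administrators who copied or linked the cgi-bin scripts into another web root get no prompt to delete the script there; consider adding a pkg-message upgrade note telling them to remove any remaining awdownloadcsv.pl.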
