Date:      Tue, 10 Mar 2026 18:02:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 293698] www/awstats: Vulnerability in AWStats
Message-ID:  <bug-293698-7788-QiiqXaxnh7@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-293698-7788@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293698

--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch 2026Q1 references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=19a9bb7e1237aa253c1a9988ea1e0679a5d13e10

commit 19a9bb7e1237aa253c1a9988ea1e0679a5d13e10
Author:     Vidar Karlsen <vidar@karlsen.tech>
AuthorDate: 2026-03-10 17:58:29 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-03-10 18:01:35 +0000

    www/awstats: Remove awdownloadcsv.pl (security vuln)

    Problem:
    awdownloadcsv.pl is vulnerable to command injection and path traversal,
    ref [1] and [2].
    The GitHub issue [1] mentions that it is deprecated, and the readme does
    not list this file among the files that are (supposed to be) part of the
    distribution.

    Solution:
    This commit prevents awdownloadcsv.pl from being installed, thus removing the
    vulnerability.

    [1] https://github.com/eldy/AWStats/issues/276
    [2] https://www.openwall.com/lists/oss-security/2026/03/08/8

    While here, clean up sorting of IPV6_RUN_DEPENDS.

    PR:     293698
    MFH:    2026Q1
    (cherry picked from commit b029f6c828cd6a9c29f50a1ecfb9fef90ca409c4)

 www/awstats/Makefile  | 7 ++++---
 www/awstats/pkg-plist | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
