From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 293698] www/awstats: Vulnerability in AWStats
Date: Tue, 10 Mar 2026 18:02:27 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: ports-bugs@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback+ merge-quarterly?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293698

--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch 2026Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=19a9bb7e1237aa253c1a9988ea1e0679a5d13e10

commit 19a9bb7e1237aa253c1a9988ea1e0679a5d13e10
Author:     Vidar Karlsen
AuthorDate: 2026-03-10 17:58:29 +0000
Commit:     Vladimir Druzenko
CommitDate: 2026-03-10 18:01:35 +0000

www/awstats: Remove awdownloadcsv.pl (security vuln)

Problem:
awdownloadcsv.pl is vulnerable to command injection and path
traversal, ref [1] and [2]. The GitHub issue [1] mentions that it is
deprecated, and the readme does not list this file among the files
that are (supposed to be) part of the distribution.

Solution:
This commit prevents awdownloadcsv.pl from being installed, thus
removing the vulnerability.

[1] https://github.com/eldy/AWStats/issues/276
[2] https://www.openwall.com/lists/oss-security/2026/03/08/8

While here, clean up sorting of IPV6_RUN_DEPENDS.

PR:  293698
MFH: 2026Q1

(cherry picked from commit b029f6c828cd6a9c29f50a1ecfb9fef90ca409c4)

 www/awstats/Makefile  | 7 ++++---
 www/awstats/pkg-plist | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)