Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
aports
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Monitor
Service Desk
Analyze
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
alpine
aports
Commits
1eeaa108
Commit
1eeaa108
authored
1 year ago
by
alice
Browse files
Options
Downloads
Patches
Plain Diff
main/awstats: fix CVE-2022-46391
parent
10e6be13
No related branches found
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
main/awstats/APKBUILD
+11
-4
11 additions, 4 deletions
main/awstats/APKBUILD
main/awstats/CVE-2022-46391.patch
+23
-0
23 additions, 0 deletions
main/awstats/CVE-2022-46391.patch
with
34 additions
and
4 deletions
main/awstats/APKBUILD
+
11
−
4
View file @
1eeaa108
...
...
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname
=
awstats
pkgver
=
7.8
pkgrel
=
2
pkgrel
=
3
pkgdesc
=
"Free real-time logfile analyzer to get advanced statistics"
url
=
"https://awstats.sourceforge.net/"
arch
=
"noarch"
...
...
@@ -11,9 +11,13 @@ depends="perl perl-uri"
subpackages
=
"
$pkgname
-doc"
options
=
"!check"
# no testsuite
source
=
"https://prdownloads.sourceforge.net/awstats/awstats-
$pkgver
.tar.gz
CVE-2020-35176.patch"
CVE-2020-35176.patch
CVE-2022-46391.patch
"
# secfixes:
# 7.8-r3:
# - CVE-2022-46391
# 7.8-r1:
# - CVE-2020-35176
# 7.6-r2:
...
...
@@ -60,5 +64,8 @@ package() {
"
$pkgdir
"
/usr/lib/
$pkgname
/cgi-bin/plugins/example
}
sha512sums
=
"b532f74a8b420841b1ae7eea73fd341049925af01688a06114f53807c14c6a4edc4ca4f671b2b9c1aee8024ba25ccf69b6eae391250e5722d2fd719de4cf87e2 awstats-7.8.tar.gz
d012866662206ffba9f84af437824324bf402a49ecb67161833b3f9593ccd4327db4b465d305c3ca78e5b29917acd469760faac6f7678055d4de01621f689c63 CVE-2020-35176.patch"
sha512sums
=
"
b532f74a8b420841b1ae7eea73fd341049925af01688a06114f53807c14c6a4edc4ca4f671b2b9c1aee8024ba25ccf69b6eae391250e5722d2fd719de4cf87e2 awstats-7.8.tar.gz
d012866662206ffba9f84af437824324bf402a49ecb67161833b3f9593ccd4327db4b465d305c3ca78e5b29917acd469760faac6f7678055d4de01621f689c63 CVE-2020-35176.patch
3ccfd18e2d883a54dc70441852fe192294d105d975ca03afcead64caa44a32828489a29ccad922b7757c465796ca233761568f93da49bd7d726a2f35f2d543de CVE-2022-46391.patch
"
This diff is collapsed.
Click to expand it.
main/awstats/CVE-2022-46391.patch
0 → 100644
+
23
−
0
View file @
1eeaa108
From 38682330e1ec3f3af95f9436640358b2d9e4a965 Mon Sep 17 00:00:00 2001
From: rekter0 <58881147+rekter0@users.noreply.github.com>
Date: Mon, 7 Nov 2022 15:12:03 +0100
Subject: [PATCH] fix cross site scripting
xss due to printing response from Net::XWhois without proper checks
---
wwwroot/cgi-bin/plugins/hostinfo.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm
index 95b2c20b7..1f0ac6994 100644
--- a/wwwroot/cgi-bin/plugins/hostinfo.pm
+++ b/wwwroot/cgi-bin/plugins/hostinfo.pm
@@ -181,7 +181,7 @@
sub BuildFullHTMLOutput_hostinfo {
&tab_head("Full Whois Field",0,0,'whois');
if ($w && $w->response()) {
- print "<tr><td class=\"aws\"><pre>".($w->response())."</pre></td></tr>\n";
+ print "<tr><td class=\"aws\"><pre>".CleanXSS($w->response())."</pre></td></tr>\n";
}
else {
print "<tr><td><br />The Whois command failed.<br />Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?<br /><br /></td></tr>\n";
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment