Bug 269051

Summary: www/awstats: update to 7.9
Product: Ports & Packages Reporter: Vidar Karlsen <vidar>
Component: Individual Port(s)Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED    
Severity: Affects Many People CC: chris, fernape, ports-secteam
Priority: --- Keywords: patch, security
Version: LatestFlags: fernape: merge-quarterly+
Hardware: Any   
OS: Any   
URL: https://awstats.sourceforge.io/docs/awstats_changelog.txt
Attachments:
Description Flags
git format-patch, update to 7.9 and clean up Makefile vidar: maintainer-approval+

Description Vidar Karlsen 2023-01-19 13:46:06 UTC 
Created attachment 239590 [details]
git format-patch, update to 7.9 and clean up Makefile

Changelog: https://awstats.sourceforge.io/docs/awstats_changelog.txt

Fixes CVE-2020-35176 path traversal flaw (score 5.3)

While here, re-order the Makefile to make portclippy happy.

QA:
- poudriere testport ok on 12.3-amd64, 12.3-i386, 13.1-amd64
- run-time tested ok on 13.1-amd64
- portlint ok
- portclippy ok
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2023-01-21 17:10:13 UTC 
Note to self: VuXml entry.
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-01-23 13:09:32 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dec81534f121a291602a9dfb106ce4ec23d0a261

commit dec81534f121a291602a9dfb106ce4ec23d0a261
Author:     Vidar Karlsen <vidar@karlsen.tech>
AuthorDate: 2023-01-21 17:06:39 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-23 13:04:36 +0000

    www/awstats: update to 7.9

    ChangeLog: https://awstats.sourceforge.io/docs/awstats_changelog.txt

     * Add Windows 11 and Android 13 operating systems
     * Update Hungarian translation and migrate it to UTF-8.
     * fix cross site scripting
     * Replace hard coded text with $Message ( Monthly, Daily, Hourly )
     * Android 11 + 12, MacOS 11 ( Big Sur ) + 12 ( Monterey )
     * Catch up german translations
     * Change the substitution that replaces newlines with BR elements so that
       the syntax works for both HTML and XHTML.
     * Added a few robots and 1 phone browser. Also corrected some errors in
       devlop robots.pm
     * Only look for configuration in dedicated awstats directories
     * Unwrap SRS e-mail addresses
     * Fixes #195/CVE-2020-35176
     * As geoip2_country doesn't have AddHTMLGraph_geoip2_country, it should
       only generate subpage for geoip2_city.
     * added support for HaikuOS and Safari based WebPositive browser
     * Adding missing td-tag opening
     * Tajik Language Support

    PR:             269051
    Reported by:    vidar@karlsen.tech (maintainer)
    MFH:            2023Q1 (security fixes)
    Security:       CVE-2020-35176

 www/awstats/Makefile  | 16 ++++++++--------
 www/awstats/distinfo  |  6 +++---
 www/awstats/pkg-plist |  8 ++++++++
 3 files changed, 19 insertions(+), 11 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-01-23 13:11:34 UTC 
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=abda034c4a91551abb334bbea839a81958f69d50

commit abda034c4a91551abb334bbea839a81958f69d50
Author:     Vidar Karlsen <vidar@karlsen.tech>
AuthorDate: 2023-01-21 17:06:39 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-23 13:07:14 +0000

    www/awstats: update to 7.9

    ChangeLog: https://awstats.sourceforge.io/docs/awstats_changelog.txt

     * Add Windows 11 and Android 13 operating systems
     * Update Hungarian translation and migrate it to UTF-8.
     * fix cross site scripting
     * Replace hard coded text with $Message ( Monthly, Daily, Hourly )
     * Android 11 + 12, MacOS 11 ( Big Sur ) + 12 ( Monterey )
     * Catch up german translations
     * Change the substitution that replaces newlines with BR elements so that
       the syntax works for both HTML and XHTML.
     * Added a few robots and 1 phone browser. Also corrected some errors in
       devlop robots.pm
     * Only look for configuration in dedicated awstats directories
     * Unwrap SRS e-mail addresses
     * Fixes #195/CVE-2020-35176
     * As geoip2_country doesn't have AddHTMLGraph_geoip2_country, it should
       only generate subpage for geoip2_city.
     * added support for HaikuOS and Safari based WebPositive browser
     * Adding missing td-tag opening
     * Tajik Language Support

    PR:             269051
    Reported by:    vidar@karlsen.tech (maintainer)
    MFH:            2023Q1 (security fixes)
    Security:       CVE-2020-35176

    (cherry picked from commit dec81534f121a291602a9dfb106ce4ec23d0a261)

 www/awstats/Makefile  | 16 ++++++++--------
 www/awstats/distinfo  |  6 +++---
 www/awstats/pkg-plist |  8 ++++++++
 3 files changed, 19 insertions(+), 11 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-01-23 13:13:36 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=41493dcf982d8df241837f7f38453130e8fc9121

commit 41493dcf982d8df241837f7f38453130e8fc9121
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-01-23 13:03:16 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-23 13:08:45 +0000

    security/vuxml: register www/awstats vulnerability

    PR:     269051

 security/vuxml/vuln/2023.xml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2023-01-23 13:13:43 UTC 
Committed and merged to 2023Q1,

Thanks!