Hi,
Since awstats is currently unmaintained, can you request a new CVE for
this at https://cveform.mitre.org/ ?
This way it'll be properly monitored and taken care of in distros.
Cheers!
Sylvain
On Sun, 25 Feb 2018 21:33:34 +0100 Tomaž Šolc wrote:
Package: awstats
Version: 7.6+dfsg-2
Severity: normal
Dear Maintainer,
the patch for CVE-2017-1000501 seems to have been incomplete. Please see this
report upstream:
https://github.com/eldy/awstats/issues/90
awstats will parse arbitrary files passed in the "config" parameter if the
default /etc/awstats/awstats.conf is not present. The Debian package will install
awstats.conf, so a default install does not seem to be vulnerable. However, it
is possible to use awstats with separate configs for different sites without
the default awstats.conf (although README.Debian recommends leaving
awstats.conf in place).
I can confirm that the reported issue exists in awstats 7.6+dfsg-2 and
7.6+dfsg-1+deb9u1.
Steps to reproduce (on Stretch):
# apt-get install awstats
# rm /etc/awstats/awstats.conf
# cp /usr/share/doc/awstats/examples/apache.conf /etc/apache2/conf-available/awstats.conf
# a2enconf awstats
# systemctl reload apache2
Visit http://localhost/cgi-bin/awstats.pl?config=/etc/passwd
-- System Information:
Debian Release: 9.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages awstats depends on:
ii perl 5.24.1-3+deb9u2
Versions of packages awstats recommends:
ii libnet-xwhois-perl 0.90-4
Versions of packages awstats suggests:
ii apache2 [httpd] 2.4.25-3+deb9u3
pn libgeo-ipfree-perl
ii libnet-dns-perl 1.07-1
ii libnet-ip-perl 1.26-1
ii liburi-perl 1.71-1
-- Configuration Files:
/etc/awstats/awstats.conf [Errno 2] No such file or directory: '/etc/awstats/awstats.conf'
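As an added illustration of the check the report implies is missing (this is not awstats's or Debian's own code): the "config" parameter is mapped to a file inside a fixed config directory only after a conservative name filter and a path-containment check, and the same rule is run over constructed Apache access-log lines to flag requests whose value would have been rejected. The /etc/awstats directory and the awstats.<name>.conf naming are assumptions made for this example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed config directory (Debian's default location); an assumption for this example.
CONF_DIR = "/etc/awstats"

# Site names awstats looks up as awstats.<name>.conf. Only a conservative
# character set is allowed, so "/", NUL and similar never reach the filesystem.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

def resolve_config(name: str, conf_dir: str = CONF_DIR) -> Optional[str]:
    """Map a raw ?config= value to a config path, or None if it must be rejected."""
    if not SAFE_NAME.fullmatch(name) or ".." in name or name.startswith("."):
        return None
    base = os.path.realpath(conf_dir)
    candidate = os.path.realpath(os.path.join(base, f"awstats.{name}.conf"))
    # Containment check even after the character filter, so that a symlinked
    # conf_dir or an unexpected join result cannot point outside the directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

CONFIG_PARAM = re.compile(r"[?&]config=([^&\s\"]*)")

def suspicious_config_requests(access_log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (decoded config value, log line) pairs the validator would reject."""
    hits = []
    for line in access_log_lines:
        m = CONFIG_PARAM.search(line)
        if not m:
            continue
        value = unquote(m.group(1))  # decode %xx before applying the rule
        if resolve_config(value) is None:
            hits.append((value, line))
    return hits

# Constructed sample log lines (not real traffic); the second mirrors the report.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2018:21:33:34 +0100] "GET /cgi-bin/awstats.pl?config=www.example.org HTTP/1.1" 200 5120',
    '192.0.2.11 - - [25/Feb/2018:21:35:02 +0100] "GET /cgi-bin/awstats.pl?config=/etc/passwd HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for value, line in suspicious_config_requests(SAMPLE_LOG):
        print(f"rejected config value {value!r}: {line}")
```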