Version in base suite: 7.8-3+deb12u1 Base version: awstats_7.8-3+deb12u1 Target version: awstats_7.8-3+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/awstats/awstats_7.8-3+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/awstats/awstats_7.8-3+deb12u2.dsc changelog | 8 ++++++++ patches/CVE-2025-63261.patch | 21 +++++++++++++++++++++ patches/series | 1 + 3 files changed, 30 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpro9rk638/awstats_7.8-3+deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpro9rk638/awstats_7.8-3+deb12u2.dsc: no acceptable signature found
diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog
--- awstats-7.8/debian/changelog 2023-10-10 00:04:39.000000000 +0000
+++ awstats-7.8/debian/changelog 2026-04-04 17:47:59.000000000 +0000
@@ -1,3 +1,11 @@
+awstats (7.8-3+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2025-63261: Fix a command injection vulnerability caused by using
+ Perl's 2-argument open() function. (Closes: #1131878)
+
+ -- Sylvain Beucler Sat, 04 Apr 2026 19:47:59 +0200
+
 awstats (7.8-3+deb12u1) bookworm; urgency=medium
 * Non-maintainer upload.
diff -Nru awstats-7.8/debian/patches/CVE-2025-63261.patch awstats-7.8/debian/patches/CVE-2025-63261.patch
--- awstats-7.8/debian/patches/CVE-2025-63261.patch 1970-01-01 00:00:00.000000000 +0000
+++ awstats-7.8/debian/patches/CVE-2025-63261.patch 2026-04-04 09:25:04.000000000 +0000
@@ -0,0 +1,21 @@
+From: Chris Lamb
+Date: Wed, 25 Mar 2026 11:43:54 -0700
+Subject: CVE-2025-63261: Fix a command injection vulnerability caused by using Perl's 2-argument open() function.
+
+---
+ wwwroot/cgi-bin/awstats.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: awstats-7.8/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.8.orig/wwwroot/cgi-bin/awstats.pl
++++ awstats-7.8/wwwroot/cgi-bin/awstats.pl
+@@ -7572,7 +7572,7 @@ sub Read_DNS_Cache {
+ LoadCache_hashfiles( $filetoload, $hashtoload );
+ }
+ if ( !scalar keys %$hashtoload ) {
+- open( DNSFILE, "$filetoload" )
++ open( DNSFILE, "<", $filetoload )
+ or error("Couldn't open DNS Cache file \"$filetoload\": $!");
+
+ #binmode DNSFILE; # If we set binmode here, it seems that the load is broken on ActiveState 5.8
diff -Nru awstats-7.8/debian/patches/series awstats-7.8/debian/patches/series
--- awstats-7.8/debian/patches/series 2023-07-08 00:47:02.000000000 +0000
+++ awstats-7.8/debian/patches/series 2026-04-04 09:24:43.000000000 +0000
@@ -12,3 +12,4 @@
 2009_googlesearch.patch
 0013-Only-look-for-configuration-in-dedicated-awstats-dir.patch
 fix-cross-site-scripting.patch
+CVE-2025-63261.patch
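Review bot: The rewritten `open( DNSFILE, "<", $filetoload )` in the embedded awstats.pl hunk is correct but carries no hint of why the explicit mode matters, so a later cleanup could fold it back into the interpolated two-argument form; I would add above the call `# 3-arg open with explicit '<' mode: $filetoload must be taken as a plain filename, never parsed by open() as a mode or pipe spec (CVE-2025-63261)`. With the mode fixed, leading characters such as `|` or `>` in $filetoload are no longer interpreted by open() and the call simply fails through the existing error() message, which is the intended defensive effect. The patch touches a single call site; if awstats.pl has other `open( HANDLE, "$var" )` calls on paths that are not hard-coded they need the same treatment, which I cannot confirm from this hunk. The bareword package-global handle `DNSFILE` is left as is; moving to a lexical `my $dnsfh` would be a separate style change because the handle is read later in Read_DNS_Cache, whose body continues outside the hunk.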