Version in base suite: 7.9-1
Base version: awstats_7.9-1
Target version: awstats_7.9-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/awstats/awstats_7.9-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/a/awstats/awstats_7.9-1+deb13u1.dsc
changelog | 8 ++++++++
patches/CVE-2025-63261.patch | 21 +++++++++++++++++++++
patches/series | 1 +
3 files changed, 30 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppdn3xayt/awstats_7.9-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppdn3xayt/awstats_7.9-1+deb13u1.dsc: no acceptable signature found
diff -Nru awstats-7.9/debian/changelog awstats-7.9/debian/changelog
--- awstats-7.9/debian/changelog 2023-08-28 07:03:39.000000000 +0000
+++ awstats-7.9/debian/changelog 2026-04-04 14:48:04.000000000 +0000
@@ -1,3 +1,11 @@
+awstats (7.9-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2025-63261: Fix a command injection vulnerability caused by using
+ Perl's 2-argument open() function. (Closes: #1131878)
+
+ -- Sylvain Beucler Sat, 04 Apr 2026 16:48:04 +0200
+
 awstats (7.9-1) unstable; urgency=medium

 * New maintainer (Closes: #755797)
diff -Nru awstats-7.9/debian/patches/CVE-2025-63261.patch awstats-7.9/debian/patches/CVE-2025-63261.patch
--- awstats-7.9/debian/patches/CVE-2025-63261.patch 1970-01-01 00:00:00.000000000 +0000
+++ awstats-7.9/debian/patches/CVE-2025-63261.patch 2026-04-04 09:06:15.000000000 +0000
@@ -0,0 +1,21 @@
+From: Chris Lamb
+Date: Wed, 25 Mar 2026 11:43:54 -0700
+Subject: CVE-2025-63261: Fix a command injection vulnerability caused by using Perl's 2-argument open() function.
+
+---
+ wwwroot/cgi-bin/awstats.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: awstats-7.9/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.9.orig/wwwroot/cgi-bin/awstats.pl
++++ awstats-7.9/wwwroot/cgi-bin/awstats.pl
+@@ -7683,7 +7683,7 @@ sub Read_DNS_Cache {
+ LoadCache_hashfiles( $filetoload, $hashtoload );
+ }
+ if ( !scalar keys %$hashtoload ) {
+- open( DNSFILE, "$filetoload" )
++ open( DNSFILE, "<", $filetoload )
+ or error("Couldn't open DNS Cache file \"$filetoload\": $!");
+
+ #binmode DNSFILE; # If we set binmode here, it seems that the load is broken on ActiveState 5.8
diff -Nru awstats-7.9/debian/patches/series awstats-7.9/debian/patches/series
--- awstats-7.9/debian/patches/series 2023-08-28 06:40:12.000000000 +0000
+++ awstats-7.9/debian/patches/series 2026-04-04 09:05:33.000000000 +0000
@@ -10,3 +10,4 @@
 2007_googleplus.patch
 2008_twitter.patch
 2009_googlesearch.patch
+CVE-2025-63261.patch
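Review bot: The `LoadCache_hashfiles( $filetoload, $hashtoload )` call a few lines above the patched `open` in the awstats.pl hunk (carried in debian/patches/CVE-2025-63261.patch) receives the same `$filetoload` and is not touched by this patch, so it should be confirmed that it never hands that value to a two-argument open or to another call that interprets mode or pipe characters. The three-argument form also leaves the path itself unconstrained; where `$filetoload` is set is not visible here, so whether a path check is needed before the open cannot be judged from this hunk. I would add a comment above the call so the form is not reverted later: `# 3-arg open on purpose: never let $filetoload be parsed for mode or pipe characters (CVE-2025-63261)`. Read_DNS_Cache begins and ends outside the hunk.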