- Committer: Bazaar Package Importer
- Author(s): Martin Pitt
- Date: 2006-06-07 16:49:39 UTC
- Revision ID: james.westby@ubuntu.com-20060607164939-o0wexud1hba3a2ay
Tags: 6.4-1ubuntu1.2
* SECURITY UPDATE: Arbitrary command execution as www-data.
* Add debian/patches/04_disable_configdir.patch:
  - Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
    variable is set. This prevents users from putting a crafted config (with
    pipe in LogFile parameter) to e.g. /tmp and updating the statistics
    through the browser.
  - Patch ported from Debian's 6.5-2.
  - CVE-2006-2644