Viewing all changes in revision 6.
- Committer: Bazaar Package Importer
- Date: 2006-06-07 16:49:39 UTC
- Revision ID: james.westby@ubuntu.com-20060607164939-o0wexud1hba3a2ay
* SECURITY UPDATE: Arbitrary command execution as www-data.
* Add debian/patches/04_disable_configdir.patch:
- Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
variable is set. This prevents users from putting a crafted config (with
pipe in LogFile parameter) to e. g. /tmp and update the statistics
through the browser.
- Patch ported from Debian's 6.5-2.
- CVE-2006-2644
* Add debian/patches/04_disable_configdir.patch:
- Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
variable is set. This prevents users from putting a crafted config (with
pipe in LogFile parameter) to e. g. /tmp and update the statistics
through the browser.
- Patch ported from Debian's 6.5-2.
- CVE-2006-2644
- files added:
- debian/patches/04_disable_configdir.patch
- files modified:
- debian/changelog
expand all
collapse all
added
removed
