Viewing all changes in revision 7.
- Committer: Bazaar Package Importer
- Date: 2006-06-07 18:40:55 UTC
- Revision ID: james.westby@ubuntu.com-20060607184055-0bk57l947rasf3t5
* SECURITY UPDATE: Arbitrary command execution as www-data.
* Add debian/patches/1003_disable_configdir.patch:
- Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
variable is set. This prevents users from putting a crafted config (with
pipe in LogFile parameter) to e. g. /tmp and update the statistics
through the browser.
- Patch ported from Debian's 6.5-2.
- CVE-2006-2644
* Add debian/patches/1003_disable_configdir.patch:
- Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
variable is set. This prevents users from putting a crafted config (with
pipe in LogFile parameter) to e. g. /tmp and update the statistics
through the browser.
- Patch ported from Debian's 6.5-2.
- CVE-2006-2644
- files added:
- debian/patches/1003_disable_configdir.patch
- files modified:
- debian/changelog
expand all
collapse all
added
removed
