← Back to branch summary

~ubuntu-branches/ubuntu/dapper/awstats/dapper-updates

~ubuntu-branches/ubuntu/dapper/awstats/dapper-updates

« back to all changes in this revision

Viewing changes to debian/changelog

Committer: Bazaar Package Importer
Author(s): Martin Pitt
Date: 2006-06-07 18:40:55 UTC
Revision ID: james.westby@ubuntu.com-20060607184055-0bk57l947rasf3t5

Tags: 6.5-1ubuntu1.1

* SECURITY UPDATE: Arbitrary command execution as www-data.
* Add debian/patches/1003_disable_configdir.patch:
  - Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
    variable is set. This prevents users from putting a crafted config (with
    pipe in LogFile parameter) to e. g. /tmp and update the statistics
    through the browser.
  - Patch ported from Debian's 6.5-2.
  - CVE-2006-2644

files added:
debian/patches/1003_disable_configdir.patch

files modified:
debian/changelog

debian/patches/series

Show diffs side-by-side

added added

removed removed

debian/changelog

1

awstats (6.5-1ubuntu1.1) dapper-security; urgency=low

2

3

* SECURITY UPDATE: Arbitrary command execution as www-data.

4

* Add debian/patches/1003_disable_configdir.patch:

5

- Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env

6

variable is set. This prevents users from putting a crafted config (with

7

pipe in LogFile parameter) to e. g. /tmp and update the statistics

8

through the browser.

9

- Patch ported from Debian's 6.5-2.

10

- CVE-2006-2644

11

12

-- Martin Pitt <martin.pitt@ubuntu.com> Wed, 7 Jun 2006 18:40:55 +0200

13

1

14

awstats (6.5-1ubuntu1) dapper; urgency=low

2

15

3

16

* SECURITY UPDATE: Cross-site scripting.

Older »