* SECURITY UPDATE: Arbitrary command execution as www-data. * Add debian/patches/1003_disable_configdir.patch: - Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env variable is set. This prevents users from putting a crafted config (with pipe in LogFile parameter) to e. g. /tmp and update the statistics through the browser. - Patch ported from Debian's 6.5-2. - CVE-2006-2644