Name Status Last Modified Last Commit
lp:ubuntu/wily/awstats 1 Development 2015-07-27 13:56:07 UTC
25. * Imported Upstream version 7.4+dfsg ...

Author: Sergey B Kirpichev
Revision Date: 2015-07-27 13:56:07 UTC

* Imported Upstream version 7.4+dfsg
* Remove patches, applied by upstream
* Refresh patches
* Adopt debian/awstats.docs for new README name
* Update installation instructions (Closes: #756501)
* Use the upstream version in the path name for awgraphapplet.jar

lp:ubuntu/wily-proposed/awstats 1 Development 2015-07-27 13:56:07 UTC
25. * Imported Upstream version 7.4+dfsg ...

Author: Sergey B Kirpichev
Revision Date: 2015-07-27 13:56:07 UTC

* Imported Upstream version 7.4+dfsg
* Remove patches, applied by upstream
* Refresh patches
* Adopt debian/awstats.docs for new README name
* Update installation instructions (Closes: #756501)
* Use the upstream version in the path name for awgraphapplet.jar

lp:ubuntu/vivid/awstats 2 Mature 2014-10-26 07:57:08 UTC
23. * Repackage upstream sources with usc...

Author: Sergey B Kirpichev
Revision Date: 2013-11-16 14:57:22 UTC

* Repackage upstream sources with uscan
* Adopt README.source for new release
* Imported Upstream version 7.2+dfsg
* Refresh patches
* Upgrade licences (upstream and debian/) to GPL v3+.
* Fix lintian error: vcs-field-not-canonical

lp:ubuntu/utopic/awstats 2 Mature 2014-04-24 06:02:16 UTC
23. * Repackage upstream sources with usc...

Author: Sergey B Kirpichev
Revision Date: 2013-11-16 14:57:22 UTC

* Repackage upstream sources with uscan
* Adopt README.source for new release
* Imported Upstream version 7.2+dfsg
* Refresh patches
* Upgrade licences (upstream and debian/) to GPL v3+.
* Fix lintian error: vcs-field-not-canonical

lp:ubuntu/trusty-proposed/awstats 2 Mature 2013-11-16 14:57:22 UTC
23. * Repackage upstream sources with usc...

Author: Sergey B Kirpichev
Revision Date: 2013-11-16 14:57:22 UTC

* Repackage upstream sources with uscan
* Adopt README.source for new release
* Imported Upstream version 7.2+dfsg
* Refresh patches
* Upgrade licences (upstream and debian/) to GPL v3+.
* Fix lintian error: vcs-field-not-canonical

lp:ubuntu/trusty/awstats 1 Development 2013-11-16 14:57:22 UTC
23. * Repackage upstream sources with usc...

Author: Sergey B Kirpichev
Revision Date: 2013-11-16 14:57:22 UTC

* Repackage upstream sources with uscan
* Adopt README.source for new release
* Imported Upstream version 7.2+dfsg
* Refresh patches
* Upgrade licences (upstream and debian/) to GPL v3+.
* Fix lintian error: vcs-field-not-canonical

lp:ubuntu/saucy-proposed/awstats 2 Mature 2013-05-05 06:03:34 UTC
21. New upstream release (Closes: #703596)

Author: Sergey B Kirpichev
Revision Date: 2013-03-29 01:06:00 UTC

New upstream release (Closes: #703596)

lp:ubuntu/saucy/awstats 1 Development 2013-04-28 01:42:34 UTC
21. New upstream release (Closes: #703596)

Author: Sergey B Kirpichev
Revision Date: 2013-03-29 01:06:00 UTC

New upstream release (Closes: #703596)

lp:ubuntu/raring-proposed/awstats 2 Mature 2013-02-25 16:23:44 UTC
20. * Ensure that backwards compatible Ja...

Author: Sergey B Kirpichev
Revision Date: 2013-02-22 19:33:53 UTC

* Ensure that backwards compatible Java bytecode is built (Closes:
  #687414)
* Add option to easily switch off awstats crontabs. Install symlink for
  awstats binary to /usr/bin. Closes: #641481.
* Drop deprecated DMUA flag
* Link missing mime-icons to notavailable.png (Closes: #690379)
* Fix lintian unused-license-paragraph-in-dep5-copyright (Add comment
  for Files: wwwroot/icon/mime/*)
* Fix lintian copyright-refers-to-symlink-license (GPL -> GPL-1+)
* Install manpage
* Imported Upstream version 7.1~dfsg
* Update patches for new release
* Fix executable bit on awstats.pl
* Bump up Standards-Version (to 3.9.4)
* Change license for wwwroot/icon/mime/* icons (Closes: #698921)
* Update watch file for 7.x
* Add debian/icons/firefox.png to include-binaries
* Update DEB_UPSTREAM_TARBALL* stuff in rules

lp:ubuntu/raring/awstats 1 Development 2013-02-22 19:33:53 UTC
22. * Ensure that backwards compatible Ja...

Author: Sergey B Kirpichev
Revision Date: 2013-02-22 19:33:53 UTC

* Ensure that backwards compatible Java bytecode is built (Closes:
  #687414)
* Add option to easily switch off awstats crontabs. Install symlink for
  awstats binary to /usr/bin. Closes: #641481.
* Drop deprecated DMUA flag
* Link missing mime-icons to notavailable.png (Closes: #690379)
* Fix lintian unused-license-paragraph-in-dep5-copyright (Add comment
  for Files: wwwroot/icon/mime/*)
* Fix lintian copyright-refers-to-symlink-license (GPL -> GPL-1+)
* Install manpage
* Imported Upstream version 7.1~dfsg
* Update patches for new release
* Fix executable bit on awstats.pl
* Bump up Standards-Version (to 3.9.4)
* Change license for wwwroot/icon/mime/* icons (Closes: #698921)
* Update watch file for 7.x
* Add debian/icons/firefox.png to include-binaries
* Update DEB_UPSTREAM_TARBALL* stuff in rules

lp:ubuntu/quantal/awstats bug 2 Mature 2012-09-12 19:11:19 UTC
21. d/build.xml: Explicitly set source/ta...

Author: James Page
Revision Date: 2012-09-12 14:55:39 UTC

d/build.xml: Explicitly set source/target == 1.5 to ensure backwards
compatible bytecode is built (LP: #1049674).

lp:ubuntu/precise/awstats 2 Mature 2011-12-28 15:33:22 UTC
17. * Add MAILTO=root to awstats.cron.d (...

Author: Sergey B Kirpichev
Revision Date: 2011-12-28 15:33:22 UTC

* Add MAILTO=root to awstats.cron.d (Closes: #652665, thanks to
  Dominique Brazziel)
* Add todo for #302210
* 1019_allow_frame_resize.patch: Allow resize of mainleft/right frames
  (Closes: #293218)

lp:ubuntu/oneiric/awstats 2 Mature 2011-04-28 14:04:05 UTC
14. [ Sergey B Kirpichev ] * Process the ...

Author: Sergey B Kirpichev
Revision Date: 2011-04-06 03:31:45 UTC

[ Sergey B Kirpichev ]
* Process the /etc/awstats/awstats.conf file in
  update.sh/buildstatic.sh only if it exists (Closes: #613524)
* Allow change $NBOFLASTUPDATELOOKUPTOSAVE via CGI/CLI arguments
  (Closes: #600225).

[ Jonas Smedegaard ]
* Remove myself as uploader. Thanks for all the fish.

[ Sergey B Kirpichev ]
* Drop Debian AWStats Team from Maintainer's

lp:ubuntu/maverick-proposed/awstats bug 2 Mature 2011-02-02 09:27:27 UTC
12. Fix bashism in buildstatic.sh (LP: #7...

Author: James Page
Revision Date: 2011-01-27 15:03:47 UTC

Fix bashism in buildstatic.sh (LP: #707365)

lp:~james-page/ubuntu/maverick/awstats/fix-707365 bug(Has a merge proposal) 1 Development 2011-01-27 15:09:28 UTC
12. Fix bashism in buildstatic.sh (LP: #7...

Author: James Page
Revision Date: 2011-01-27 15:05:27 UTC

Fix bashism in buildstatic.sh (LP: #707365)

lp:ubuntu/maverick-updates/awstats 2 Mature 2011-01-27 15:03:47 UTC
12. Fix bashism in buildstatic.sh (LP: #7...

Author: James Page
Revision Date: 2011-01-27 15:03:47 UTC

Fix bashism in buildstatic.sh (LP: #707365)

lp:ubuntu/lucid-updates/awstats 2 Mature 2011-01-24 15:07:42 UTC
13. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:05:56 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/karmic-updates/awstats 2 Mature 2011-01-24 15:07:29 UTC
13. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:08:05 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/maverick-security/awstats 2 Mature 2011-01-24 14:21:19 UTC
11. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:00:42 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/lucid-security/awstats 2 Mature 2011-01-24 14:21:06 UTC
13. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:05:56 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/karmic-security/awstats 2 Mature 2011-01-24 14:20:56 UTC
13. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:08:05 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/dapper-security/awstats 1 Development 2011-01-11 17:42:12 UTC
10. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:42:12 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/dapper-updates/awstats 1 Development 2011-01-11 17:42:12 UTC
10. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:42:12 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/hardy-security/awstats 1 Development 2011-01-11 17:39:15 UTC
15. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:39:15 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/hardy-updates/awstats 1 Development 2011-01-11 17:39:15 UTC
15. * SECURITY UPDATE: directory traversa...

Author: Marc Deslauriers
Revision Date: 2011-01-11 17:39:15 UTC

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

lp:ubuntu/natty/awstats 2 Mature 2010-12-24 00:05:07 UTC
12. [ Sergey B Kirpichev ] * Bump up Stan...

Author: Jonas Smedegaard
Revision Date: 2010-12-24 00:05:07 UTC

[ Sergey B Kirpichev ]
* Bump up Standards-Version to 3.9.1.
* Remove examples/staticpages.sh.
* Take security fixes from upstream CVS:
  - CVE-2010-4369: patch 0009 (closes directory traversal vulnerability via
    crafted LoadPlugin directory).
  - CVE-2010-4367 (and CVE-2010-4368): update patch 1002 (sanitize configdir,
    disable overwriting of configdir parameter in cgi mode).
  Closes: bug#606263.

[ Jonas Smedegaard ]
* Unfuzz patches.
* Ease building with git-buildpackage:
  + Add dpkg-source local-options.
  + Suppress .pc dir.

lp:ubuntu/maverick/awstats 2 Mature 2010-05-19 13:53:50 UTC
10. [ Sergey B Kirpichev ] * Show error m...

Author: Jonas Smedegaard
Revision Date: 2010-05-19 13:53:50 UTC

[ Sergey B Kirpichev ]
* Show error messages from cron jobs.
  Closes: bug#580672, thanks to Ken Neighbors.
* Add option to disable nightly generation of static html reports.
  Closes: bug#580692, thanks to Ken Neighbors.
* Option to use "nice" to lower the priority of cron scripts.
  Closes: bug#580693, thanks to Ken Neighbors.
* Set default language (en) for static reports generation
* Cosmetic improvements to cron scripts.
  Closes: bug#580704.
* Recognize method/protocol RTSP in uppercase.
  Closes: bug#350601, thanks to Lee Maguire.
* Report permissions problem while reading awstats.custom.conf.
  Closes: bug#572353, thanks to Ken Neighbors.

[ Jonas Smedegaard ]
* Reverse test logic when sourcing /etc/default/awstats to not fail if
  missing.
* Respect TMPDIR for temporary files (i.e. use mktemp --tmpdir).
* Update patches:
  + Drop (unapplied) patch 0011: applied upstream at some point in the
    past.
  + Unfuzz (unapplied) patch 0006.
  + Refresh patches 0006, 1015 and 1016 with compacting quilt options
    --no-index --no-timestamps -pab.

lp:ubuntu/lucid/awstats bug 1 Development 2010-01-11 05:54:24 UTC
12. debian/patches/fix-awstats-spelling.p...

Author: Chuck Short
Revision Date: 2009-09-11 13:57:57 UTC

debian/patches/fix-awstats-spelling.patch: Fix spelling errors.
Taken from upstream (LP: #358715)

lp:ubuntu/karmic/awstats bug 1 Development 2009-09-11 13:57:57 UTC
12. debian/patches/fix-awstats-spelling.p...

Author: Chuck Short
Revision Date: 2009-09-11 13:57:57 UTC

debian/patches/fix-awstats-spelling.patch: Fix spelling errors.
Taken from upstream (LP: #358715)

lp:ubuntu/jaunty-updates/awstats 1 Development 2009-08-13 20:34:05 UTC
9. Add 1011_geoipfree.patch: fix geoipfr...

Author: Kees Cook
Revision Date: 2009-05-09 13:10:26 UTC

Add 1011_geoipfree.patch: fix geoipfree warnings backported
from Debian (LP: #336554, debian bug 512373).

lp:ubuntu/jaunty-proposed/awstats bug 1 Development 2009-06-15 18:59:08 UTC
9. Add 1011_geoipfree.patch: fix geoipfr...

Author: Kees Cook
Revision Date: 2009-05-09 13:10:26 UTC

Add 1011_geoipfree.patch: fix geoipfree warnings backported
from Debian (LP: #336554, debian bug 512373).

lp:ubuntu/jaunty/awstats 1 Development 2009-06-15 18:57:46 UTC
8. * Non-maintainer upload by the Securi...

Author: Nico Golde
Revision Date: 2008-12-10 13:05:43 UTC

* Non-maintainer upload by the Security Team.
* Strip '"' characters during URL decoding, fixing a cross-site
  scripting attack (CVE-2008-3714; CVE-2008-5080; Closes: #495432).

lp:ubuntu/intrepid-updates/awstats 1 Development 2009-06-15 18:57:39 UTC
18. * SECURITY UPDATE: XSS via quotes in ...

Author: Kees Cook
Revision Date: 2008-12-03 11:16:02 UTC

* SECURITY UPDATE: XSS via quotes in the "config" parameter (CVE-2008-3714).
  - 1006_quote_xss.patch: upstream fixes, thanks to Florian Weimer.

lp:ubuntu/intrepid-security/awstats 1 Development 2009-06-15 18:57:32 UTC
18. * SECURITY UPDATE: XSS via quotes in ...

Author: Kees Cook
Revision Date: 2008-12-03 11:16:02 UTC

* SECURITY UPDATE: XSS via quotes in the "config" parameter (CVE-2008-3714).
  - 1006_quote_xss.patch: upstream fixes, thanks to Florian Weimer.

lp:ubuntu/intrepid/awstats 1 Development 2009-06-15 18:57:19 UTC
17. Add debian/patches/0001_awstats69beta...

Author: Andreas Henriksson
Revision Date: 2008-08-17 13:54:04 UTC

Add debian/patches/0001_awstats69beta_xss.patch,
upstream security fix from 6.9 beta to fix XSS.
(Closes: #495432, upstream bug 2001151)

lp:ubuntu/hardy/awstats 1 Development 2009-06-15 18:56:53 UTC
13. * New upstream release. Closes: bug#4...

Author: Jonas Smedegaard
Revision Date: 2007-08-27 17:52:52 UTC

* New upstream release. Closes: bug#436572, thanks to Daniel Baumann.
* Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control.
* Fix standards-version in debian/control.in.
* Update CDBS tweaks:
  + Replace auto-update.mk with overloading buildcore.mk.
  + Check copyright strings in pre-build target (not clean target) to
    fix race condition.
  + Add upstream-tarball.mk to implement get-orig-source target.
  + Fix applying buildinfo only once.
  + Add debian/README.cdbs-tweaks and advertise it in debian/rules.
* Declare (and merge duplicate) build-dependencies in debian/rules.
  Declare all as Build-Depends (not Build-depends-Indep).
* Semi-auto-update debian/control:
    DEB_BUILD_OPTIONS=cdbs-autoupdate fakeroot debian/rules pre-build
* Update debian/copyright:
  + Include both copyright and licensing info verbatim.
  + Update to include the year 2007.
  + Refer explicitly to GPLv2.

lp:ubuntu/gutsy-updates/awstats 1 Development 2009-06-15 18:56:49 UTC
13. * SECURITY UPDATE: XSS via quotes in ...

Author: Kees Cook
Revision Date: 2008-12-03 11:22:58 UTC

* SECURITY UPDATE: XSS via quotes in the "config" parameter (CVE-2008-3714).
  - 1006_quote_xss.patch: upstream fixes, thanks to Florian Weimer.

lp:ubuntu/gutsy-security/awstats 1 Development 2009-06-15 18:56:44 UTC
13. * SECURITY UPDATE: XSS via quotes in ...

Author: Kees Cook
Revision Date: 2008-12-03 11:22:58 UTC

* SECURITY UPDATE: XSS via quotes in the "config" parameter (CVE-2008-3714).
  - 1006_quote_xss.patch: upstream fixes, thanks to Florian Weimer.

lp:ubuntu/gutsy/awstats 1 Development 2009-06-15 18:56:36 UTC
12. New upstream release (Closes: #350987...

Author: Charles Fry
Revision Date: 2007-02-10 11:11:02 UTC

New upstream release (Closes: #350987, #335865)

lp:ubuntu/feisty/awstats 1 Development 2009-06-15 18:56:26 UTC
11. Add 'debian/patches/1005_logresolve-d...

Author: Kees Cook
Revision Date: 2007-02-06 14:06:59 UTC

Add 'debian/patches/1005_logresolve-dates.patch': correct log parsing,
fixed in upstream 6.6 (Closes LP#51902).

lp:ubuntu/edgy/awstats 1 Development 2009-06-15 18:56:17 UTC
8. * SECURITY UPDATE: Fix path exposure ...

Author: Kees Cook
Revision Date: 2006-10-06 14:29:13 UTC

* SECURITY UPDATE: Fix path exposure on error.
* Add 'debian/patches/1004_backport_6.6_xss-fixes.patch' to correct URL
  decoding and adjust error message reports. Backported from upstream.
* References
  CVE-2006-3682
  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

lp:ubuntu/dapper/awstats 1 Development 2009-06-15 18:55:42 UTC
6. * SECURITY UPDATE: Cross-site scripti...

Author: Martin Pitt
Revision Date: 2006-05-22 21:51:34 UTC

* SECURITY UPDATE: Cross-site scripting.
* debian/patches/1001_sanitize_more.patch:
  - Use the Sanitize function to filter out arbitrary HTML from 'diricons'
    parameter (analogous to CVE-2006-1945, which is already fixed in this
    version).
  - Sanitize MigrateStats parameter (XSS if statistics updates are enabled).
    [CVE-2006-2237]
  - Patch from upstream CVS, taken from Debian's 6.5-2 version.

lp:ubuntu/breezy-security/awstats 1 Development 2009-06-15 18:55:33 UTC
7. * SECURITY UPDATE: Fix XSS vulnerabil...

Author: Kees Cook
Revision Date: 2006-10-06 12:53:15 UTC

* SECURITY UPDATE: Fix XSS vulnerability and full path exposure.
* Add 'debian/patches/05_backport_6.6_xss-fixes.patch' to filter XSS and
  adjust error message reports. Backported from upstream changes.
* References
  CVE-2006-3681 CVE-2006-3682
  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

lp:ubuntu/breezy/awstats 1 Development 2009-06-15 18:55:27 UTC
4. * SECURITY UPDATE: Fix arbitrary comm...

Author: Martin Pitt
Revision Date: 2005-08-11 18:23:09 UTC

* SECURITY UPDATE: Fix arbitrary command injection.
* Add debian/patches/03_remove_eval.patch:
  - Replace all eval() calls for dynamically constructed function names with
    soft references. This fixes arbitrary command injection with specially
    crafted referer URLs which contain Perl code.
  - Patch taken from upstream CVS, and contained in 6.5 release.
* References:
  CAN-2005-1527
  http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

lp:ubuntu/hoary-security/awstats 1 Development 2009-06-15 18:55:21 UTC
7. * SECURITY UPDATE: Fix XSS vulnerabil...

Author: Kees Cook
Revision Date: 2006-10-05 10:25:12 UTC

* SECURITY UPDATE: Fix XSS vulnerability and full path exposure.
* Add 'debian/patches/05_backport_6.6_xss-fixes.patch' to filter XSS and
  adjust error message reports. Backported from upstream changes.
* References
  CVE-2006-3681 CVE-2006-3682
  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

lp:ubuntu/hoary/awstats 1 Development 2009-06-15 18:55:06 UTC
3. * New upstream release. Closes: bug#2...

Author: Jonas Smedegaard
Revision Date: 2005-02-05 17:13:48 UTC

* New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
  A. de Oliveira <naoliv@biolinux.df.ibilce.unesp.br>).
  + Includes upstream fix for security bug fixed in 6.2-1.1.
  + Includes upstream fix for most of security bug fixed in 6.2-1.1.
* Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
  Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, Ubuntu,
  Joey Hess <joeyh@debian.org>, Frank Lichtenheld <djpig@debian.org> and Steve
  Langasek <vorlon@debian.org>).
* Include patch for last parts of security bug fixed in 6.2-1.1:
  01_sanitize_more.patch.
* Patch (02) to include snapshot of recent development:
  + Fix security hole that allowed a user to read log file content
    even when plugin rawlog was not enabled.
  + Fix a possible use of AWStats for a DoS attack.
  + configdir option was broken on windows servers.
  + DebugMessages is by default set to 0 for security reasons.
  + Minor fixes.
* References:
  CAN-2005-0435 - read server logs via loadplugin and pluginmode
  CAN-2005-0436 - code injection via PluginMode
  CAN-2005-0437 - directory traversal via loadplugin
  CAN-2005-0438 - information leak via debug

lp:ubuntu/warty-security/awstats 1 Development 2009-06-15 18:54:57 UTC
3. * SECURITY UPDATE: fix more arbitrary...

Author: Martin Pitt
Revision Date: 2005-02-11 13:07:58 UTC

* SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
* wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
  "config", "logfile", "pluginmode", "loadplugin", and "noloadplugin"
  parameters (which are defined by the remote user) to prevent execution of
  arbitrary shell commands through shell metacharacters.
* References:
  similar to CAN-2005-0116
  http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf

lp:ubuntu/warty/awstats 1 Development 2009-06-15 18:54:50 UTC
2. Really fix bug#247265. Really closes:...

Author: Jonas Smedegaard
Revision Date: 2004-05-05 05:12:07 UTC

Really fix bug#247265. Really closes: Bug#247265 (thanks to Edward
J. Shornock <ed@crazeecanuck.homelinux.net>).

1 to 48 of 48 results