Get this repository:
git clone https://git.launchpad.net/ubuntu/+source/awstats
Members of Ubuntu Server Dev import team can upload to this repository.

Branches

Name Last Modified Last Commit
ubuntu/edgy 2006-10-09 15:03:55 UTC 2006-10-09
Import patches-unapplied version 6.5-2ubuntu1 to ubuntu/edgy

Author: Kees Cook
Author Date: 2006-10-06 21:29:13 UTC

Import patches-unapplied version 6.5-2ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: a25cbcee213a4cedbcbd7e46a689e94438ae64e8

New changelog entries:
  * SECURITY UPDATE: Fix path exposure on error.
  * Add 'debian/patches/1004_backport_6.6_xss-fixes.patch' to correct URL
    decoding and adjust error message reports. Backported from upstream.
  * References
    CVE-2006-3682
    http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

applied/ubuntu/edgy-devel 2006-10-09 15:03:55 UTC 2006-10-09
Import patches-applied version 6.5-2ubuntu1 to applied/ubuntu/edgy

Author: Kees Cook
Author Date: 2006-10-06 21:29:13 UTC

Import patches-applied version 6.5-2ubuntu1 to applied/ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: cdacf5b6b84a2ffd4f60a49e014b7216d9207698
Unapplied parent: c86bd4fb06c19f25b5b78740db312a2009e75089

New changelog entries:
  * SECURITY UPDATE: Fix path exposure on error.
  * Add 'debian/patches/1004_backport_6.6_xss-fixes.patch' to correct URL
    decoding and adjust error message reports. Backported from upstream.
  * References
    CVE-2006-3682
    http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

applied/ubuntu/edgy 2006-10-09 15:03:55 UTC 2006-10-09
Import patches-applied version 6.5-2ubuntu1 to applied/ubuntu/edgy

Author: Kees Cook
Author Date: 2006-10-06 21:29:13 UTC

Import patches-applied version 6.5-2ubuntu1 to applied/ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: cdacf5b6b84a2ffd4f60a49e014b7216d9207698
Unapplied parent: c86bd4fb06c19f25b5b78740db312a2009e75089

New changelog entries:
  * SECURITY UPDATE: Fix path exposure on error.
  * Add 'debian/patches/1004_backport_6.6_xss-fixes.patch' to correct URL
    decoding and adjust error message reports. Backported from upstream.
  * References
    CVE-2006-3682
    http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

ubuntu/edgy-devel 2006-10-09 15:03:55 UTC 2006-10-09
Import patches-unapplied version 6.5-2ubuntu1 to ubuntu/edgy

Author: Kees Cook
Author Date: 2006-10-06 21:29:13 UTC

Import patches-unapplied version 6.5-2ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: a25cbcee213a4cedbcbd7e46a689e94438ae64e8

New changelog entries:
  * SECURITY UPDATE: Fix path exposure on error.
  * Add 'debian/patches/1004_backport_6.6_xss-fixes.patch' to correct URL
    decoding and adjust error message reports. Backported from upstream.
  * References
    CVE-2006-3682
    http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

ubuntu/dapper 2006-05-22 20:06:45 UTC 2006-05-22
Import patches-unapplied version 6.5-1ubuntu1 to ubuntu/dapper

Author: Martin Pitt
Author Date: 2006-05-22 19:51:34 UTC

Import patches-unapplied version 6.5-1ubuntu1 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: cf0f4d31ad5822e3284ed550fbc8df019aa889bd

New changelog entries:
  * SECURITY UPDATE: Cross-site scripting.
  * debian/patches/1001_sanitize_more.patch:
    - Use the Sanitize function to filter out arbitrary HTML from 'diricons'
      parameter (analogous to CVE-2006-1945, which is already fixed in this
      version).
    - Sanitize MigrateStats parameter (XSS if statistics updates are enabled).
      [CVE-2006-2237]
    - Patch from upstream CVS, taken from Debian's 6.5-2 version.

applied/ubuntu/dapper 2006-05-22 20:06:45 UTC 2006-05-22
Import patches-applied version 6.5-1ubuntu1 to applied/ubuntu/dapper

Author: Martin Pitt
Author Date: 2006-05-22 19:51:34 UTC

Import patches-applied version 6.5-1ubuntu1 to applied/ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 12b5897995c2f37b0a1ae6ebc3ae541d18d4cd02
Unapplied parent: acc2c928e3a51eb1f56a6ebffa7b4ec7fc8e163f

New changelog entries:
  * SECURITY UPDATE: Cross-site scripting.
  * debian/patches/1001_sanitize_more.patch:
    - Use the Sanitize function to filter out arbitrary HTML from 'diricons'
      parameter (analogous to CVE-2006-1945, which is already fixed in this
      version).
    - Sanitize MigrateStats parameter (XSS if statistics updates are enabled).
      [CVE-2006-2237]
    - Patch from upstream CVS, taken from Debian's 6.5-2 version.

ubuntu/breezy 2005-12-21 04:42:39 UTC 2005-12-21
Import patches-unapplied version 6.4-1ubuntu1 to ubuntu/breezy

Author: Martin Pitt
Author Date: 2005-08-11 16:23:09 UTC

Import patches-unapplied version 6.4-1ubuntu1 to ubuntu/breezy

Imported using git-ubuntu import.

Changelog parent: 40a273008e6bcdb9c9e7d560b4a0778cdcafb494

New changelog entries:
  * SECURITY UPDATE: Fix arbitrary command injection.
  * Add debian/patches/03_remove_eval.patch:
    - Replace all eval() calls for dynamically constructed function names with
      soft references. This fixes arbitrary command injection with specially
      crafted referer URLs which contain Perl code.
    - Patch taken from upstream CVS, and contained in 6.5 release.
  * References:
    CAN-2005-1527
    http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
  * New upstream release.
  * Redirect errors of offline scripts to STDERR. Closes: bug#296435
    (thanks to Charles Fry <debian@frogcircus.org>).
  * Fix typo in README.Debian (thanks to Emmanuel Lacour
    <elacour@easter-eggs.com>).

applied/ubuntu/breezy 2005-12-21 04:42:39 UTC 2005-12-21
Import patches-applied version 6.4-1ubuntu1 to applied/ubuntu/breezy

Author: Martin Pitt
Author Date: 2005-08-11 16:23:09 UTC

Import patches-applied version 6.4-1ubuntu1 to applied/ubuntu/breezy

Imported using git-ubuntu import.

Changelog parent: 6e13fddfa9a8c0c5bb99fa6a03be728526fa3949
Unapplied parent: b5e16305c68808942299fb0bc1e6b4e46a99aec6

New changelog entries:
  * SECURITY UPDATE: Fix arbitrary command injection.
  * Add debian/patches/03_remove_eval.patch:
    - Replace all eval() calls for dynamically constructed function names with
      soft references. This fixes arbitrary command injection with specially
      crafted referer URLs which contain Perl code.
    - Patch taken from upstream CVS, and contained in 6.5 release.
  * References:
    CAN-2005-1527
    http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
  * New upstream release.
  * Redirect errors of offline scripts to STDERR. Closes: bug#296435
    (thanks to Charles Fry <debian@frogcircus.org>).
  * Fix typo in README.Debian (thanks to Emmanuel Lacour
    <elacour@easter-eggs.com>).

applied/ubuntu/hoary 2005-12-20 20:39:56 UTC 2005-12-20
Import patches-applied version 6.3-1 to applied/ubuntu/hoary

Author: Jonas Smedegaard
Author Date: 2005-02-05 16:13:48 UTC

Import patches-applied version 6.3-1 to applied/ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: ea76b1efec61fee087f753111756987d4e2fdea5
Unapplied parent: 40a273008e6bcdb9c9e7d560b4a0778cdcafb494

New changelog entries:
  * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
    A. de Oliveira <naoliv@biolinux.df.ibilce.unesp.br>).
    + Includes upstream fix for security bug fixed in 6.2-1.1.
    + Includes upstream fix for most of security bug fixed in 6.2-1.1.
  * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
    Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, Ubuntu,
    Joey Hess <joeyh@debian.org>, Frank Lichtenheld <djpig@debian.org> and Steve
    Langasek <vorlon@debian.org>).
  * Include patch for last parts of security bug fixed in 6.2-1.1:
    01_sanitize_more.patch.
  * Patch (02) to include snapshot of recent development:
    + Fix security hole that allowed a user to read log file content
      even when plugin rawlog was not enabled.
    + Fix a possible use of AWStats for a DoS attack.
    + configdir option was broken on windows servers.
    + DebugMessages is by default set to 0 for security reasons.
    + Minor fixes.
  * References:
    CAN-2005-0435 - read server logs via loadplugin and pluginmode
    CAN-2005-0436 - code injection via PluginMode
    CAN-2005-0437 - directory traversal via loadplugin
    CAN-2005-0438 - information leak via debug
  * NMU with the following patch from Ubuntu. Closes: #294488
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
    are defined by the remote user) to prevent execution of arbitrary shell
    commands through shell metacharacters.
  * References:
    CAN-2005-0362 for *plugin* variables
    CAN-2005-0363 for the config variable
  * NMU with the following patch from Ubuntu. Closes: #291064
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
    the "configdir" parameter and the SiteConfig variable to prevent execution
    of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
  * New upstream release. Closes: bug#282665.
  * Strip leading article from short description to please lintian.
  * Add upstream website URL to long description.
  * Fix watch file.
  * Use generic (but unofficial) buildinfo cdbs snippet.
  * Recommend libnet-xwhois-perl. Closes: bug#261190 (thanks to Thilo
    Pfennig <tp@alternativ.net>).
  * No longer avoid GIFs - the evil patent has expired. This closes:
    bug#260345 (thanks to Charles Lepple <clepple+debian@ghz.cc>).
  * Set urgency=high to hopefully get this into sarge in time (the
    changes are small but valuable).
  * Correct minor typos in README.Debian.
  * Add new section to README.Debian: "Quick'n'dirty setup".
  * Add example apache config snippet.
  * Correct a build target so configuration file is properly included
    (arrgh!). This also closes: Bug#258883 (thanks to Raphael Hertzog
    <hertzog@debian.org>).
  * New upstream release. Closes: Bug#251620, #257248 (except not
    fulfilling the wish of updating to 6.2 not yet stable upstream).
    + Misspelling ("trafic") corrected. Closes: Bug#240975 (thanks to
    Cristopher Price <cprice@cs-home.com>).
  * Add new XSLT files as example files.
  * Make sure among example files that only scripts and directories are
    executable.

ubuntu/hoary 2005-12-20 20:39:56 UTC 2005-12-20
Import patches-unapplied version 6.3-1 to ubuntu/hoary

Author: Jonas Smedegaard
Author Date: 2005-02-05 16:13:48 UTC

Import patches-unapplied version 6.3-1 to ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: fe52c1209ff873b23107da3425567dd31a23c581

New changelog entries:
  * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
    A. de Oliveira <naoliv@biolinux.df.ibilce.unesp.br>).
    + Includes upstream fix for security bug fixed in 6.2-1.1.
    + Includes upstream fix for most of security bug fixed in 6.2-1.1.
  * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
    Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, Ubuntu,
    Joey Hess <joeyh@debian.org>, Frank Lichtenheld <djpig@debian.org> and Steve
    Langasek <vorlon@debian.org>).
  * Include patch for last parts of security bug fixed in 6.2-1.1:
    01_sanitize_more.patch.
  * Patch (02) to include snapshot of recent development:
    + Fix security hole that allowed a user to read log file content
      even when plugin rawlog was not enabled.
    + Fix a possible use of AWStats for a DoS attack.
    + configdir option was broken on windows servers.
    + DebugMessages is by default set to 0 for security reasons.
    + Minor fixes.
  * References:
    CAN-2005-0435 - read server logs via loadplugin and pluginmode
    CAN-2005-0436 - code injection via PluginMode
    CAN-2005-0437 - directory traversal via loadplugin
    CAN-2005-0438 - information leak via debug
  * NMU with the following patch from Ubuntu. Closes: #294488
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
    are defined by the remote user) to prevent execution of arbitrary shell
    commands through shell metacharacters.
  * References:
    CAN-2005-0362 for *plugin* variables
    CAN-2005-0363 for the config variable
  * NMU with the following patch from Ubuntu. Closes: #291064
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
    the "configdir" parameter and the SiteConfig variable to prevent execution
    of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
  * New upstream release. Closes: bug#282665.
  * Strip leading article from short description to please lintian.
  * Add upstream website URL to long description.
  * Fix watch file.
  * Use generic (but unofficial) buildinfo cdbs snippet.
  * Recommend libnet-xwhois-perl. Closes: bug#261190 (thanks to Thilo
    Pfennig <tp@alternativ.net>).
  * No longer avoid GIFs - the evil patent has expired. This closes:
    bug#260345 (thanks to Charles Lepple <clepple+debian@ghz.cc>).
  * Set urgency=high to hopefully get this into sarge in time (the
    changes are small but valuable).
  * Correct minor typos in README.Debian.
  * Add new section to README.Debian: "Quick'n'dirty setup".
  * Add example apache config snippet.
  * Correct a build target so configuration file is properly included
    (arrgh!). This also closes: Bug#258883 (thanks to Raphael Hertzog
    <hertzog@debian.org>).
  * New upstream release. Closes: Bug#251620, #257248 (except not
    fulfilling the wish of updating to 6.2 not yet stable upstream).
    + Misspelling ("trafic") corrected. Closes: Bug#240975 (thanks to
    Cristopher Price <cprice@cs-home.com>).
  * Add new XSLT files as example files.
  * Make sure among example files that only scripts and directories are
    executable.

applied/ubuntu/warty-security 2005-12-20 20:08:00 UTC 2005-12-20
Import patches-applied version 6.0-4ubuntu0.2 to applied/ubuntu/warty-security

Author: Martin Pitt
Author Date: 2005-02-11 12:07:58 UTC

Import patches-applied version 6.0-4ubuntu0.2 to applied/ubuntu/warty-security

Imported using git-ubuntu import.

Changelog parent: ea76b1efec61fee087f753111756987d4e2fdea5
Unapplied parent: 67676e46b76b387fcc5f10bb5771632cdbc00417

New changelog entries:
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "logfile", "pluginmode", "loadplugin", and "noloadplugin"
    parameters (which are defined by the remote user) to prevent execution of
    arbitrary shell commands through shell metacharacters.
  * References:
    similar to CAN-2005-0116
    http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
    the "configdir" parameter and the SiteConfig variable to prevent execution
    of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

applied/ubuntu/warty-devel 2005-12-20 20:08:00 UTC 2005-12-20
Import patches-applied version 6.0-4ubuntu0.2 to applied/ubuntu/warty-security

Author: Martin Pitt
Author Date: 2005-02-11 12:07:58 UTC

Import patches-applied version 6.0-4ubuntu0.2 to applied/ubuntu/warty-security

Imported using git-ubuntu import.

Changelog parent: ea76b1efec61fee087f753111756987d4e2fdea5
Unapplied parent: 67676e46b76b387fcc5f10bb5771632cdbc00417

New changelog entries:
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "logfile", "pluginmode", "loadplugin", and "noloadplugin"
    parameters (which are defined by the remote user) to prevent execution of
    arbitrary shell commands through shell metacharacters.
  * References:
    similar to CAN-2005-0116
    http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
    the "configdir" parameter and the SiteConfig variable to prevent execution
    of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

ubuntu/warty-devel 2005-12-20 20:08:00 UTC 2005-12-20
Import patches-unapplied version 6.0-4ubuntu0.2 to ubuntu/warty-security

Author: Martin Pitt
Author Date: 2005-02-11 12:07:58 UTC

Import patches-unapplied version 6.0-4ubuntu0.2 to ubuntu/warty-security

Imported using git-ubuntu import.

Changelog parent: fe52c1209ff873b23107da3425567dd31a23c581

New changelog entries:
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "logfile", "pluginmode", "loadplugin", and "noloadplugin"
    parameters (which are defined by the remote user) to prevent execution of
    arbitrary shell commands through shell metacharacters.
  * References:
    similar to CAN-2005-0116
    http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
    the "configdir" parameter and the SiteConfig variable to prevent execution
    of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

ubuntu/warty-security 2005-12-20 20:08:00 UTC 2005-12-20
Import patches-unapplied version 6.0-4ubuntu0.2 to ubuntu/warty-security

Author: Martin Pitt
Author Date: 2005-02-11 12:07:58 UTC

Import patches-unapplied version 6.0-4ubuntu0.2 to ubuntu/warty-security

Imported using git-ubuntu import.

Changelog parent: fe52c1209ff873b23107da3425567dd31a23c581

New changelog entries:
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "logfile", "pluginmode", "loadplugin", and "noloadplugin"
    parameters (which are defined by the remote user) to prevent execution of
    arbitrary shell commands through shell metacharacters.
  * References:
    similar to CAN-2005-0116
    http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
    the "configdir" parameter and the SiteConfig variable to prevent execution
    of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

ubuntu/warty 2005-12-20 14:18:07 UTC 2005-12-20
Import patches-unapplied version 6.0-4 to ubuntu/warty

Author: Jonas Smedegaard
Author Date: 2004-05-05 03:12:07 UTC

Import patches-unapplied version 6.0-4 to ubuntu/warty

Imported using git-ubuntu import.

applied/ubuntu/warty 2005-12-20 14:18:07 UTC 2005-12-20
Import patches-applied version 6.0-4 to applied/ubuntu/warty

Author: Jonas Smedegaard
Author Date: 2004-05-05 03:12:07 UTC

Import patches-applied version 6.0-4 to applied/ubuntu/warty

Imported using git-ubuntu import.

Unapplied parent: fe52c1209ff873b23107da3425567dd31a23c581


Other repositories

Name Last Modified
lp:ubuntu/+source/awstats 2018-10-31
lp:~ahasenack/ubuntu/+source/awstats 2018-01-08