Branches for Hoary

Name Status Last Modified Last Commit
lp:ubuntu/hoary/awstats 1 Development 2009-06-15 18:55:06 UTC
3. * New upstream release. Closes: bug#2...

Author: Jonas Smedegaard
Revision Date: 2005-02-05 17:13:48 UTC

* New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
  A. de Oliveira <naoliv@biolinux.df.ibilce.unesp.br>).
  + Includes upstream fix for security bug fixed in 6.2-1.1.
  + Includes upstream fix for most of security bug fixed in 6.2-1.1.
* Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
  Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, Ubuntu,
  Joey Hess <joeyh@debian.org>, Frank Lichtenheld <djpig@debian.org> and Steve
  Langasek <vorlon@debian.org>).
* Include patch for last parts of security bug fixed in 6.2-1.1:
  01_sanitize_more.patch.
* Patch (02) to include snapshot of recent development:
  + Fix security hole that allowed a user to read log file content
    even when plugin rawlog was not enabled.
  + Fix a possible use of AWStats for a DoS attack.
  + configdir option was broken on windows servers.
  + DebugMessages is by default set to 0 for security reasons.
  + Minor fixes.
* References:
  CAN-2005-0435 - read server logs via loadplugin and pluginmode
  CAN-2005-0436 - code injection via PluginMode
  CAN-2005-0437 - directory traversal via loadplugin
  CAN-2005-0438 - information leak via debug

lp:ubuntu/hoary-security/awstats 1 Development 2009-06-15 18:55:21 UTC
7. * SECURITY UPDATE: Fix XSS vulnerabil...

Author: Kees Cook
Revision Date: 2006-10-05 10:25:12 UTC

* SECURITY UPDATE: Fix XSS vulnerability and full path exposure.
* Add 'debian/patches/05_backport_6.6_xss-fixes.patch' to filter XSS and
  adjust error message reports. Backported from upstream changes.
* References
  CVE-2006-3681 CVE-2006-3682
  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871
