lp:ubuntu/breezy-security/awstats

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/breezy-security/awstats

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

7. By Kees Cook

* SECURITY UPDATE: Fix XSS vulnerability and full path exposure.
* Add 'debian/patches/05_backport_6.6_xss-fixes.patch' to filter XSS and
  adjust error message reports. Backported from upstream changes.
* References
  CVE-2006-3681 CVE-2006-3682
  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

6. By Martin Pitt

* SECURITY UPDATE: Arbitrary command execution as www-data.
* Add debian/patches/04_disable_configdir.patch:
  - Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
    variable is set. This prevents users from putting a crafted config (with
    pipe in LogFile parameter) to e.g. /tmp and update the statistics
    through the browser.
  - Patch ported from Debian's 6.5-2.
  - CVE-2006-2644

5. By Martin Pitt

* SECURITY UPDATE: Cross-site scripting.
* debian/patches/01_sanitize_more.patch:
  - Use the Sanitize function to filter out arbitrary HTML from 'diricons'
    parameter (analogous to CVE-2006-1945, which is already fixed in this
    version).
  - Sanitize MigrateStats parameter (XSS if statistics updates are enabled).
    [CVE-2006-2237]
  - Patch from upstream CVS, taken from Debian's 6.5-2 version.

4. By Martin Pitt

* SECURITY UPDATE: Fix arbitrary command injection.
* Add debian/patches/03_remove_eval.patch:
  - Replace all eval() calls for dynamically constructed function names with
    soft references. This fixes arbitrary command injection with specially
    crafted referer URLs which contain Perl code.
  - Patch taken from upstream CVS, and contained in 6.5 release.
* References:
  CAN-2005-1527
  http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

3. By Jonas Smedegaard <email address hidden>

* New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
  A. de Oliveira <email address hidden>).
  + Includes upstream fix for security bug fixed in 6.2-1.1.
  + Includes upstream fix for most of security bug fixed in 6.2-1.1.
* Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
  Schulze <email address hidden>, Martin Pitt <email address hidden>, Ubuntu,
  Joey Hess <email address hidden>, Frank Lichtenheld <email address hidden> and Steve
  Langasek <email address hidden>).
* Include patch for last parts of security bug fixed in 6.2-1.1:
  01_sanitize_more.patch.
* Patch (02) to include snapshot of recent development:
  + Fix security hole that allowed a user to read log file content
    even when plugin rawlog was not enabled.
  + Fix a possible use of AWStats for a DoS attack.
  + configdir option was broken on Windows servers.
  + DebugMessages is by default set to 0 for security reasons.
  + Minor fixes.
* References:
  CAN-2005-0435 - read server logs via loadplugin and pluginmode
  CAN-2005-0436 - code injection via PluginMode
  CAN-2005-0437 - directory traversal via loadplugin
  CAN-2005-0438 - information leak via debug

2. By Jonas Smedegaard <email address hidden>

Really fix bug#247265. Really closes: Bug#247265 (thanks to Edward
J. Shornock <email address hidden>).

1. By Jonas Smedegaard <email address hidden>

Import upstream version 6.0

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/awstats