Ubuntu
awstats package

lp:ubuntu/dapper-security/awstats

  1. Dapper (6.06)
  2. dapper-security
Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/dapper-security/awstats
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

10. By Marc Deslauriers

* SECURITY UPDATE: directory traversal via crafted LoadPlugin directory
  - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin
    name in wwwroot/cgi-bin/awstats.pl.
  - CVE-2010-4369

9. By Kees Cook

* SECURITY UPDATE: XSS via quotes in the "config" parameter (CVE-2008-3714).
  - 1006_quote_xss.patch: upstream fixes, thanks to Florian Weimer.

8. By Kees Cook

* SECURITY UPDATE: Fix path exposure on error.
* Add 'debian/patches/1004_backport_6.6_xss-fixes.patch' to correct URL
  decoding and adjust error message reports. Backported from upstream.
* References
  CVE-2006-3682
  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

7. By Martin Pitt

* SECURITY UPDATE: Arbitrary command execution as www-data.
* Add debian/patches/1003_disable_configdir.patch:
  - Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
    variable is set. This prevents users from putting a crafted config (with
    pipe in LogFile parameter) to e. g. /tmp and update the statistics
    through the browser.
  - Patch ported from Debian's 6.5-2.
  - CVE-2006-2644

6. By Martin Pitt

* SECURITY UPDATE: Cross-site scripting.
* debian/patches/1001_sanitize_more.patch:
  - Use the Sanitize function to filter out arbitrary HTML from 'diricons'
    parameter (analoguous to CVE-2006-1945, which is already fixed in this
    version).
  - Sanitize MigrateStats parameter (XSS if statistics updates are enabled).
    [CVE-2006-2237]
  - Patch from upstream CVS, taken from Debian's 6.5-2 version.

5. By Jonas Smedegaard <email address hidden>

[ Jonas Smedegaard ]
* New upstream release.
  + Recognizes GNUTLS from lynx User-Agent header. Closes: #306130
    (thanks to Dmitry Baryshkov <email address hidden>).
  + Geoip shows countries for resolved hostnames. Closes: #317310
    (thanks to Administrator <email address hidden>).
* Simplify watch file to better work with parser used at qa.d.o.
* Improve cdbs rules:
  + Use quilt (rather than cdbs-internal patch system).
  + Add and enable new local snippets copyright-check and auto-update.
  + Update local snippet buildinfo (fixing its namespace).
* Auto-update debian/control:
  + Tightened build-dependency on cdbs.
  + Added build-dependencies on patchutils and quilt.
* Package is now team-maintained:
  + New maintainer: Debian AWStats Team
    <email address hidden>.
  + Add myself as uploader.

[ Charles Fry ]
* Use qa.debian.org SF redirector in watch file.
* Use Homepage instead of Website in debian/control, per DDR 6.2.4.
* Removed patches integrated upstream

4. By Jonas Smedegaard <email address hidden>

[ Charles Fry ]
* New co-maintainer.
* Suggest libgeo-ipfree-perl. Closes: #316126 (thanks to Gunnar Wolf
  <email address hidden>).
* Fixed README.Debian path to configure.pl. Closes: #313093 (thanks to
  Michael De Nil <email address hidden>).

[ Jonas Smedegaard ]
* Acknowledge NMU. Closes: bug#322591.
* Bump up watch version, and adjust the default command (we have moved
  to SubVerSion).
* Add proto to URL in long description.
* User newer chown syntax in postinst (thanks to lintian).

3. By Jonas Smedegaard <email address hidden>

* New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
  A. de Oliveira <email address hidden>).
  + Includes upstream fix for security bug fixed in 6.2-1.1.
  + Includes upstream fix for most of security bug fixed in 6.2-1.1.
* Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
  Schulze <email address hidden>, Martin Pitt <email address hidden>, Ubuntu,
  Joey Hess <email address hidden>, Frank Lichtenheld <email address hidden> and Steve
  Langasek <email address hidden>).
* Include patch for last parts of security bug fixed in 6.2-1.1:
  01_sanitize_more.patch.
* Patch (02) to include snapshot of recent development:
  + Fix security hole that allowed a user to read log file content
    even when plugin rawlog was not enabled.
  + Fix a possible use of AWStats for a DoS attack.
  + configdir option was broken on windows servers.
  + DebugMessages is by default set to 0 for security reasons.
  + Minor fixes.
* References:
  CAN-2005-0435 - read server logs via loadplugin and pluginmode
  CAN-2005-0436 - code injection via PluginMode
  CAN-2005-0437 - directory traversal via loadplugin
  CAN-2005-0438 - information leak via debug

2. By Jonas Smedegaard <email address hidden>

Really fix bug#247265. Really closes: Bug#247265 (thanks to Edward
J. Shornock <email address hidden>).

1. By Jonas Smedegaard <email address hidden>

Import upstream version 6.0

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/awstats
This branch contains Public information 
Everyone can see this information.

Subscribers