lp:ubuntu/hoary-security/awstats
- Get this branch:
- bzr branch lp:ubuntu/hoary-security/awstats
Recent revisions
- 7. By Kees Cook

  * SECURITY UPDATE: Fix XSS vulnerability and full path exposure.
  * Add 'debian/patches/05_backport_6.6_xss-fixes.patch' to filter XSS and
    adjust error message reports. Backported from upstream changes.
  * References
    CVE-2006-3681 CVE-2006-3682
    http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.867&r2=1.871

- 6. By Martin Pitt

  * SECURITY UPDATE: Arbitrary command execution as www-data.
  * Add debian/patches/04_disable_configdir.patch:
    - Disable 'configdir' CGI parameter unless AWSTATS_ENABLE_CONFIG_DIR env
      variable is set. This prevents users from putting a crafted config (with
      pipe in LogFile parameter) to e.g. /tmp and update the statistics
      through the browser.
    - Patch ported from Debian's 6.5-2.
    - CVE-2006-2644

- 5. By Martin Pitt

  * SECURITY UPDATE: Cross-site scripting.
  * debian/patches/01_sanitize_more.patch:
    - Use the Sanitize function to filter out arbitrary HTML from 'diricons'
      parameter (analogous to CVE-2006-1945, which is already fixed in this
      version).
    - Sanitize MigrateStats parameter (XSS if statistics updates are enabled).
      [CVE-2006-2237]
    - Patch from upstream CVS, taken from Debian's 6.5-2 version.

- 4. By Martin Pitt

  * SECURITY UPDATE: Fix arbitrary command injection.
  * Add debian/patches/03_remove_eval.patch:
    - Replace all eval() calls for dynamically constructed function names with
      soft references. This fixes arbitrary command injection with specially
      crafted referer URLs which contain Perl code.
    - Patch taken from upstream CVS, and contained in 6.5 release.
  * References:
    CAN-2005-1527
    http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

- 3. By Jonas Smedegaard <email address hidden>

  * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
    A. de Oliveira <email address hidden>).
    + Includes upstream fix for security bug fixed in 6.2-1.1.
    + Includes upstream fix for most of security bug fixed in 6.2-1.1.
  * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
    Schulze <email address hidden>, Martin Pitt <email address hidden>, Ubuntu,
    Joey Hess <email address hidden>, Frank Lichtenheld <email address hidden> and Steve
    Langasek <email address hidden>).
  * Include patch for last parts of security bug fixed in 6.2-1.1:
    01_sanitize_more.patch.
  * Patch (02) to include snapshot of recent development:
    + Fix security hole that allowed a user to read log file content
      even when plugin rawlog was not enabled.
    + Fix a possible use of AWStats for a DoS attack.
    + configdir option was broken on windows servers.
    + DebugMessages is by default set to 0 for security reasons.
    + Minor fixes.
  * References:
    CAN-2005-0435 - read server logs via loadplugin and pluginmode
    CAN-2005-0436 - code injection via PluginMode
    CAN-2005-0437 - directory traversal via loadplugin
    CAN-2005-0438 - information leak via debug

- 2. By Jonas Smedegaard <email address hidden>

  Really fix bug#247265. Really closes: Bug#247265 (thanks to Edward
  J. Shornock <email address hidden>).
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/awstats