Accepted awstats 6.4-1sarge1 (source all)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 9 Nov 2005 17:23:56 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.4-1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 322591
Changes:
 awstats (6.4-1sarge1) stable-security; urgency=high
 .
   [ Charles Fry ]
   * SECURITY UPDATE: Fix arbitrary command injection. (Closes: #322591)
     Thanks to Martin Pitt for reporting the issue and providing the
     patch.
   * Add debian/patches/03_remove_eval.patch:
     - Replace all eval() calls for dynamically constructed function
       names with soft references. This fixes arbitrary command injection
       with specially crafted referer URLs which contain Perl code.
     - Patch taken from upstream CVS, and contained in 6.5 release.
   * References:
     CAN-2005-1527
     http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
 .
   [ Jonas Smedegaard ]
   * Adjust distribution.
Files:
82449cbf170952a0e5d31648c7943656 589 web optional awstats_6.4-1sarge1.dsc
056e6fb0c7351b17fe5bbbe0aa1297b1 918435 web optional awstats_6.4.orig.tar.gz
c4efeefcab00fdda3c53e74e32cc0aab 18257 web optional awstats_6.4-1sarge1.diff.gz
ed12fcb3a2a00b4f440dc9091a2ca78d 728430 web optional awstats_6.4-1sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDciqvn7DbMsAkQLgRAs+QAJ0bbvOWdtFJoAU7MH16VzgUBjhQ/QCfYUMv
Yj8+aH2NkNCiaXD3wLiT5H0=
=R9YJ
-----END PGP SIGNATURE-----
Accepted:
awstats_6.4-1sarge1.diff.gz
to pool/main/a/awstats/awstats_6.4-1sarge1.diff.gz
awstats_6.4-1sarge1.dsc
to pool/main/a/awstats/awstats_6.4-1sarge1.dsc
awstats_6.4-1sarge1_all.deb
to pool/main/a/awstats/awstats_6.4-1sarge1_all.deb