-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Feb 2005 14:02:07 -0500
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.2-1.2
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
 awstats - powerful and featureful web server log analyzer
Closes: 294488
Changes:
 awstats (6.2-1.2) unstable; urgency=HIGH
 .
   * NMU with the following patch from Ubuntu. Closes: #294488
   * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
   * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
     "config", "pluginmode", "loadplugin", and "noloadplugin" parameters
     (which are defined by the remote user) to prevent execution of
     arbitrary shell commands through shell metacharacters.
   * References:
     CAN-2005-0362 for *plugin* variables
     CAN-2005-0363 for the config variable
Files:
 d05646bb703b728383f0a7e264df0d4f 581 web optional awstats_6.2-1.2.dsc
 194070c529a1f7bf4861d8c06ac0f2f3 14616 web optional awstats_6.2-1.2.diff.gz
 00fa26d7a4dd2f055940df6fc3bc8fbc 658660 web optional awstats_6.2-1.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCD6TG2tp5zXiKP0wRAkNfAKCEXNb5hKzlKincx8wicfHqOUDUfACeMGuC
VoIs+GHMHkU8zFAUDS6jXz4=
=yh+5
-----END PGP SIGNATURE-----

Accepted:
awstats_6.2-1.2.diff.gz
  to pool/main/a/awstats/awstats_6.2-1.2.diff.gz
awstats_6.2-1.2.dsc
  to pool/main/a/awstats/awstats_6.2-1.2.dsc
awstats_6.2-1.2_all.deb
  to pool/main/a/awstats/awstats_6.2-1.2_all.deb
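The kind of filtering the changelog describes, sketched in Perl as an added example; it is not the patch from this upload and not code from awstats.pl. The helper names (`clean_path_param`, `url_decode`, `parse_query`), the exact allowlist and the sample query string are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parameters named in the changelog; everything else here is hypothetical.
my @PATH_PARAMS = qw(config pluginmode loadplugin noloadplugin);

# Delete every character outside a plain path/name allowlist, which removes
# shell metacharacters such as | ; & ` $ ( ) < > and whitespace.
sub clean_path_param {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ tr{a-zA-Z0-9_./:-}{}cd;    # c = complement the set, d = delete
    return $value;
}

# Percent-decode one query-string component.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Split a query string, decode it, then filter the path-like parameters.
# Filtering must come after decoding: an encoded "%7C" contains only
# allowlisted characters apart from "%", and becomes "|" once decoded.
sub parse_query {
    my ($query) = @_;
    my %is_path = map { $_ => 1 } @PATH_PARAMS;
    my %param;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $name  = url_decode($name);
        $value = url_decode(defined $value ? $value : '');
        $value = clean_path_param($value) if $is_path{$name};
        $param{$name} = $value;
    }
    return \%param;
}

# Constructed sample request, not taken from any real log.
my $query = 'config=www.example.org%7Cx&loadplugin=geoip%3Bx'
          . '&pluginmode=%60x%60&output=main';
my $param = parse_query($query);

printf "%-12s => %s\n", $_, $param->{$_} for sort keys %$param;
```

This allowlist still passes `.` and `/`, so it does not by itself reject `../` sequences; that needs a separate check.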