-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 4 Sep 2005 19:17:31 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Frank Lichtenheld <djpig@debian.org>
Description:
 awstats    - powerful and featureful web server log analyzer
Closes: 322591
Changes:
 awstats (6.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload
   * SECURITY UPDATE: Fix arbitrary command injection. (Closes: #322591)
     Thanks to Martin Pitt for reporting the issue and providing the patch.
   * Add debian/patches/03_remove_eval.patch:
     - Replace all eval() calls for dynamically constructed function names
       with soft references. This fixes arbitrary command injection with
       specially crafted referer URLs which contain Perl code.
     - Patch taken from upstream CVS, and contained in 6.5 release.
   * References:
     CAN-2005-1527
     http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
Files:
 3a3cca9f3b9283b5831945520ae5f740 581 web optional awstats_6.4-1.1.dsc
 dee1895775f5e27fdaca8c91e85c3c3c 18210 web optional awstats_6.4-1.1.diff.gz
 3da4615e7576ea7f799c3e8cbf1c6b2f 728234 web optional awstats_6.4-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDGyyKQbn06FtxPfARAor0AKDNQd41HWvjLhWqpYDuozEk/D9djQCeMef/
6trN9ngXsbYk7uimUKRVUo4=
=H0sg
-----END PGP SIGNATURE-----


Accepted:
awstats_6.4-1.1.diff.gz
  to pool/main/a/awstats/awstats_6.4-1.1.diff.gz
awstats_6.4-1.1.dsc
  to pool/main/a/awstats/awstats_6.4-1.1.dsc
awstats_6.4-1.1_all.deb
  to pool/main/a/awstats/awstats_6.4-1.1_all.deb
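The changelog entry above describes the class of bug (string eval() on a function name built from untrusted input) and the fix (a soft reference, i.e. a symbol-table lookup by name). The following is an added illustration of that pattern in a generic log-field formatter; it is not code from awstats, from 03_remove_eval.patch, or from this upload. The sub names Format_host/Format_url, the dispatch_eval/dispatch_softref helpers and the sample inputs are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not awstats code: the eval()-on-a-constructed-name
# pattern behind CAN-2005-1527, beside the soft-reference replacement.
use strict;
use warnings;

# Hypothetical per-field formatters that an analyzer dispatches to by
# name, e.g. field "host" -> Format_host.
sub Format_host { my ($v) = @_; return lc $v; }
sub Format_url  { my ($v) = @_; $v =~ s/\s+/%20/g; return $v; }

# VULNERABLE: the sub name comes from untrusted input and is glued into a
# string that is handed to eval, so the input is compiled as Perl source.
sub dispatch_eval {
    my ($field, $value) = @_;
    my $result;
    eval "\$result = Format_$field(\$value);";   # string eval on input
    return $@ ? "error: $@" : $result;
}

# FIXED: a soft (symbolic) reference looks the name up in the symbol
# table; the string is never parsed as code. Restricting the name to
# identifier characters and checking that the sub exists turns an
# unexpected name into an error instead of a call to something else.
sub dispatch_softref {
    my ($field, $value) = @_;
    return "error: no such formatter" unless $field =~ /^[A-Za-z0-9_]+$/;
    no strict 'refs';
    my $name = "Format_$field";
    return "error: no such formatter" unless defined &{$name};
    return &{$name}($value);
}

# Constructed inputs. The third "field" is not a name but Perl source:
# under string eval it executes (here it just prints a marker), under
# the soft-reference version it is merely an invalid name.
my @cases = (
    [ 'host', 'WWW.Example.ORG' ],
    [ 'url',  '/a b' ],
    [ 'host(q{}); print "INJECTED\n"; Format_host', 'x' ],
);
for my $c (@cases) {
    print "eval   : ", dispatch_eval(@$c),    "\n";
    print "softref: ", dispatch_softref(@$c), "\n";
}
```

The soft reference on its own only stops the input from being compiled; it still lets the caller name any existing sub under the Format_ prefix, which is why the example also validates the name and checks `defined &{$name}`. A fixed dispatch hash (name to code reference) is the stricter form when the set of formatters is known at compile time.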