-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 9 Nov 2005 17:23:56 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.4-1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 awstats    - powerful and featureful web server log analyzer
Closes: 322591
Changes:
 awstats (6.4-1sarge1) stable-security; urgency=high
 .
   [ Charles Fry ]
   * SECURITY UPDATE: Fix arbitrary command injection. (Closes: #322591)
     Thanks to Martin Pitt for reporting the issue and providing the patch.
   * Add debian/patches/03_remove_eval.patch:
     - Replace all eval() calls for dynamically constructed function names
       with soft references. This fixes arbitrary command injection with
       specially crafted referer URLs which contain Perl code.
     - Patch taken from upstream CVS, and contained in 6.5 release.
   * References:
     CAN-2005-1527
     http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
 .
   [ Jonas Smedegaard ]
   * Adjust distribution.
Files:
 82449cbf170952a0e5d31648c7943656 589 web optional awstats_6.4-1sarge1.dsc
 056e6fb0c7351b17fe5bbbe0aa1297b1 918435 web optional awstats_6.4.orig.tar.gz
 c4efeefcab00fdda3c53e74e32cc0aab 18257 web optional awstats_6.4-1sarge1.diff.gz
 ed12fcb3a2a00b4f440dc9091a2ca78d 728430 web optional awstats_6.4-1sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDciqvn7DbMsAkQLgRAs+QAJ0bbvOWdtFJoAU7MH16VzgUBjhQ/QCfYUMv
Yj8+aH2NkNCiaXD3wLiT5H0=
=R9YJ
-----END PGP SIGNATURE-----


Accepted:
awstats_6.4-1sarge1.diff.gz
  to pool/main/a/awstats/awstats_6.4-1sarge1.diff.gz
awstats_6.4-1sarge1.dsc
  to pool/main/a/awstats/awstats_6.4-1sarge1.dsc
awstats_6.4-1sarge1_all.deb
  to pool/main/a/awstats/awstats_6.4-1sarge1_all.deb
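The changelog entry above describes the fix only in one sentence: string eval() over a dynamically built function name was replaced by a soft reference. The following Perl script is an added illustration of that difference; it is not awstats code and not the contents of 03_remove_eval.patch. The handler names (handler_google, handler_unknown), the dispatch functions and the constructed inputs are all hypothetical. The hostile input only sets a marker variable, which is enough to show which code path treats the name as Perl source.

```perl
#!/usr/bin/perl
# Added illustration (not awstats code): a string eval() over an
# attacker-influenced function name versus a soft reference to the
# same name, versus an explicit dispatch table.
use strict;
use warnings;

# Hypothetical per-referer handlers, in the style of a plugin dispatch.
sub handler_google  { my ($q) = @_; return "google:$q"; }
sub handler_unknown { my ($q) = @_; return "unknown:$q"; }

# Vulnerable pattern: the name is interpolated into Perl SOURCE TEXT,
# which is then compiled and executed. Everything inside $name is parsed
# as code, so quotes or statement separators in it escape the intended call.
sub run_via_eval {
    my ($name, $arg) = @_;
    my $result = eval "handler_${name}(\$arg)";   # string eval: $name becomes code
    die "eval failed: $@" if $@;
    return $result;
}

# Fixed pattern (what the changelog calls a soft reference): the name is
# built as DATA and used only as a symbol-table lookup. It is never parsed
# as Perl, so it cannot carry statements; an unknown name is simply absent.
sub run_via_softref {
    my ($name, $arg) = @_;
    my $fn = "handler_${name}";
    no strict 'refs';                  # soft references need this, scoped to this sub
    return defined &{$fn} ? &{$fn}($arg) : handler_unknown($arg);
}

# Stricter still: an explicit allowlist of handlers. Works under
# "use strict 'refs'" and makes the set of callable names reviewable.
my %dispatch = (
    google => \&handler_google,
);

sub run_via_table {
    my ($name, $arg) = @_;
    my $fn = $dispatch{$name} || \&handler_unknown;
    return $fn->($arg);
}

# Constructed inputs: a benign referer-derived name and a hostile one.
# The hostile name contains Perl statements; the only side effect it
# carries is setting $main::INJECTED, used here as a harmless marker.
my $benign  = 'google';
my $hostile = 'google($arg); $main::INJECTED = 1; handler_unknown';

for my $runner ([ eval => \&run_via_eval ],
                [ softref => \&run_via_softref ],
                [ table => \&run_via_table ]) {
    my ($label, $code) = @$runner;

    $main::INJECTED = 0;
    my $ok = eval { $code->($benign, 'q') } // "error: $@";
    printf "%-8s benign : result=%s\n", $label, $ok;

    $main::INJECTED = 0;
    my $bad = eval { $code->($hostile, 'q') } // "error: $@";
    printf "%-8s hostile: result=%s injected_code_ran=%d\n",
        $label, $bad, $main::INJECTED;
}
```

Run it with `perl` and compare the three hostile lines: only the eval path reports that the injected statement ran, because only there does the name reach the Perl parser. The soft-reference path looks the whole string up as a symbol, finds nothing, and falls back to handler_unknown; the dispatch-table path does the same while keeping `use strict 'refs'` in force, which is why a table is usually preferred over `no strict 'refs'` when the set of handlers is known in advance.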