Message-Id: <email address hidden>
Date: Wed, 16 Feb 2005 22:17:06 -0500
From: Jonas Smedegaard <email address hidden>
To: <email address hidden>
Subject: Bug#291064: fixed in awstats 6.3-1
Source: awstats
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.3-1.diff.gz
  to pool/main/a/awstats/awstats_6.3-1.diff.gz
awstats_6.3-1.dsc
  to pool/main/a/awstats/awstats_6.3-1.dsc
awstats_6.3-1_all.deb
  to pool/main/a/awstats/awstats_6.3-1_all.deb
awstats_6.3.orig.tar.gz
  to pool/main/a/awstats/awstats_6.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <email address hidden> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 5 Feb 2005 17:13:48 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <email address hidden>
Changed-By: Jonas Smedegaard <email address hidden>
Description:
 awstats - powerful and featureful web server log analyzer
Closes: 291064 293668 293702 294488
Changes:
 awstats (6.3-1) unstable; urgency=high
 .
   * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
     A. de Oliveira <email address hidden>).
     + Includes upstream fix for security bug fixed in 6.2-1.1.
     + Includes upstream fix for most of security bug fixed in 6.2-1.1.
   * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
     Schulze <email address hidden>, Martin Pitt <email address hidden>, Ubuntu,
     Joey Hess <email address hidden>, Frank Lichtenheld <email address hidden> and Steve
     Langasek <email address hidden>).
   * Include patch for last parts of security bug fixed in 6.2-1.1:
     01_sanitize_more.patch.
   * Patch (02) to include snapshot of recent development:
     + Fix security hole that allowed a user to read log file content
       even when plugin rawlog was not enabled.
     + Fix a possible use of AWStats for a DoS attack.
     + configdir option was broken on windows servers.
     + DebugMessages is by default set to 0 for security reasons.
     + Minor fixes.
   * References:
     CAN-2005-0435 - read server logs via loadplugin and pluginmode
     CAN-2005-0436 - code injection via PluginMode
     CAN-2005-0437 - directory traversal via loadplugin
     CAN-2005-0438 - information leak via debug
Files:
 2dc54b77fee571afaba6074465ee79fb 577 web optional awstats_6.3-1.dsc
 edb73007530a5800d53b9f1f90c88053 938794 web optional awstats_6.3.orig.tar.gz
 daf739c6af548309a9724afaf2631a69 22093 web optional awstats_6.3-1.diff.gz
 bafc77369b5e40d31b4df2f6ab0920d4 725768 web optional awstats_6.3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCFAagn7D
R2oNSNdLPwJWHdD
=ySLo
-----END PGP SIGNATURE-----