[Pkg-awstats-commits] r51 - awstats/trunk/debian
Charles Fry
cfry-guest at costa.debian.org
Mon May 8 15:13:08 UTC 2006
Author: cfry-guest
Date: 2006-05-08 15:13:08 +0000 (Mon, 08 May 2006)
New Revision: 51
Modified:
awstats/trunk/debian/NEWS
Log:
added news about disabling confdir
Modified: awstats/trunk/debian/NEWS
===================================================================
--- awstats/trunk/debian/NEWS 2006-05-06 21:42:50 UTC (rev 50)
+++ awstats/trunk/debian/NEWS 2006-05-08 15:13:08 UTC (rev 51)
@@ -1,3 +1,15 @@
+awstats (6.5-2) unstable; urgency=low
+
+ * For security purposes, the confdir parameter is disabled by
+ default. To enable it, set the AWSTATS_ENABLE_CONFIG_DIR
+ environmental variable in the web environment. Allowing confdir
+ to be set opens the door for a code injection attack, as
+ explained in bug #365910. Note that upstream will fix this in
+ the 6.6 release, but has not yet decided how they will address
+ the issue (though they suggested the current patch).
+
+ -- Charles Fry <debian at frogcircus.org> Mon, 8 May 2006 11:04:54 -0400
+
awstats (6.0-3) unstable; urgency=low
* Cache files are now located at /var/lib/awstats by default. Old
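Review bot: The enable instruction in the new 6.5-2 entry is not actionable as written: it says to set AWSTATS_ENABLE_CONFIG_DIR "in the web environment" but gives neither the value the variable must hold nor where in the web server configuration it belongs. Consider adding one concrete line for the supported web server, and placing the code injection warning directly beside that instruction so that anyone re-enabling confdir sees the risk at the point of action. Also, "environmental variable" should read "environment variable".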