
Bug#985215: RFS: awstats/7.6+dfsg-2+deb10u1 [QA] -- powerful and featureful web server log analyzer



Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package "awstats":

 * Package name    : awstats
   Version         : 7.6+dfsg-2+deb10u1
   Upstream Author : Laurent Destailleur <eldy@users.sourceforge.net>
 * URL             : http://awstats.sourceforge.net/
 * License         : Apache-2.0, GPL-3+, CC-BY-3.0, GPL-1+
 * Vcs             : http://anonscm.debian.org/gitweb/?p=collab-maint/awstats.git;a=summary
   Section         : web

It builds those binary packages:

  awstats - powerful and featureful web server log analyzer

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/awstats/

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/a/awstats/awstats_7.6+dfsg-2+deb10u1.dsc

Changes since the last upload:

 awstats (7.6+dfsg-2+deb10u1) buster; urgency=medium
 .
   * QA upload.
   * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute
     pathname, even though it was intended to only read a file in the
     /etc/awstats/awstats.conf format. NOTE: this issue exists because of
     an incomplete fix for CVE-2017-1000501. Closes: #891469
   * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
     accepts a partial absolute pathname (omitting the initial /etc), even
     though it was intended to only read a file in the
     /etc/awstats/awstats.conf format. NOTE: this issue exists because of
     an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
     Closes: #977190


This upload was approved with bug #982996. Afterwards I changed it from
an NMU to a QA upload.

Regards,
Håvard
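
Added example, not part of the original message or of the AWStats or Debian code: a log check an administrator could run while the fixed package is pending, flagging `awstats.pl` requests whose `config=` value is not a plain configuration name. The combined log format, the sample lines and the allowlist pattern for names are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2021:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:10:00:07 +0000] "GET /cgi-bin/awstats.pl?config=/srv/upload/site HTTP/1.1" 200 311 "-" "curl/7.64.0"
192.0.2.44 - - [10/Mar/2021:10:00:09 +0000] "GET /cgi-bin/awstats.pl?output=main&config=%2Fsrv%2Fupload%2Fsite HTTP/1.1" 200 311 "-" "curl/7.64.0"
192.0.2.44 - - [10/Mar/2021:10:00:12 +0000] "GET /cgi-bin/awstats.pl?config=sub/site HTTP/1.1" 200 311 "-" "curl/7.64.0"
192.0.2.10 - - [10/Mar/2021:10:00:15 +0000] "GET /index.html?config=/a/b HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Request line inside the quoted field of a combined-format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed allowlist: a config name is a site name, never a path.
SAFE_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]*')


def suspicious_config_requests(log_text):
    """Return (client, decoded config value) for awstats.pl requests
    whose config= parameter is anything other than a plain name."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/awstats.pl"):
            continue
        # parse_qs percent-decodes once, so %2F is seen as "/"; a doubly
        # encoded value still contains "%" and fails the allowlist.
        values = parse_qs(url.query, keep_blank_values=True).get("config", [])
        for value in values:
            if ".." in value or not SAFE_NAME.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_config_requests(SAMPLE_LOG):
        print(f"{client}\tconfig={value!r}")
```

Only GET query strings are visible in an access log; a `config` value sent in a POST body would not appear here.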

