Bug#985215: RFS: awstats/7.6+dfsg-2+deb10u1 [QA] -- powerful and featureful web server log analyzer
Package: sponsorship-requests
Severity: important
Dear mentors,
I am looking for a sponsor for my package "awstats":
 * Package name    : awstats
   Version         : 7.6+dfsg-2+deb10u1
   Upstream Author : Laurent Destailleur <eldy@users.sourceforge.net>
 * URL             : http://awstats.sourceforge.net/
 * License         : Apache-2.0, GPL-3+, CC-BY-3.0, GPL-1+
 * Vcs             : http://anonscm.debian.org/gitweb/?p=collab-maint/awstats.git;a=summary
   Section         : web
It builds those binary packages:
awstats - powerful and featureful web server log analyzer
To access further information about this package, please visit the
following URL:
https://mentors.debian.net/package/awstats/
Alternatively, one can download the package with dget using this command:
dget -x https://mentors.debian.net/debian/pool/main/a/awstats/awstats_7.6+dfsg-2+deb10u1.dsc
Changes since the last upload:
awstats (7.6+dfsg-2+deb10u1) buster; urgency=medium
 .
  * QA upload.
  * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute
    pathname, even though it was intended to only read a file in the
    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
    an incomplete fix for CVE-2017-1000501. Closes: #891469
  * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
    accepts a partial absolute pathname (omitting the initial /etc), even
    though it was intended to only read a file in the
    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
    an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
    Closes: #977190
This upload was approved with bug #982996. Afterwards I changed it from
an NMU to a QA upload.
Regards,
Håvard
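Editor's note: the two changelog entries above describe a chain of incomplete fixes to one parameter check, and the shape of that defect is worth seeing in code. The block below is an added example and is not AWStats' code (AWStats is Perl, and its real search directories, file naming and checks are not reproduced). It models a hypothetical loader that searches an assumed list of directories for a config file, with an assumed fallback that also tries the raw config= value as a filename, and contrasts a denylist check that exhibits the two defects named for CVE-2020-29600 (absolute pathname accepted) and CVE-2020-35176 (partial pathname omitting /etc accepted) with an allowlist plus canonical-path containment check. The fixture, including the decoy passwd file, is constructed under a temporary directory so it runs offline as an unprivileged user.

```python
"""Added example: config= name handling of the kind the changelog describes.

Illustrative code only, not AWStats' own. The search order, the loader's
fallback to the raw name, and the fixture files are all assumptions made
for the demonstration.
"""
import os
import re
import shutil
import tempfile


def make_fixture():
    """Create <root>/etc/awstats/awstats.site.conf (the legitimate config) and a
    constructed decoy <root>/etc/passwd that a config= value must never reach."""
    root = tempfile.mkdtemp(prefix="awstats-demo-")
    os.makedirs(os.path.join(root, "etc", "awstats"))
    with open(os.path.join(root, "etc", "awstats", "awstats.site.conf"), "w") as f:
        f.write('SiteDomain="example.org"\n')
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    return root


def cleanup(root):
    shutil.rmtree(root)


def search_dirs(root):
    """Assumed search order: a dedicated config dir first, then plain etc."""
    return [os.path.join(root, "etc", "awstats"), os.path.join(root, "etc")]


def _read(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def denylist_load(root, config, reject_leading_slash=False):
    """Vulnerable pattern: refuse only the strings earlier fixes named.

    reject_leading_slash=False models a state where only ".." is refused
    (the CVE-2017-1000501 fix); True models the later fix that also refuses
    an absolute pathname. Assumed loader behaviour: try awstats.<config>.conf
    in each directory, then <config> itself, so a full path may be given."""
    if ".." in config:
        return None
    if reject_leading_slash and config.startswith("/"):
        return None
    for d in search_dirs(root):
        for name in (f"awstats.{config}.conf", config):
            # os.path.join discards d entirely when name is absolute.
            path = os.path.join(d, name)
            if os.path.isfile(path):
                return _read(path)
    return None


# Allowlist for the site name: no separators, no leading dot, bounded length.
CONFIG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def safe_load(root, config):
    """Hardened pattern: allowlist the name, build the one filename shape that
    is accepted, and verify the canonical result is still inside the dir."""
    if not CONFIG_NAME.match(config):
        return None
    for d in search_dirs(root):
        base = os.path.realpath(d)
        path = os.path.realpath(os.path.join(base, f"awstats.{config}.conf"))
        if os.path.commonpath([base, path]) != base:
            continue  # a symlink or similar escaped the directory
        if os.path.isfile(path):
            return _read(path)
    return None


def demo(root):
    """Return (denylist, denylist+no-slash, allowlist) acceptance per input class."""
    absolute = os.path.join(root, "etc", "passwd")
    cases = {
        "legitimate": "site",
        "traversal": "../passwd",          # CVE-2017-1000501 class
        "absolute": absolute,              # CVE-2020-29600 class
        "partial (omits /etc)": "passwd",  # CVE-2020-35176 class
    }
    return {
        label: (
            denylist_load(root, value) is not None,
            denylist_load(root, value, reject_leading_slash=True) is not None,
            safe_load(root, value) is not None,
        )
        for label, value in cases.items()
    }


if __name__ == "__main__":
    root = make_fixture()
    try:
        for label, (v1, v2, hardened) in demo(root).items():
            print(f"{label:22} denylist:{v1!s:5} +no-slash:{v2!s:5} allowlist:{hardened}")
    finally:
        cleanup(root)
```

The point of the contrast is that each denylist revision closes the input the last report named and nothing more, whereas the allowlist version never lets the user-controlled value become a path component at all and still verifies the resolved path, so the second defect class cannot reappear through a different spelling.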