awstats (7.8-2+deb11u1) bullseye; urgency=medium

  * QA upload.
  * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)

 -- Salvatore Bonaccorso Wed, 07 Dec 2022 21:47:25 +0100

awstats (7.8-2) unstable; urgency=high

  * QA upload.
  * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
    accepts a partial absolute pathname (omitting the initial /etc), even
    though it was intended to only read a file in the
    /etc/awstats/awstats.conf format. NOTE: this issue exists because of an
    incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
    Closes: #977190

 -- Håvard Flaget Aasen Tue, 02 Feb 2021 08:56:57 +0100

awstats (7.8-1) unstable; urgency=medium

  * QA upload.

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field
  * d/changelog: Remove trailing whitespaces
  * d/watch: Use https protocol

  [ Debian Janitor ]
  * Drop no longer supported add-log-mailing-address setting from
    debian/changelog.
  * Move source package lintian overrides to debian/source.
  * Bump debhelper from old 9 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Update renamed lintian tag names in lintian overrides.
  * Use canonical URL in Vcs-Git.
  * Remove obsolete fields Name from debian/upstream/metadata.

  [ Sylvain Beucler ]
  * Fix /etc/logrotate.d/httpd-prerotate script installation
    (Closes: #890414)
  * New 7.8 upstream release. (Closes: #775481)
  * Refresh patches.

 -- Sylvain Beucler Wed, 09 Dec 2020 15:57:39 +0100

awstats (7.6+dfsg-2) unstable; urgency=medium

  * QA upload.
  * Set maintainer to the QA team.
  * Import fixes from Ubuntu.
    + CVE-2017-1000501, closes: #885835
    + but the fix for #858461 is incomplete
  * Drop ancient versioned Recommends on an essential package.

 -- Adam Borowski Fri, 02 Feb 2018 02:21:35 +0100

awstats (7.6+dfsg-1ubuntu2) bionic; urgency=medium

  [ Christian Ehrhardt ]
  * debian/README.Debian, debian/prerotate.sh: fix logrotate integration
    due to change of www-data to /usr/sbin/nologin (a step towards #858461,
    LP: #1708665)

 -- Andreas Hasenack Fri, 15 Dec 2017 18:55:12 -0200

awstats (7.6+dfsg-1ubuntu1) bionic; urgency=medium

  * SECURITY UPDATE: code execution via path traversal flaws
    - debian/patches/CVE-2017-1000501-1.patch: sanitize values in
      wwwroot/cgi-bin/awstats.pl.
    - debian/patches/CVE-2017-1000501-2.patch: sanitize more values in
      wwwroot/cgi-bin/awstats.pl.
    - CVE-2017-1000501

 -- Marc Deslauriers Fri, 05 Jan 2018 07:35:35 -0500

awstats (7.6+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 7.6+dfsg
  * Refresh patches
  * Bump up Standards-Version (to 3.9.8)
  * Fix spelling in README.Debian

 -- Sergey B Kirpichev Mon, 12 Dec 2016 13:51:39 +0300

awstats (7.5+dfsg-1) unstable; urgency=medium

  * Fix FTBFS (when built twice in a row): remove awgraphapplet-*.jar in
    the clean target
  * Fix encoding in German translation (Closes: #789361, thanks to
    Thorsten Glaser)
  * Imported Upstream version 7.5+dfsg
  * Refresh patches

 -- Sergey B Kirpichev Mon, 09 May 2016 16:20:22 +0300

awstats (7.4+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 7.4+dfsg
  * Remove patches, applied by upstream
  * Refresh patches
  * Adopt debian/awstats.docs for new README name
  * Update installation instructions (Closes: #756501)
  * Use the upstream version in the path name for awgraphapplet.jar

 -- Sergey B Kirpichev Mon, 27 Jul 2015 13:56:07 +0300

awstats (7.3+dfsg-1) unstable; urgency=medium

  * Remove donation link in index.html (fix lintian E:
    privacy-breach-donation) in favor of debian/upstream/metadata
  * Install prerotate script (Closes: #714231)
  * Imported Upstream version 7.3+dfsg
  * Refresh patches
  * Add/cleanup Forwarded: patch headers
  * Fix permissions
  * Removed Facebook's Share/Like buttons (fix lintian
    E:privacy-breach-facebook)
  * Remove external image links for paypal donation (lintian E:
    privacy-breach-donation)
  * Removed twitter and google plus js (privacy breach)
  * Removed google search js (privacy breach)
  * removed pixel.gif
  * Set Forwarded: no for privacy patches
  * debian/upstream -> debian/upstream/metadata
  * Override lintian: debian-watch-may-check-gpg-signature and
    source-contains-prebuilt-java-object
  * Replace awstats_logo6.png by symlink
  * Bump up Standards-Version (to 3.9.6)

 -- Sergey B Kirpichev Mon, 27 Oct 2014 21:32:34 +0300

awstats (7.2+dfsg-1) unstable; urgency=low

  * Repackage upstream sources with uscan
  * Adopt README.source for new release
  * Imported Upstream version 7.2+dfsg
  * Refresh patches
  * Upgrade licences (upstream and debian/) to GPL v3+.
  * Fix lintian error: vcs-field-not-canonical

 -- Sergey B Kirpichev Sat, 16 Nov 2013 14:57:22 +0400

awstats (7.1.1~dfsg-2) unstable; urgency=low

  * Remove unsupported copyright_hints (autogenerated)
  * Use patch (not perl) to apply Debian-specific configuration changes
  * Add debian/awstats.examples
  * Drop obsoleted binary-post-install/awstats target
  * drop binary-fixup target
  * Add patch with build.xml
  * Drop obsoleted control.in
  * Transition to dh build system, drop CDBS dependence
  * Override dh_compress
  * Fix permissions on doc/awstats/examples/*.pl

 -- Sergey B Kirpichev Mon, 07 Oct 2013 20:43:11 +0400

awstats (7.1.1~dfsg-1) unstable; urgency=low

  * New upstream release (Closes: #703596)

 -- Sergey B Kirpichev Fri, 29 Mar 2013 01:06:00 +0400

awstats (7.1~dfsg-1) unstable; urgency=low

  * Ensure that backwards compatible Java bytecode is built
    (Closes: #687414)
  * Add option to easy switch off awstats crontabs. Install symlink for
    awstats binary to /usr/bin. Closes: #641481.
  * Drop deprecated DMUA flag
  * Link missing mime-icons to notavailable.png (Closes: #690379)
  * Fix lintian unused-license-paragraph-in-dep5-copyright (Add comment
    for Files: wwwroot/icon/mime/*)
  * Fix lintian copyright-refers-to-symlink-license (GPL -> GPL-1+)
  * Install manpage
  * Imported Upstream version 7.1~dfsg
  * Update patches for new release
  * Fix executable bit on awstats.pl
  * Bump up Standards-Version (to 3.9.4)
  * Change license for wwwroot/icon/mime/* icons (Closes: #698921)
  * Update watch file for 7.x
  * Add debian/icons/firefox.png to include-binaries
  * Update DEB_UPSTREAM_TARBALL* stuff in rules

 -- Sergey B Kirpichev Fri, 22 Feb 2013 19:33:53 +0400

awstats (7.0~dfsg-7) unstable; urgency=low

  * Document -configdir option in README.Debian (Closes: #280067)
  * Show config name on error in update.sh (Closes: #675174, thanks to
    laurent@bearteam.org)
  * Create an index.$lang.html file in buildstatic.sh (Closes: #673317,
    thanks to Antoine Beaupré)

 -- Sergey B Kirpichev Wed, 13 Jun 2012 21:44:08 +0400

awstats (7.0~dfsg-6) unstable; urgency=low

  * Document pipe's usage in LogFile directive (Closes: #435028)
  * Reformat debian/copyright according to accepted DEP5 spec
  * Bump up Standards-Version to 3.9.3 (no changes)

 -- Sergey B Kirpichev Mon, 05 Mar 2012 15:38:42 +0400

awstats (7.0~dfsg-5) unstable; urgency=low

  * Add MAILTO=root to awstats.cron.d (Closes: #652665, thanks to
    Dominique Brazziel)
  * Add todo for #302210
  * 1019_allow_frame_resize.patch: Allow resize of mainleft/right frames
    (Closes: #293218)

 -- Sergey B Kirpichev Wed, 28 Dec 2011 17:14:12 +0400

awstats (7.0~dfsg-4) unstable; urgency=low

  * Apply some compatibility fixes for perl 5.14: introduce
    1018_perl5-14.patch (Closes: #650492, #652070, thanks to Atsuhito
    Kohda)
  * Fixed Bug-Debian info for 016_downloads_list_page.patch

 -- Sergey B Kirpichev Wed, 14 Dec 2011 22:36:06 +0400

awstats (7.0~dfsg-3) unstable; urgency=low

  * Bump up Standards-Version (to 3.9.2)
  * Removed .gitignore
  * Replace
    /usr/share/doc/awstats/html/awstats_changelog.txt.gz by symlink to
    avoid lintian warning
  * Include patches/1016_downloads_list_page.patch to generate "Downloads
    Full list" page (Closes: #638857)
  * Refresh patches with --no-index --no-timestamps -pab --diffstat
  * Include patches/1017_fix_html_output_markup.patch to fix some output
    issues (Closes: #630943)
  * Update copyright for debian/* files
  * Minor tweaks of debian/README.Debian
  * Add some hints to restrict access to /cgi-bin/awstats.pl
    (Closes: #590953)

 -- Sergey B Kirpichev Sat, 29 Oct 2011 16:43:28 +0400

awstats (7.0~dfsg-2) unstable; urgency=low

  [ Sergey B Kirpichev ]
  * Process the /etc/awstats/awstats.conf file in
    update.sh/buildstatic.sh only if it exists (Closes: #613524)
  * Allow change $NBOFLASTUPDATELOOKUPTOSAVE via CGI/CLI arguments
    (Closes: #600225).

  [ Jonas Smedegaard ]
  * Remove myself as uploader. Thanks for all the fish.

  [ Sergey B Kirpichev ]
  * Drop Debian AWStats Team from Maintainer's

 -- Sergey B Kirpichev Wed, 06 Apr 2011 03:31:45 +0400

awstats (7.0~dfsg-1) unstable; urgency=low

  * New upstream release. Closes: bug#613447.

  [ Sergey B Kirpichev ]
  * Unfuzz patches.
  * Update patch 1008.
  * Drop obsolete patches.
  * Fix +x bit on *.js in docs/examples
  * Avoid asterisks in debian/NEWS entries, to please lintian.
  * Fix recode bulgarian tooltips file as utf-8. Closes: bug#610632.
  * Forward patches 0007 and 1015 upstream.
  * Allow DM (Debian Maintainer) uploads.

  [ Jonas Smedegaard ]
  * Update copyright file:
    + Rewrite using Subversion rev.173 of draft DEP5 format.
    + Add some previously missed authors and licenses.

 -- Jonas Smedegaard Sat, 12 Mar 2011 19:44:25 +0100

awstats (6.9.5~dfsg-5) unstable; urgency=high

  [ Sergey B Kirpichev ]
  * Bump up Standards-Version to 3.9.1.
  * Remove examples/staticpages.sh.
  * Take security fixes from upstream CVS:
    - CVE-2010-4369: patch 0009 (closes directory traversal vulnerability
      via crafted LoadPlugin directory).
    - CVE-2010-4367 (and CVE-2010-4368): update patch 1002 (sanitize
      configdir, disable overwriting of configdir parameter in cgi mode).
      Closes: bug#606263.

  [ Jonas Smedegaard ]
  * Unfuzz patches.
  * Ease building with git-buildpackage:
    + Add dpkg-source local-options.
    + Suppress .pc dir.

 -- Jonas Smedegaard Fri, 24 Dec 2010 00:05:07 +0100

awstats (6.9.5~dfsg-4) unstable; urgency=low

  [ Jonas Smedegaard ]
  * Fix bashism in buildstatic.sh. Closes: bug#582861.
  * Recommend versions of coreutils supporting mktemp --tmpdir.
    Closes: bug#582602, thanks to Vincent Danjean.

  [ Andreas Henriksson ]
  * Remove myself from uploaders.

  [ Sergey B Kirpichev ]
  * Install logresolvemerge.pl in tools. Closes: bug#275491.
  * Change order of configs parsing in update.sh and buildstatic.sh.
    Closes: bug#580699, thanks to Ken Neighbors.
  * Improve documentation. Logfile permissions, EnableLockForUpdate
    option, setup for multiple sites. Closes: bug#580702, thanks to Ken
    Neighbors.
  * Prevent nested includes from being prematurely closed.
    Closes: bug#575545, thanks to Ken Neighbors.
  * Rephrase steps needed for apache.conf installation.
    Closes: bug#590947.

 -- Jonas Smedegaard Fri, 06 Aug 2010 23:26:53 -0400

awstats (6.9.5~dfsg-3) unstable; urgency=low

  [ Sergey B Kirpichev ]
  * Show error messages from cron jobs. Closes: bug#580672, thanks to Ken
    Neighbors.
  * Add option to disable nightly generation of static html reports.
    Closes: bug#580692, thanks to Ken Neighbors.
  * Option to use "nice" to lower the priority of cron scripts.
    Closes: bug#580693, thanks to Ken Neighbors.
  * Set default language (en) for static reports generation
  * Cosmetic improvements to cron scripts. Closes: bug#580704.
  * Recognize method/protocol RTSP in uppercase. Closes: bug#350601,
    thanks to Lee Maguire.
  * Report permissions problem while reading awstats.custom.conf.
    Closes: bug#572353, thanks to Ken Neighbors.

  [ Jonas Smedegaard ]
  * Reverse test logic when sourcing /etc/default/awstats to not fail if
    missing.
  * Respect TMPDIR for temporary files (i.e. use mktemp --tmpdir).
  * Update patches:
    + Drop (unapplied) patch 0011: applied upstream at some point in the
      past.
    + Unfuzz (unapplied) patch 0006.
    + Refresh patches 0006, 1015 and 1016 with compacting quilt options
      --no-index --no-timestamps -pab.

 -- Jonas Smedegaard Wed, 19 May 2010 13:53:50 +0200

awstats (6.9.5~dfsg-2) unstable; urgency=low

  [ Sergey B Kirpichev ]
  * Fail on error in buildstatic.sh.
  * Clarify patch policy.
  * Set up executable bit on awstats_buildstaticpages.pl.
    Closes: bug#580523, thanks to Ken Neighbors and Laurent Bonnaud.

  [ Jonas Smedegaard ]
  * Tidy patch README a bit - stripping note related to a specific patch.
  * Refer to FSF website (not postal address) in licensing header of
    rules file.
  * Release to unstable.

 -- Jonas Smedegaard Thu, 06 May 2010 18:04:04 +0200

awstats (6.9.5~dfsg-1) experimental; urgency=low

  [ Sergey B Kirpichev ]
  * New upstream release.
  * Fix paths for all geoip plugins.
  * Rewrite patch 1004 to check full Perl version (not just minor
    version, and not just drop the check - see #440035), and to fix
    awstats_buildstaticpages.pl too. Closes: #519319, thanks to Andrew
    Ruthven.
  * Update patch 1007 (russian locale) to use abbreviated month and day
    of week names, and to fix dos->unix fileformat.
  * Drop patch 2001 (hiding charts in days of month statistics) as it
    breaks rounding of Averages. Closes: #522467, thanks to Jools Wills.
  * Add new patch 1012 to strip the trailing dot when making a reverse on
    ipv6 addresses. Closes: #397544, thanks to Laurent Bigonville.
  * Add new patch 1013 to fix wrong search engine logging from yahoo
    sites. Closes: #347426, thanks to Erik Jacobson.
  * Add new patch 1014 to add WebSec to robots list. Closes: #284149,
    thanks to Baruch Even.
  * Add new patch 2001 to fix awstats_buildstaticpages.pl path to
    awstats.pl.
  * Add/fix Description & Author fields for patches.
  * Submit 1xxx patches upstream
  * Renumber patches adopted upstream:
    + 1006 → 0006
    + 1007 → 0007 (upstream #2540486)
    + 1011 → 0011 (upstream #2794728)
  * Improve cron job:
    + Drop log file checks. Closes: #294586, #439889, thanks to Ralf
      Neubauer and others.
    + Move update to new script update.sh supporting multiple configs.
    + Add new script buildstatic.sh to generate daily static reports.
      Drop TODO item about generating only static reports.
  * Update README.Debian:
    + Add multisite notes. Closes: #415334, thanks to Eric Wadsworth.
    + Fix note on combined log format (Apache2 uses CLF per default).
    + Cleanup configure.pl notes
    + Use Apache 2.x in examples.
  * Create /var/cache/awstats in postinst, for static html reports.
  * Change DATADIR to /var/lib/awstats in sample script redostats.sh.
  * Install awstats_buildstaticpages.pl as tool (not sample script).
  * Add /etc/default/awstats file.
  * Handle /etc/awstats/awstats.conf in update.sh and buildstatic.sh
  * Suggest liburi-perl. Closes: #558131.

  [ Jonas Smedegaard ]
  * Add README.source. Drop README.cdbs-tweaks.
  * Mention git-orig-source build target in watch file.
  * Bump standards-version to 3.8.4.
  * Bump debhelper compatibility level to 6.
  * Reformat debian/copyright to conform to proposal DEP5 rev. 135.
  * Include actual licensing text of GPL-2+ in debian/copyright.
  * Build java applet using Ant and in compliance with Debian Java
    Policy.
  * Fix set x bit on tools and examples (and unset elsewhere).
  * Fix cron jobs to not run scripts if missing (i.e. when awstats
    package is removed but not purged).
  * Fix explicitly exclude awstats_buildstaticpages.pl from getting
    installed as sample script.
  * Drop all local CDBS snippets: included with main cdbs package now.
  * Switch to source format "3.0 (quilt)".
  * Drop patchsys-quilt.mk snippet: superfluous with source format "3.0
    (quilt)".
  * Drop invoking dh_perl explicitly (handled in cdbs since late 2003).
  * Drop no longer needed .cvsignore cleanup.
  * Fix fail on error uudecoding Firefox icon.

  [ Andreas Henriksson ]
  * Replace apache with apache2 as default config choice.
    Closes: #257832.
  * Fix insecure tempfile creation in example script redostats.sh.
  * Install awgraphapplet.jar (built from source, avoiding upstream
    shipped binary), thanks to Andreas Westwik.
  * Remove Charles Fry from uploaders on his request. Closes: #569474.

 -- Jonas Smedegaard Thu, 01 Apr 2010 14:27:16 +0200

awstats (6.9~dfsg-1) unstable; urgency=low

  [ Sergey B Kirpichev ]
  * New upstream release (Closes: #494676).
  * Add myself to Uploaders field.
  * Drop patches 0001 and 1005 (applied upstream).
  * Unfuzz patches 1002-1004.
  * Add new patch 1007 updating Russian translation. Thanks to Sergey
    Kirpichev at upstream tracker #2540486.
  * Add new patch 1008 enhancing the ExtraSection headings to include the
    words (Top XXX) for consistency with all other section headings.
  * Add new patch 1009 fixing URL to Hurd (Closes: #408086).
  * Add new patch 1010 fixing dirdata permissions (Closes: #299148).
  * Add new patch 1011 fixing Geo::IPfree warnings (Closes: #512373).
  * Add new patch 2001 hiding charts in days of month statistics.
  * Use debian defaults for geoip data files.

  [ Jonas Smedegaard ]
  * Repackage upstream tarball.
  * Packaging moved to Git (from Subversion). Update debian/control and
    git-buildpackage configfile, enabling pristine-tar support.
  * Use new local CDBS snippet package-relations.mk to resolve, cleanup
    and apply CDBS-declared (build-)dependencies.
  * Add DEB_MAINTAINER_MODE in debian/rules (thanks to Romain Beauxis).
  * Update local CDBS snippets:
    + upstream-tarball.mk: internal restructuring
    + buildinfo.mk: fix copyright years
    + copyright-check.mk: major rewrite, now generating hint file more
      readily usable as template for new proposed copyright format
    + Update README.cdbs-tweaks to also cover newly added
      package-relations.mk.
  * Rewrite debian/copyright using new proposed syntax (v440). Update
    copyright-hints.
  * Unfuzz patch 1006.
  * Depend on misc:depends (thanks to lintian) and cdbs:depends
    (currently unused), and drop superfluous dependencies (fulfilled by
    perl even in oldstable).

 -- Jonas Smedegaard Tue, 03 Mar 2009 18:19:24 +0100

awstats (6.7.dfsg-5.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Strip '"' characters during URL decoding, fixing a cross-site
    scripting attack (CVE-2008-3714; CVE-2008-5080; Closes: #495432).

 -- Nico Golde Wed, 10 Dec 2008 13:05:43 +0100

awstats (6.7.dfsg-5) unstable; urgency=low

  * Add debian/patches/0001_awstats69beta_xss.patch, upstream security
    fix from 6.9 beta to fix XSS. (Closes: #495432, upstream bug 2001151)

 -- Andreas Henriksson Sun, 17 Aug 2008 13:54:04 +0200

awstats (6.7.dfsg-4) unstable; urgency=low

  * Update local cdbs snippets:
    + Relax copyright-check to only warn about its discoveries.
    + Update dependency cleanup to strip cdbs 0.4.27 (not 0.4.27-1).

 -- Jonas Smedegaard Sun, 22 Jun 2008 21:30:28 +0200

awstats (6.7.dfsg-3) unstable; urgency=low

  * Update debian/copyright_hints (Closes: #487067)
  * Add dversionmangle to debian/watch to remove .dfsg from version
    string, as suggested by lintian.
  * Update to debian policy 3.8.0, no changes.

 -- Andreas Henriksson Sun, 22 Jun 2008 20:35:14 +0200

awstats (6.7.dfsg-2) unstable; urgency=low

  [ Andreas Henriksson ]
  * Add debian/patches/1005_at-amp-t.patch (Closes: #478968)
  * Add myself to Uploaders.
  * Fix lintian warnings:
    + doc-base: Apps/Net -> Network/Monitoring
  * Bump to debian-policy 3.7.3

  [ Charles Fry ]
  * Disable warnings for Perl < 5.6 (Closes: #432096, #440035)

  [ Jonas Smedegaard ]
  * Move Homepage to own field (from pseudo-field in long description).
  * Use Vcs-* fields (and not XS-Vcs-* ones).
  * Update cdbs tweaks:
    + update-tarball needs cdbs 0.4.39 or newer (only relevant for
      backports).
    + Support zip in upstream-tarball.mk (unneeded here).
    + Use ~ as repackaging delimiter by default in upstream-tarball.mk to
      make room for point releases and cleaned up rerelease.
    + Rename top srcdir in repackaged tarball to $pkg-$ver.orig to comply
      with Developers Reference 6.7.8.2.
    + Support mangling upstream version string in upstream-tarball.mk.
    + Major rewrite of copyright-check.mk. Update copyright_hints.
    + Drop wget options broken with recent versions of wget in
      update-tarball.mk.
    + Drop buildcore.mk override (set DEB_AUTO_UPDATE_DEBIAN_CONTROL
      manually when needed instead)
    + Misc. updates to README.cdbs-tweaks.
  * Rewrite config tweak in debian/rules in perl (instead of sed).
  * Fix dollar signs in perl-in-shell-in-make code in debian/rules.
  * Update build-dependency cosmetics in debian/rules, and
    semi-auto-update debian/control:
    DEB_AUTO_UPDATE_DEBIAN_CONTROL=yes fakeroot debian/rules

 -- Andreas Henriksson Tue, 03 Jun 2008 22:20:45 +0200

awstats (6.7.dfsg-1.1) unstable; urgency=low

  * Non-maintainer upload during credativ BSP 2008
  * Fix release goal: FTBFS if built twice in a row (Closes: #442500)

 -- Martin Zobel-Helas Sun, 06 Apr 2008 02:50:36 +0200

awstats (6.7.dfsg-1) unstable; urgency=low

  * New upstream release. Closes: bug#436572, thanks to Daniel Baumann.
  * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control.
  * Fix standards-version in debian/control.in.
  * Update CDBS tweaks:
    + Replace auto-update.mk with overloading buildcore.mk.
    + Check copyright strings in pre-build target (not clean target) to
      fix race condition.
    + Add upstream-tarball.mk to implement get-orig-source target.
    + Fix applying buildinfo only once.
    + Add debian/README.cdbs-tweaks and advertise it in debian/rules.
  * Declare (and merge duplicate) build-dependencies in debian/rules.
    Declare all as Build-Depends (not Build-depends-Indep).
  * Semi-auto-update debian/control:
    DEB_BUILD_OPTIONS=cdbs-autoupdate fakeroot debian/rules pre-build
  * Update debian/copyright:
    + Include both copyright and licensing info verbatim.
    + Update to include the year 2007.
    + Refer explicitly to GPLv2.

 -- Jonas Smedegaard Mon, 27 Aug 2007 17:52:52 +0200

awstats (6.6+dfsg-1) unstable; urgency=low

  * New upstream release (Closes: #350987, #335865)

 -- Charles Fry Sat, 10 Feb 2007 11:11:02 -0500

awstats (6.5+dfsg-1) unstable; urgency=low

  [ Jonas Smedegaard ]
  * Add to 6.5-2 changelog entry that it fixed CVE-2006-1945 too.

  [ Charles Fry ]
  * Move cdbs and debhelper into Build-Depends
  * Don't distribute Firefox icon (Closes: #388571)

 -- Charles Fry Sat, 4 Nov 2006 15:47:46 -0500

awstats (6.5-2) unstable; urgency=high

  [ Charles Fry ]
  * Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
    enable configdir. Closes: #365910 (thanks to Hendrik Weimer)
  * Integrated security patches from upstream:
    + Decode QueryString. Closes: #364443 (thanks to Micah Anderson)
    + Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik
      Weimer)
  * Indent Homepage in long description, per debian reference guideline

  [ Jonas Smedegaard ]
  * Update local cdbs snippet copyright-check.mk:
    + Broaden scan to also look for "(c)" by default.
    + Make egrep options configurable.
  * Semi-auto-update debian/control:
    + Bump up versioned build-dependency on debhelper.
  * Semi-auto-update debian/copyright_hints (nothing remarkable).
  * Set urgency=high as this upload fixes security-related bugs
    (bug#365909: CVE-2006-2237, bug#364443: CVE-2006-1945).
  * Fix including a couple of example shell scripts ignored by mistake.

 -- Jonas Smedegaard Tue, 9 May 2006 23:10:43 +0200

awstats (6.5-1) unstable; urgency=low

  [ Jonas Smedegaard ]
  * New upstream release.
    + Recognizes GNUTLS from lynx User-Agent header. Closes: #306130
      (thanks to Dmitry Baryshkov).
    + Geoip shows countries for resolved hostnames. Closes: #317310
      (thanks to Administrator).
  * Simplify watch file to better work with parser used at qa.d.o.
  * Improve cdbs rules:
    + Use quilt (rather than cdbs-internal patch system).
    + Add and enable new local snippets copyright-check and auto-update.
    + Update local snippet buildinfo (fixing its namespace).
  * Auto-update debian/control:
    + Tightened build-dependency on cdbs.
    + Added build-dependencies on patchutils and quilt.
  * Package is now team-maintained:
    + New maintainer: Debian AWStats Team.
    + Add myself as uploader.

  [ Charles Fry ]
  * Use qa.debian.org SF redirector in watch file.
  * Use Homepage instead of Website in debian/control, per DDR 6.2.4.
  * Removed patches integrated upstream

 -- Jonas Smedegaard Sun, 15 Jan 2006 22:35:07 +0100

awstats (6.4-2) unstable; urgency=low

  [ Charles Fry ]
  * New co-maintainer.
  * Suggest libgeo-ipfree-perl. Closes: #316126 (thanks to Gunnar Wolf).
  * Fixed README.Debian path to configure.pl. Closes: #313093 (thanks to
    Michael De Nil).

  [ Jonas Smedegaard ]
  * Acknowledge NMU. Closes: bug#322591.
  * Bump up watch version, and adjust the default command (we have moved
    to SubVerSion).
  * Add proto to URL in long description.
  * Use newer chown syntax in postinst (thanks to lintian).

 -- Jonas Smedegaard Mon, 19 Sep 2005 22:41:16 +0200

awstats (6.4-1.1) unstable; urgency=high

  * Non-maintainer upload
  * SECURITY UPDATE: Fix arbitrary command injection. (Closes: #322591)
    Thanks to Martin Pitt for reporting the issue and providing the
    patch.
  * Add debian/patches/03_remove_eval.patch:
    - Replace all eval() calls for dynamically constructed function names
      with soft references. This fixes arbitrary command injection with
      specially crafted referer URLs which contain Perl code.
    - Patch taken from upstream CVS, and contained in 6.5 release.
  * References:
    CAN-2005-1527
    http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

 -- Frank Lichtenheld Sun, 4 Sep 2005 19:17:31 +0200

awstats (6.4-1) unstable; urgency=low

  * New upstream release.
  * Redirect errors of offline scripts to STDERR. Closes: bug#296435
    (thanks to Charles Fry).
  * Fix typo in README.Debian (thanks to Emmanuel Lacour).

 -- Jonas Smedegaard Sat, 26 Mar 2005 06:51:21 +0100

awstats (6.3-1) unstable; urgency=high

  * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
    A. de Oliveira).
    + Includes upstream fix for security bug fixed in 6.2-1.1.
    + Includes upstream fix for most of security bug fixed in 6.2-1.1.
  * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
    Schulze, Martin Pitt, Ubuntu, Joey Hess, Frank Lichtenheld and Steve
    Langasek).
  * Include patch for last parts of security bug fixed in 6.2-1.1:
    01_sanitize_more.patch.
  * Patch (02) to include snapshot of recent development:
    + Fix security hole that allowed a user to read log file content even
      when plugin rawlog was not enabled.
    + Fix a possible use of AWStats for a DoS attack.
    + configdir option was broken on windows servers.
    + DebugMessages is by default set to 0 for security reasons.
    + Minor fixes.
  * References:
    CAN-2005-0435 - read server logs via loadplugin and pluginmode
    CAN-2005-0436 - code injection via PluginMode
    CAN-2005-0437 - directory traversal via loadplugin
    CAN-2005-0438 - information leak via debug

 -- Jonas Smedegaard Sat, 5 Feb 2005 17:13:48 +0100

awstats (6.2-1.2) unstable; urgency=HIGH

  * NMU with the following patch from Ubuntu. Closes: #294488
  * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
  * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
    "config", "pluginmode", "loadplugin", and "noloadplugin" parameters
    (which are defined by the remote user) to prevent execution of
    arbitrary shell commands through shell metacharacters.
  * References:
    CAN-2005-0362 for *plugin* variables
    CAN-2005-0363 for the config variable

 -- Joey Hess Sun, 13 Feb 2005 14:02:07 -0500

awstats (6.2-1.1) unstable; urgency=HIGH

  * NMU with the following patch from Ubuntu.
    Closes: #291064
  * SECURITY UPDATE: fix arbitrary command execution
  * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters
    from the "configdir" parameter and the SiteConfig variable to prevent
    execution of arbitrary shell commands when open()'ing them.
  * References:
    CAN-2005-0116
    http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

 -- Joey Hess Thu, 20 Jan 2005 16:29:35 -0500

awstats (6.2-1) unstable; urgency=low

  * New upstream release. Closes: bug#282665.
  * Strip leading article from short description to please lintian.

 -- Jonas Smedegaard Mon, 3 Jan 2005 18:33:47 +0100

awstats (6.1-4) unstable; urgency=high

  * Add upstream website URL to long description.
  * Fix watch file.
  * Use generic (but unofficial) buildinfo cdbs snippet.
  * Recommend libnet-xwhois-perl. Closes: bug#261190 (thanks to Thilo
    Pfennig).
  * No longer avoid GIFs - the evil patent has expired. This closes:
    bug#260345 (thanks to Charles Lepple).
  * Set urgency=high to hopefully get this into sarge in time (the
    changes are small but valuable).

 -- Jonas Smedegaard Thu, 4 Nov 2004 00:56:58 +0100

awstats (6.1-3) unstable; urgency=low

  * Correct minor typos in README.Debian.
  * Add new section to README.Debian: "Quick'n'dirty setup".
  * Add example apache config snippet.

 -- Jonas Smedegaard Fri, 8 Oct 2004 12:34:15 +0200

awstats (6.1-2) unstable; urgency=low

  * Correct a build target so configuration file is properly included
    (arrgh!). This also closes: Bug#258883 (thanks to Raphael Hertzog).

 -- Jonas Smedegaard Wed, 21 Jul 2004 22:58:03 +0200

awstats (6.1-1) unstable; urgency=low

  * New upstream release. Closes: Bug#251620, #257248 (except not
    fulfilling the wish of updating to 6.2 not yet stable upstream).
    + Misspelling ("trafic") corrected. Closes: Bug#240975 (thanks to
      Cristopher Price).
  * Add new XSLT files as example files.
  * Make sure among example files that only scripts and directories are
    executable.

 -- Jonas Smedegaard Fri, 2 Jul 2004 17:55:22 +0200

awstats (6.0-4) unstable; urgency=low

  * Really fix bug#247265. Really closes: Bug#247265 (thanks to Edward J.
    Shornock).

 -- Jonas Smedegaard Wed, 5 May 2004 05:12:07 +0200

awstats (6.0-3) unstable; urgency=low

  * Avoid perl warning when declaring a set of empty variables.
    Closes: Bug#247265 (thanks to J.H.M. Dassen (Ray)).
  * Explicitly favor perl 5.8 to libstorable-perl and libtime-hires-perl
    (not really a bug - the perl package satisfies this implicitly, but
    since the bugreporter took the time to file a bugreport about it,
    I'll manage to set it up explicitly). Closes: Bug#247267.
  * Added note about Debian location of configure.pl to README.Debian to
    deal with main script hardcoding its location. Closes: Bug#243047
    (again, thanks to J.H.M. Dassen).
  * Move cache files to /var/lib/awstats and use that location from now
    on by default (as claimed in 5.6-2 - I wonder what went wrong then).
    Add note to NEWS about the change, and update README.Debian.
    Closes: Bug#232349 (thanks to Erik Jacobson).
  * Standards-version 3.6.1.

 -- Jonas Smedegaard Tue, 4 May 2004 15:51:26 +0200

awstats (6.0-2) unstable; urgency=medium

  * Rename NEWS.Debian to NEWS, so that it gets installed. Thanks to
    Brock Rozen for spotting it.
  * Setting urgency=medium, as this is only a packaging correction, and
    is good to get into testing soon.

 -- Jonas Smedegaard Sat, 3 Apr 2004 00:21:38 +0200

awstats (6.0-1) unstable; urgency=low

  * New upstream release. Closes: Bug#211005 (at least the main part of
    it)
  * Acceptance of friendly takeover (mentioned in Bug#211005) withdrawn.
  * Suggest in README.Debian the upstream script awstats_updateall.pl as
    alternative to awstats-update (mentioned in Bug#211005 - please file
    a separate wishlist bug if interested in discussing this further).
  * Add NEWS.Debian
    + Move relevant stuff from README.Debian
    + Add new stuff about upgrade to 6.x.
  * Suggest libnet-dns-perl and libnet-ip-perl.
    Closes: Bug#220393 (thanks to Craig small).
  * Drop patch to tighten paths possible to pass to main script: Current
    code is not as open to XSS flaws as earlier, and it makes the Debian
    package harder to maintain (leading to other more important bugfixes
    taking longer to reach Debian).
  * Remove Debian-specific notes in debian/changelog provided in
    debian/changelog as well.

 -- Jonas Smedegaard Sun, 28 Mar 2004 14:04:53 +0200

awstats (5.6-2) unstable; urgency=low

  * Use target common-configure-indep instead of common-configure for
    inclusion of awstats.conf. Closes: Bug#210351 (thanks to Georges
    Kesseler, Paul Slootman and Javier Fernández-Sanguino Peña for
    solving this, and to Nathanael Nerode for waking me up).
  * Update 02_use_static_dirs.diff to not use "." as DirData default.
    Closes (the other part of) Bug#222694 (together with the above).
  * Use /var/lib/awstats instead of /var/cache/awstats (thanks to Paul
    Slootman for his notice in Bug#222694).

 -- Jonas Smedegaard Thu, 18 Dec 2003 16:23:15 +0100

awstats (5.6-1) unstable; urgency=low

  * New upstream release (closes: Bug#202006).
    + Upstream deals with compliant robots hitting stats page now
      (closes: Bug#195840 - the rest of the suggestion is questionable
      and can be implemented locally by standard editing config file).
  * Problem with mod_gzip possibly solved in version 5.4
    (closes: Bug#165390 - please reopen if problem persist).
  * Remove patch 01_use_TableBG (upstream has improved/rearranged visual
    design).
  * Include sample JavaScript and CSS code as examples.
  * Include all tools as examples, not only explicit ones (adds
    awstats_exportlib.pl and new maillogconvert.pl).
  * Update watch file (use explicit server instead of sourceforge
    redirect crap, and add uupdate).
  * Standards-version 3.6.0.
  * Cleanup debian/rules a bit, thanks to newer cdbs (no need to tighten
    build-dependency as cdbs has not yet ever been part of an official
    Debian release).
  * Update 02_use_static_dirs.diff to match new upstream release.
  * Improve long description a bit (mention that more than 30 languages are supported).
  * Fix speling error and generally improve virtually empty awstats.conf.local (sorry folks - this won't happen often).
  * Use cdbs to add examples (instead of separate debhelper file), and make sure all example scripts are executable and not compressed.

 -- Jonas Smedegaard Fri, 1 Aug 2003 14:08:40 +0200

awstats (5.5-2) unstable; urgency=low

  * Build-depend on cdbs, and tighten build-dependency on debhelper (although I suspect this is actually not really needed for perl packages).

 -- Jonas Smedegaard Fri, 30 May 2003 12:02:19 +0200

awstats (5.5-1) unstable; urgency=low

  * New upstream release
  * Switch from cbs to cdbs.
  * Correct debian/watch.
  * Standards-Version 3.5.10 (no changes needed).
  * Avoid the example plugin without the use of 'rm -rf', and include it instead as, well, an example.

 -- Jonas Smedegaard Fri, 30 May 2003 11:23:40 +0200

awstats (5.4-1) unstable; urgency=low

  * New upstream release (closes: bug#170285, bug#175328).
  * Update patches.
  * Update debian/rules to latest version of CBS.
  * provide separate conffile for local tweaks (closes: Bug#179741, thanks to Francesco Potorti).

 -- Jonas Smedegaard Sun, 16 Mar 2003 06:01:58 +0100

awstats (5.1-6) unstable; urgency=low

  * Fix wrongly placed quotes in /etc/awstats./awstats.conf (thanks to Wolfgang Karall). Closes bug#177857.

 -- Jonas Smedegaard Wed, 22 Jan 2003 13:31:10 +0100

awstats (5.1-5) unstable; urgency=low

  * Switch to using CBS (Colin's Build System).
  * Correct (and improve a bit) sed rules adjusting configfile. This closes: Bug#171698, thanks to Robert Millan (and to Amaya Rodrigo Sastre for clarifying).
  * Separate html documentation and register with doc-base.
  * Avoid all GIFs (PNGs are provided for them all).
  * Don't strip .ico file.
  * Quote the wording of the upstream license statement (instead of just telling that it is GPL) in debian/copyright, and properly refer to Debian location of the GPL.
  * Declare compliance with Policy version 3.5.8.0.

 -- Jonas Smedegaard Sun, 15 Dec 2002 21:31:14 +0100

awstats (5.1-4) unstable; urgency=low

  * Really take care of LogFile default.

 -- Jonas Smedegaard Fri, 15 Nov 2002 00:37:43 +0100

awstats (5.1-3) unstable; urgency=low

  * Change default DirData from . to /var/cache/awstats and make sure LogFile always defaults to /var/log/apache/access.log (currently the case, but not in 5.0 - who knows if it changes upstream again). Thanks to Atsuhito Kohda, this closes: Bug#165979.

 -- Jonas Smedegaard Thu, 14 Nov 2002 23:47:14 +0100

awstats (5.1-2) unstable; urgency=medium

  * Add debian/watch file.
  * Set urgency=medium (this really shouldn't harm anyone, and I don't want it to delay entering testing).

 -- Jonas Smedegaard Mon, 4 Nov 2002 19:54:06 +0100

awstats (5.1-1) unstable; urgency=low

  * New upstream release.

 -- Jonas Smedegaard Tue, 29 Oct 2002 01:52:02 +0100

awstats (5.0-1) unstable; urgency=low

  * New upstream release.
  * debian/README.Debian: Add note from changelog about upgrading older logfiles for speed.
  * Add a TODO.

 -- Jonas Smedegaard Sun, 6 Oct 2002 18:03:46 +0200

awstats (4.99.20020922-1) unstable; urgency=low

  * New upstream (pre)release.
  * Include and add dependencies for plugins, except the non-functional graph3d plugin.
  * Enable hashfiles plugin per default.

 -- Jonas Smedegaard Sun, 22 Sep 2002 14:53:07 +0200

awstats (4.1-1) unstable; urgency=low

  * New upstream release.
  * This is the newest stable release (5.0 is work-in-progress). Closes: #156589.

 -- Jonas Smedegaard Wed, 14 Aug 2002 01:29:49 +0200

awstats (4.0-3) unstable; urgency=low

  * Add example script provided by Francesco Potorti` (Closes: #153559).
  * I am giving *hints* of ways to integrate AWStats with a running webserver. There are too many ways to put it together - and I will not write a manual about it, sorry (but thanks for the suggestions!). Closes: #153561.
  * Remove TODO. Apache2 goes in interesting other ways...
 -- Jonas Smedegaard Tue, 23 Jul 2002 16:57:40 +0200

awstats (4.0-2) unstable; urgency=low

  * Add staticpages.sh, suggested by Cyrille Chepelov, as example script.

 -- Jonas Smedegaard Thu, 4 Jul 2002 00:08:33 +0200

awstats (4.0-1) unstable; urgency=low

  * Newer upstream version (closes: #133451, #150246).
  * Include the new common2combined.pl and awstats_buildstaticpages.pl scripts as tools.

 -- Jonas Smedegaard Wed, 3 Jul 2002 20:54:45 +0200

awstats (3.2-12) unstable; urgency=low

  * Do a s/OSArrayID/OSSearchIDOrder/g in awstats.pl to make it work with the new operating_systems.pl db (thanks to "Omniflux"). This closes: #140115.

 -- Jonas Smedegaard Wed, 27 Mar 2002 14:14:13 +0100

awstats (3.2-11) unstable; urgency=low

  * Remove /var/cache/awstats on purge. Closes: #139292 (or half of it: The package should not purge configfiles not created by the package. Please reopen the bug if you disagree).
  * Backport translations (lots of updates and new languages Latvian and Brazilian Portuguese), operating systems (cosmetic change to Amiga) and search engines (Czech engines and correction to alltheweb.com).

 -- Jonas Smedegaard Tue, 26 Mar 2002 00:35:23 +0100

awstats (3.2-10) unstable; urgency=low

  * Talk about logrotate and not cron.conf in README.Debian (Apache cleaned that up in 1.3.22-6). Thanks to Unit3 for spotting it.

 -- Jonas Smedegaard Thu, 7 Feb 2002 23:09:40 +0100

awstats (3.2-9) unstable; urgency=low

  * The "Enough is enough..." release.
  * Ignore silently if /var/log/apache/access.log is not readable by www-data.
  * Use only awstats.conf in default cron job (as other configurations typically use separate logfiles and thus cannot be checked as simple as the above).
  * The above is a response to bugreport by Graeme, and closes: #132781.
  * Move awstats-update to examples now that it is no longer used (but - after much struggle - works as intended).
  * Move icon folder from /var/www to /usr/share as suggested by Emmanuel CHANTREAU. This closes: #131957.
  * Rewrite README.Debian to reflect the current situation.
  * Add a TODO...
  * Backport searchengines from 4.0 (add atlas.cz).
  * Backport languages from 4.0 (updates to br, fr, it and pt).

 -- Jonas Smedegaard Thu, 7 Feb 2002 21:40:04 +0100

awstats (3.2-8) unstable; urgency=low

  * Fix typo in awstats-update (Closes: 132656).

 -- Jonas Smedegaard Thu, 7 Feb 2002 16:58:14 +0100

awstats (3.2-7) unstable; urgency=low

  * Fix awstats-update again, thanks to Emil Soleyman-Zomalan.

 -- Jonas Smedegaard Tue, 5 Feb 2002 19:03:25 +0100

awstats (3.2-6) unstable; urgency=low

  * Rewrite awstats-update again (and make a note on the weird behavior in README.Debian. Closes: 131321).

 -- Jonas Smedegaard Fri, 1 Feb 2002 01:42:38 +0100

awstats (3.2-5) unstable; urgency=low

  * Revert awstats.pl path in awstats-update as well (thanks for a quick bugreport from Jens fix-your-bloody-address Bech. Closes: #131394).
  * I cannot reproduce the problem with recent awstats-update and believe it to be fixed, so closes: #131394.

 -- Jonas Smedegaard Wed, 30 Jan 2002 03:24:23 +0100

awstats (3.2-4) unstable; urgency=low

  * Rewrite awstats.conf to avoid (ba)sh-voodoo that might upset non-bash shells (Closes: #130713).
  * Hack awstats.pl to only use our default folders or those in config file.
  * Move db/* from cgi-bin to /usr/share/awstats.
  * Move logresolvemerge.pl out of cgi-bin to /usr/share/doc/awstats/examples (but keep it uncompressed).
  * Revert to using upstream script location /cgi-bin (no need for a separate folder now that non-executables are moved off of cgi-bin).
  * Switch to using upstream default for 'ShowFlagLinks'.
  * Comment out '/YourRelativeUrl' and 'myworkstation' in awstats.pl.

 -- Jonas Smedegaard Sun, 27 Jan 2002 22:08:05 +0100

awstats (3.2-3) unstable; urgency=low

  * New maintainer (thanks, Eric :-). Updating maintainer field and maintainer hint in debian/copyright.
  * Hack awstats.pl to use for tables instead of (Closes: #130449).
  * Acknowledge my own NMUs (Closes: #126250, 120517).
  * Recognize Galeon: Add it to browsers.pl and hack awstats.pl to separate it from Netscape (Closes: 130431).

 -- Jonas Smedegaard Thu, 24 Jan 2002 20:37:26 +0100

awstats (3.2-2.2) unstable; urgency=low

  * Another NMU (last one wasn't approved by maintainer - crossing my fingers about this one).
  * Correctly suggests httpd.
  * We have been at version 3.2 for a couple of builds now (maintainer asked me to close these, so closes: #126250, #120517).
  * Install only relevant documentation (avoid Windows-specific xml, virtually empty htm and lintian-triggering LICENSE).
  * README.Debian: Add note about default ownership of logfiles and access from CGI.
  * README.Debian: Clarify that the note about enabling logging of browsers and referers is apache-specific (AWStats runs with other httpd servers as well).
  * Install perl helper scripts non-executable (thanks, lintian).

 -- Jonas Smedegaard Thu, 17 Jan 2002 22:00:06 +0100

awstats (3.2-2.1) unstable; urgency=low

  * NMU permitted by maintainer (or at least it will be if this package happens to show up in sid).
  * Build default awstats.conf sed'ing upstream awstats.model.conf (to make sure added options in a new upstream version are included and deprecated ones silently ignored).
  * Add awstats.model.conf as an example file as well.
  * Change DirCgi option from "/usr/lib/cgi-bin/awstats/awstats.pl" to "/cgi-bin/awstats" (makes more sense according to documented behaviour).
  * Correctly install upstream changelog.
  * Remove practically empty preinst, prerm and postrm debhelper files.
  * Suggests: apache | httpd.

 -- Jonas Smedegaard Fri, 11 Jan 2002 01:56:27 +0100

awstats (3.2-2) unstable; urgency=low

  * I forgot to include cgi-bin/db, sorry (closes: #128113).

 -- Eric Van Buggenhaut Mon, 7 Jan 2002 20:22:10 +0100

awstats (3.2-1) unstable; urgency=low

  * New upstream release

 -- Eric Van Buggenhaut Sat, 5 Jan 2002 17:36:22 +0100

awstats (3.1build23-6) unstable; urgency=low

  * Included default config in awstats-update (closes: #122518).
 -- Eric Van Buggenhaut Thu, 6 Dec 2001 23:12:51 +0100

awstats (3.1build23-5) unstable; urgency=high

  * Corrected awstats-update (closes: #117762).

 -- Eric Van Buggenhaut Mon, 26 Nov 2001 23:22:31 +0100

awstats (3.1build23-4) unstable; urgency=low

  * Corrected typo in cronscript (closes: #118412).
  * Changed Architecture: to all

 -- Eric Van Buggenhaut Tue, 13 Nov 2001 13:43:00 +0100

awstats (3.1build23-3) unstable; urgency=low

  * Corrected bad translations in Italian and Spanish files (closes: #113046)
  * Use 'install' instead of 'cp' in debian/rules (closes: #115266). Patch
  * provided by Jonas Smedegaard.
  * Check for existence of /usr/sbin/awstats-update in cron script (closes: #117057). Patch
  * provided by Jonas Smedegaard.

 -- Eric Van Buggenhaut Tue, 30 Oct 2001 00:08:49 +0100

awstats (3.1build23-2) unstable; urgency=low

  * I (risko gergely) changed the maintainer field to Eric Van Buggenhaut, because he will be the sponsor of a new maintainer, who argued about the maintainership of this package, and we decided, that he will take it over. There are bugs, and it gets counted on bugs.debian.org/risko@debian.org, which is very very bad for me, because it's not my bug, simply the new maintainer can't upload a new version in 2-3 months. Sorry for any bandwidth wasting and inconvenience. Gergely

 -- RISKO Gergely Thu, 11 Oct 2001 21:34:32 +0200

awstats (3.1build23-1) unstable; urgency=low

  * new upstream version

 -- RISKO Gergely Fri, 24 Aug 2001 09:12:11 +0200

awstats (3.1build20-1) unstable; urgency=low

  * Initial Release. (closes: Bug#90955, Bug#90956)

 -- RISKO Gergely Tue, 21 Aug 2001 13:17:46 +0200