I uploaded mostly Martin's patch with only some changelog adjustments: (Sorry to Sven for ignoring his patch, but it was easier to edit Martin's changelog entry to match what I wanted to have than his)
diff -u awstats-6.4/debian/changelog awstats-6.4/debian/changelog --- awstats-6.4/debian/changelog +++ awstats-6.4/debian/changelog 2005-09-04 19:17:32.971756616 +0200 @@ -1,6 +1,9 @@ -awstats (6.4-1ubuntu1) breezy; urgency=low +awstats (6.4-1.1) unstable; urgency=high - * SECURITY UPDATE: Fix arbitrary command injection. + * Non-maintainer upload + * SECURITY UPDATE: Fix arbitrary command injection. (Closes: #322591) + Thanks to Martin Pitt for reporting the issue and providing the + patch. * Add debian/patches/03_remove_eval.patch: - Replace all eval() calls for dynamically constructed function names with soft references. This fixes arbitrary command injection with specially @@ -10,7 +13,7 @@ CAN-2005-1527 http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities - -- Martin Pitt <[EMAIL PROTECTED]> Thu, 11 Aug 2005 18:23:09 +0200 + -- Frank Lichtenheld <[EMAIL PROTECTED]> Sun, 4 Sep 2005 19:17:31 +0200 awstats (6.4-1) unstable; urgency=low
Regards,
-- Frank Lichtenheld <[EMAIL PROTECTED]> www: http://www.djpig.de/
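Review bot: In the first hunk (@@ -1,6 +1,9 @@), the 6.4-1.1 entry names debian/patches/03_remove_eval.patch as the fix, but this diff touches only debian/changelog, so the fix itself cannot be checked from what is shown; please confirm that the patch file is carried over unchanged from the 6.4-1ubuntu1 upload. The description "Replace all eval() calls for dynamically constructed function names with soft references" also leaves open whether the constructed names are restricted to an expected set, and one sentence on that in the changelog would help anyone auditing the upload against CAN-2005-1527.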