Package: webalizer Version: 2.01.10-32.4 Followup-For: Bug #622897
More info:

Where I was actually USING webalizer, on production sites, was shielded behind Apache digest authentication - and thus was not exposed or attacked.

What I had not realized was that just installing webalizer from repos exposes webalizer on the DEFAULT site (the "It Works!" page) - and that's what got attacked and compromised, by hitting one of the server's IP addresses with no DNS.

Exposing potentially vulnerable code on the default site, which should be incredibly sparse and safe, seems very un-Debian-ish behavior to me. Especially since most web apps in the repositories do NOT expose themselves to the internet on install, instead requiring the admin to explicitly expose them as and where desired.

-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages webalizer depends on:
ii  debconf [debcon      1.5.24                    Debian configuration management sy
ii  libc6                2.7-18lenny7              GNU C Library: Shared libraries
ii  libdb4.5             4.5.20-13                 Berkeley v4.5 Database Libraries [
ii  libgd2-xpm           2.0.36~rc1~dfsg-3+lenny1  GD Graphics Library version 2
ii  libgeoip1            1.4.4.dfsg-3+lenny1       A non-DNS IP-to-country resolver l
ii  libpng12-0           1.2.27-2+lenny4           PNG library - runtime
ii  zlib1g               1:1.2.3.3.dfsg-12         compression library - runtime

webalizer recommends no packages.

Versions of packages webalizer suggests:
ii  apache2-mpm-prefork [htt  2.2.9-10+lenny9  Apache HTTP Server - traditional n
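The shielding the reporter describes for the production sites, written out as an added example (it is not part of the bug report or of the webalizer package): an Apache 2.2 stanza that puts the webalizer report directory on the default site behind digest authentication. The directory /var/www/webalizer (assumed to be the package's default OutputDir under the default DocumentRoot), the realm name, the credential file path and the user name are all assumptions.

```apache
# Added example: require digest authentication for the webalizer reports
# that the package publishes under the default site. Apache 2.2 syntax.
# Assumed report location: /var/www/webalizer (the package's OutputDir).
#
# One-time setup (assumed credential file and user name):
#   a2enmod auth_digest
#   htdigest -c /etc/apache2/webalizer.digest "Webalizer stats" statsadmin
#   service apache2 reload
#
<Directory /var/www/webalizer>
    # No directory listings and no per-directory overrides of this policy
    Options -Indexes
    AllowOverride None

    # Digest auth: the password never travels in clear text over plain HTTP
    AuthType Digest
    AuthName "Webalizer stats"
    # URL path under which the reports are served (assumed: DocumentRoot is /var/www)
    AuthDigestDomain /webalizer/
    AuthDigestProvider file
    AuthUserFile /etc/apache2/webalizer.digest
    Require valid-user
</Directory>
```

Once in place, an unauthenticated request for /webalizer/ against any of the server's IP addresses returns 401 instead of the report pages, which is the check to run after the reload.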