CAN-2005-1527

There is a major vulnerability in the awstats log analyzer, versions 6.4 and lower. Basically, awstats passes a string from the log file straight to Perl's eval() (which is truly an awful idea, from both a security and a performance standpoint). Naturally this leads to pwnage if you can get Apache to log a particularly malformed request.
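To make the anti-pattern concrete, here is an added illustration in Perl (my own example, not awstats code): a log field handed to string eval beside a version that treats the field purely as data. The log line, the field names and the counter table are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not awstats code. Shows why "build Perl source from a log
# field and eval it" is dangerous, and what the safe equivalent looks like.
use strict;
use warnings;

# Constructed Apache combined-log line. The request and user-agent fields are
# whatever the remote client chose to send, so they are attacker-controlled.
my $sample = '10.0.0.1 - - [10/Aug/2005:12:00:00 +0000] '
           . '"GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/5.0"';

# Split the combined log format into named fields; returns undef on a line
# that does not match, instead of guessing.
sub parse_combined {
    my ($line) = @_;
    my ($host, $ident, $user, $ts, $request, $status, $bytes, $referer, $ua) =
        $line =~ /^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/
        or return;
    return { host => $host, request => $request, status => $status,
             bytes => $bytes, ua => $ua };
}

# VULNERABLE pattern (the one the post describes): the log field is spliced
# into Perl source text and executed. Any field content that closes the quote
# runs as code with the privileges of the user running the analyzer.
sub count_unsafe {
    my ($counts, $name, $fld) = @_;
    eval "\$counts->{$name}{\"$fld\"}++;";   # DO NOT DO THIS
}

# HARDENED: no eval at all. The field is only ever used as a hash key, and the
# counter name must come from a fixed, code-controlled table, never from the log.
my %allowed = map { $_ => 1 } qw(host request status ua);
sub count_safe {
    my ($counts, $name, $fld) = @_;
    die "unknown counter '$name'" unless $allowed{$name};
    $counts->{$name}{$fld}++;
}

my %counts;
my $rec = parse_combined($sample) or die "unparseable log line";
count_safe(\%counts, $_, $rec->{$_}) for qw(host request status ua);

for my $name (sort keys %counts) {
    for my $val (sort keys %{ $counts{$name} }) {
        printf "%-8s %s => %d\n", $name, $val, $counts{$name}{$val};
    }
}
```

On benign input both routines produce the same counters, which is exactly why the eval version survives code review: the difference only shows up when a field contains quote or code characters, and by then the string has already been executed. The safe version never interprets the field, so a hostile request can at worst become an odd-looking hash key.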

And how does a poor webmaster find out about this vulnerability? No, not by running apt-get update; apt-get upgrade on my Debian box; but by noticing the advisory accidentally while browsing Gentoo forums. Turns out, it has been known for quite some time under a number of names (Gentoo GLSA-200508-07, CAN-2005-1527, and Ubuntu USN-167-1, among others). The fact that Debian does not have an advisory or a patched package out really pisses me off. What kind of a two-bit distro lets critical security breaches remain unpatched for two weeks? Webapps are the one thing that must be patched bloody instantly. So, if you are a poor unfortunate Debian user, go download the fixed awstats_6.4-1ubuntu1_all.deb package from Ubuntu right now and be safe.

And, if you are a poor unfortunate Debian user, pay attention to Gentoo and Ubuntu security advisories. It seems those two distros are a bit more security-conscious than Debian.
