control: forwarded -1 https://github.com/munin-monitoring/munin/issues/721
control: tags -1 + upstream

Hi Tomaž,

On Tue, Feb 21, 2017 at 02:42:26PM +0100, Tomaž Šolc wrote:
> Munin package in Jessie has a local file write vulnerability when CGI graphs are
> enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
> file accessible to the www-data user.
>
> This was originally reported on GitHub by sstj here:
> https://github.com/munin-monitoring/munin/issues/721

thank you for filing a bug report in the Debian BTS too, much appreciated!

> Attached is a simple patch that fixes the problem.

wow, that's even more appreciated! :)

I've notified upstream via irc and left a note in the github issue and asked
to do a 2.0.31 release too. Nonetheless we'll also need to fix this in
2.0.25-2 for Debian stable.

Did you check whether 2.0.6 is affected as well? 2.999.6?

--
cheers,
	Holger