Your message dated Tue, 14 Aug 2012 20:57:00 +0000
with message-id <e1t1oae-0007us...@franck.debian.org>
and subject line Bug#682869: fixed in munin 2.0.5-1
has caused the Debian Bug report #682869,
regarding munin: insecure/misleading apache configuration (authentication bypass)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
682869: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682869
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: munin
Version: 2.0.2-1
Severity: grave
Tags: security
Justification: user security hole
The default apache configuration shipped and automatically enabled by
munin is insecure, because it includes an authentication bypass. The
config intends to restrict access to the graphs to localhost:
| <Directory /var/cache/munin/www>
| Order allow,deny
| Allow from localhost 127.0.0.0/8 ::1
| ....
Unfortunately this restriction does not apply to scripts like
/usr/lib/cgi-bin/munin-cgi-graph or
| ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html
So just by going http://$IP/munin-cgi you get to know what you need
(some paths may be wrong) and you can look at graphs by going to for
example
http://$IP/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/processes-day.png.
This works with a freshly installed munin, munin-node, apache2 without
any further configuration.
Note that removing /etc/apache2/conf.d/munin is *not* a workaround for
this issue, because /cgi-bin/munin-cgi-graph still works.
This issue is related to #649520.
Helmut
--- End Message ---
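As an added example (not part of the report, the munin package, or the Debian BTS messages), the following Python script audits an Apache 2.2-style configuration for exactly the gap the report describes: a ScriptAlias whose target on disk is not covered by any <Directory> block that restricts "Allow from". The two embedded configurations are constructed. WEAK_CONF mirrors the layout the report describes (Debian's default /cgi-bin/ alias open to all, munin's snippet restricting only /var/cache/munin/www while its CGI lives in /usr/lib/cgi-bin). HARDENED_CONF assumes the scripts moved to /usr/lib/munin/cgi, as the 2.0.5-1 changelog in this message records, and additionally assumes a localhost-restricted <Directory /usr/lib/munin/cgi> block and a /munin-cgi-graph ScriptAlias; those two assumptions are mine, not statements from the page.

```python
"""Audit an Apache 2.2-style config for a ScriptAlias whose on-disk target is not
covered by a <Directory> block restricting 'Allow from'. Added example; it models
only <Directory> sections and mod_authz_host's Order/Allow syntax, not <Location>
blocks or the Apache 2.4 'Require' syntax."""
import re

DIRECTORY_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)"?\s*>', re.I)
END_DIRECTORY_RE = re.compile(r'^\s*</Directory\s*>', re.I)
SCRIPTALIAS_RE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.I)
ALLOW_RE = re.compile(r'^\s*Allow\s+from\s+(.+?)\s*$', re.I)

# Constructed config mirroring the report: the default /cgi-bin/ alias is open
# to all, and munin's snippet restricts only the static graph cache.
WEAK_CONF = """
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    Order allow,deny
    Allow from all
</Directory>
<Directory /var/cache/munin/www>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html
"""

# Hypothetical hardened layout: scripts moved to /usr/lib/munin/cgi (as the
# 2.0.5-1 changelog does) AND that directory given the same localhost
# restriction. The <Directory /usr/lib/munin/cgi> block is an assumption.
HARDENED_CONF = """
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    Order allow,deny
    Allow from all
</Directory>
<Directory /var/cache/munin/www>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
<Directory /usr/lib/munin/cgi>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html
ScriptAlias /munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
"""


def _norm(path):
    return path.rstrip('/') or '/'


def parse_config(text):
    """Return ({directory_path: [Allow-from args]}, [(url_prefix, fs_target)])."""
    directories, aliases, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]  # drop trailing comments
        m = DIRECTORY_RE.match(line)
        if m:
            current = _norm(m.group(1))
            directories.setdefault(current, [])
            continue
        if END_DIRECTORY_RE.match(line):
            current = None
            continue
        m = SCRIPTALIAS_RE.match(line)
        if m:
            aliases.append((m.group(1), _norm(m.group(2))))
            continue
        m = ALLOW_RE.match(line)
        if m and current is not None:
            directories[current].append(m.group(1))
    return directories, aliases


def is_restricted(allow_args):
    """A section restricts access only if it has Allow lines and none is 'all'."""
    return bool(allow_args) and not any(a.strip().lower() == 'all' for a in allow_args)


def covering_directories(target, directories):
    """<Directory> paths that are prefixes of target, least specific first."""
    def covers(d):
        return d == '/' or target == d or target.startswith(d + '/')
    return sorted((d for d in directories if covers(d)), key=len)


def unrestricted_script_aliases(text):
    """(url_prefix, fs_target, effective_directory) for every ScriptAlias reachable
    without an 'Allow from' restriction. Simplification: the most specific covering
    <Directory> that sets any Allow directive wins outright (mod_authz_host's
    per-directory config is overridden, not merged, by more specific sections)."""
    directories, aliases = parse_config(text)
    findings = []
    for url, target in aliases:
        effective = None
        for d in reversed(covering_directories(target, directories)):
            if directories[d]:
                effective = d
                break
        if effective is None or not is_restricted(directories[effective]):
            findings.append((url, target, effective))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for url, target, eff in unrestricted_script_aliases(conf):
            print(f"{name}: {url} -> {target} is unrestricted (effective <Directory>: {eff})")
```

Run against WEAK_CONF the audit flags both /cgi-bin/ and /munin-cgi, because the only <Directory> covering /usr/lib/cgi-bin says "Allow from all" and the munin restriction on /var/cache/munin/www never applies to the CGI targets, which is the report's point. Against HARDENED_CONF only the distribution's default /cgi-bin/ alias remains flagged, and no munin path does. The script is a heuristic: it ignores <Location> sections, Deny lines, and .htaccess overrides, so a clean result is a starting point for a review rather than proof.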
--- Begin Message ---
Source: munin
Source-Version: 2.0.5-1
We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 682...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated munin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Aug 2012 19:12:54 +0200
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.5-1
Distribution: unstable
Urgency: low
Maintainer: Munin Debian Maintainers <packag...@munin-monitoring.org>
Changed-By: Holger Levsen <hol...@debian.org>
Description:
munin - network-wide graphing framework (grapher/gatherer)
munin-async - network-wide graphing framework (async master/client)
munin-common - network-wide graphing framework (common)
munin-doc - network-wide graphing framework (documentation)
munin-node - network-wide graphing framework (node)
munin-plugins-core - network-wide graphing framework (plugins for node)
munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 682869 683064 684170 684171
Changes:
munin (2.0.5-1) unstable; urgency=low
.
[ Holger Levsen ]
* New upstream versions, fixing lots of bugs (including a regression in
munin-cgi-graph preventing it from caching at all (Closes: #683064))
and adding documentation and manpages. See upstream ChangeLog for the
full list.
* Remove workaround concerning java-plugins (667493) in debian/rules
as upstream has fixed this in e7e29c4 in 2.0.3.
* munin-async.init:
- run munin-async as munin-async user (Closes: #684171)
- use stop function from munin-node.init to make it actually stop it
(Closes: #684170). In the future we should replace both initscripts with
saner rewrites.
.
[ Helmut Grohne ]
* Move cgi scripts to /usr/lib/munin/cgi. (Closes: #682869)
Checksums-Sha1:
0690d9ddb6a865dd068f4836e9093d21f65e13bb 2348 munin_2.0.5-1.dsc
5b9770af3042275f8d0b55077be6088d59834067 1319398 munin_2.0.5.orig.tar.gz
f0b91b20d25c1c03df5541083aeb91e2f512933a 50152 munin_2.0.5-1.diff.gz
c143973ddbd07b43cc386557cbdc7ced3337ff3e 125126 munin-node_2.0.5-1_all.deb
697fc4e6cea41269d80a98c7825a97744affd1a9 302088 munin-plugins-core_2.0.5-1_all.deb
c30a5abc4388e367fd26dd203f90c0acbaa1440d 152244 munin-plugins-extra_2.0.5-1_all.deb
518b3af205e959543d9f6645bc75a97abc28ee7d 145132 munin-plugins-java_2.0.5-1_all.deb
850e90c3ec47cfe03cf869d14f272ca58b8950b1 198780 munin_2.0.5-1_all.deb
30cecd3763b626eda75efe3f7aa1e41d3af6a283 92980 munin-common_2.0.5-1_all.deb
7888d69f9170c59913cabfcbe54d6d227b2b2a95 80898 munin-async_2.0.5-1_all.deb
e33707886526b886e507eb2bd2aba47679486057 209920 munin-doc_2.0.5-1_all.deb
Checksums-Sha256:
be0e7c8cc6dc7ed7e385403ec27990d512808777976a36a04a78963ebb503b38 2348 munin_2.0.5-1.dsc
927b9b557343ad031b55b401eb1542db03d78a48a64797f5fed6ad58fc2c8785 1319398 munin_2.0.5.orig.tar.gz
6d7680318438ea207ac7ed2f9106cccc19ed3411efb1e5b963e54c027bce7164 50152 munin_2.0.5-1.diff.gz
585b8e1d51d2f2f0fd8c37927f526552f5a81f5b91dc29a4a4e6769013f5f274 125126 munin-node_2.0.5-1_all.deb
bf2adf8bcf4b875301f4510592f5b125e6675ac55d7cb8b69d43c236ddac23ae 302088 munin-plugins-core_2.0.5-1_all.deb
4941a32e5c77a09c4567aca95e874f07bf41a8915b92796f2abf661b841315a2 152244 munin-plugins-extra_2.0.5-1_all.deb
6db562e27cd6ed8996f39e0246d280a184f32aeaedbe050c45aa73640a259240 145132 munin-plugins-java_2.0.5-1_all.deb
aa938b773a98099a35ae9dedb1bc9ac866cd798588b153bee5167aec2861b8c5 198780 munin_2.0.5-1_all.deb
c1ba405cc23a29365356d8a48c341bbc6b1b7e46419006e1fb44ceb6766b8267 92980 munin-common_2.0.5-1_all.deb
eadd69070b96f2fa8297b9a491f0f0427ca7ae6e59ca4b6f9beaaac6b6792699 80898 munin-async_2.0.5-1_all.deb
c9bcbe13dc51e7b988dfe7e53e847ddd5d0451fc1adb32a28748631043e19368 209920 munin-doc_2.0.5-1_all.deb
Files:
b945213edf324d4ed706cba79f4f3d9f 2348 net optional munin_2.0.5-1.dsc
4e04e7837368d4579dab5bd59163c02b 1319398 net optional munin_2.0.5.orig.tar.gz
2dc0cd33342c3a33a9d8003ddacbd367 50152 net optional munin_2.0.5-1.diff.gz
ac616f1b5bb9d4753291896c64217bda 125126 net optional munin-node_2.0.5-1_all.deb
92448a77cf059a5cda4394e3e9ea2d22 302088 net optional munin-plugins-core_2.0.5-1_all.deb
cffa4b31a46613dd208cadc503cce343 152244 net optional munin-plugins-extra_2.0.5-1_all.deb
3c146e7275654f413ac345f0974d3bf9 145132 net optional munin-plugins-java_2.0.5-1_all.deb
e794374fcef3f3c8c0cad264407f5498 198780 net optional munin_2.0.5-1_all.deb
704ce97864c10052a6c4487c8112a88e 92980 net optional munin-common_2.0.5-1_all.deb
af6ff60cfc40f9c34c2d105cf27081b2 80898 net optional munin-async_2.0.5-1_all.deb
0c540c41133b1fe5c37aacedac0fbc4b 209920 doc optional munin-doc_2.0.5-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

=mhTU
-----END PGP SIGNATURE-----
--- End Message ---