I did some research on #758883:

1) CVE-2014-5338 was fixed in 1.2.5i4 with this commit
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660abdeaaaa6c459a4aa3ce8e07722

The actions.py change should work as is. The htmllib.py part of the patch needs some minor adjusting but should work.

2) CVE-2014-5339 was also fixed in 1.2.5i4 with this commit
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=78c0c2779393a822f62924c662b8022572a1be9c

The 1.2.2p3 version of the code is

    if not html.has_var('selection'):
        sel_id = file('/proc/sys/kernel/random/uuid').read().strip()
        html.add_var('selection', sel_id)
    return html.var('selection')

Whereas the 1.2.5i4 version uses

    if not html.has_var('selection'):
        sel_id = lib.gen_id()
        html.add_var('selection', sel_id)
    else:
        sel_id = html.var('selection')
    # Avoid illegal file access by introducing .. or /
    if not re.match("^[-0-9a-zA-Z]+$", sel_id):
        return lib.gen_id()
    else:
        return sel_id

lib.gen_id doesn't exist in 1.2.2p3 so the patch won't work. But maybe the patch could be adapted to do the same check around the old way?

3) CVE-2014-5340 was also fixed in 1.2.5i4 with this commit
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2a45b299a8f5c5da332410eec2c45aac2ba1e
which uses the python ast library if it exists. ast is a standard lib and is available on wheezy. This patch should work (might need a little adjusting, but looks ok).

It would be best to move to a release newer than 1.2.5i4 to fix these (and other things), but in the interest of getting check-mk back in jessie, maybe it would make sense to patch 1.2.2p3?

Thanks,

--
Matt Taggart
tagg...@debian.org
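The adaptation asked about in point 2, sketched as an added example (not part of the original message and not check_mk code): the 1.2.5i4 character check wrapped around the 1.2.2p3 UUID source. `FakeHtml`, `new_sel_id` and the `uuid4()` fallback are hypothetical, and the pattern is anchored with `\Z` rather than `$` because `$` also matches before a trailing newline.

```python
import re
import uuid

# Same character class as the 1.2.5i4 check; \A...\Z instead of ^...$ so a
# value such as "abc\n" does not slip through on the trailing newline.
SEL_ID_RE = re.compile(r"\A[-0-9a-zA-Z]+\Z")


def new_sel_id():
    """1.2.2p3 ID source; uuid4() is an assumed fallback for hosts without /proc."""
    try:
        with open("/proc/sys/kernel/random/uuid") as f:
            return f.read().strip()
    except (IOError, OSError):
        return str(uuid.uuid4())


class FakeHtml(object):
    """Hypothetical stand-in for check_mk's html object (request variables only)."""

    def __init__(self, request_vars=None):
        self.vars = dict(request_vars or {})

    def has_var(self, name):
        return name in self.vars

    def add_var(self, name, value):
        self.vars[name] = value

    def var(self, name):
        return self.vars.get(name)


def selection_id(html):
    """Return a selection ID that is safe to use as a file name component."""
    if not html.has_var('selection'):
        sel_id = new_sel_id()
        html.add_var('selection', sel_id)
    else:
        sel_id = html.var('selection')
    # Avoid illegal file access by introducing .. or /
    if not sel_id or not SEL_ID_RE.match(sel_id):
        sel_id = new_sel_id()
        html.add_var('selection', sel_id)  # assumption: keep the request var in sync
    return sel_id


# Constructed request values: one well-formed ID and several that must be replaced.
GOOD_ID = "3f2b8c1e-0d4a-4b6f-9a1e-5c7d2e8f9a0b"
BAD_IDS = ["../../etc/passwd", "a/b", "..", "abc\n", ""]
```
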