Hi Raphael!

Raphael Hertzog writes:
> Hello Matt,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of check-mk:
> https://security-tracker.debian.org/tracker/CVE-2017-9781
>
> Would you like to take care of this yourself?
>
> The code in wheezy is different from the 1.4.x version which has been
> patched upstream but I believe that a similar issue must exist since
> I have seen no HTML escaping in any code showing errors.

The commit message explicitly references the 1.4 branch, but I also see
that the code exists in 1.2.8p16 (buster/sid). For buster/sid I will
update to the new 1.4-based upstream with the patch. The 1.2.6p12-1-based
versions in wheezy-backports-sloppy and jessie-backports are different
still, but we should push to make those go away by getting buster fixed
and backporting that to w-b-s, j-b-s, and w-b.

I agree that the code is pretty different in 1.1.12p7-1 (wheezy). I would
appreciate help generating a patch for that version.

> That said it really depends on whether user input ends
> up in the error message associated to the various exceptions
> and it's hard to tell from a quick look at the code without trying.
>
> The traceback itself seems to be output in <pre>%s</pre> but that doesn't
> prevent XSS.
>
> In any case, if you want to handle this yourself, please follow the
> workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-...@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of check-mk updates
> for the LTS releases.

The check-mk source package is sort of weird: it uses tarballs within the
orig.tar.gz, so using a normal debian package diff, or even patching at
configure time, doesn't work; it has to happen after the install step
runs setup.sh.
I am happy for the LTS team to prepare the wheezy update and I can help
with testing. I will work on uploading a fixed 1.4 version to sid in the
next day. Sound OK?

-- 
Matt Taggart
tagg...@debian.org
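The following is an added example, not code from check-mk or from either participant in this thread. It illustrates the point made above that interpolating an exception message into <pre>%s</pre> does not prevent XSS when user input reaches the message, and shows the same rendering with HTML escaping applied. The view function, the error text and the payload are constructed for the example. It uses Python 3's html.escape; on a Python 2 code base such as the wheezy package, the nearest equivalent is cgi.escape(s, quote=True).

```python
"""Added example (Python 3): unescaped vs. escaped rendering of an
exception message inside <pre>...</pre>. Not check-mk code; the view
function, error text and payload below are constructed for illustration."""
import html


def render_error_unescaped(exc: Exception) -> str:
    # The pattern under discussion: the error text goes straight into a
    # <pre> element. <pre> only affects whitespace rendering; the browser
    # still parses tags inside it, so this does nothing against XSS.
    return "<pre>%s</pre>" % exc


def render_error_escaped(exc: Exception) -> str:
    # html.escape() turns &, <, >, " and ' into entities, so attacker-
    # controlled text can neither close the <pre> nor open a new tag.
    return "<pre>%s</pre>" % html.escape(str(exc), quote=True)


def simulate_request(user_input: str, render) -> str:
    # Constructed stand-in for a GUI view that rejects bad input and
    # echoes the offending value back inside the exception message, which
    # is exactly how user input ends up in an error page.
    try:
        raise ValueError("invalid host name: %s" % user_input)
    except ValueError as e:
        return render(e)


def is_tag_injected(rendered: str, tag: str = "<script>") -> bool:
    # Crude detector: does a raw tag from the payload survive into the
    # rendered HTML?
    return tag in rendered


# Constructed payload: closes the <pre>, injects a script, reopens <pre>.
PAYLOAD = "</pre><script>alert(document.cookie)</script><pre>"


if __name__ == "__main__":
    print("unescaped:", simulate_request(PAYLOAD, render_error_unescaped))
    print("escaped:  ", simulate_request(PAYLOAD, render_error_escaped))
```

When auditing the wheezy code for this, the thing to grep for is every place an exception or traceback is formatted into HTML; each one needs the escaped form, not just the ones whose message obviously contains a request parameter.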