On Feb 23, 2017 11:52 AM, "Holger Levsen" wrote:
tomorrow, or at least until upstream (cc:ed) has confirmed this is the
right patch?
The patch is indeed quite minimal, and addresses the issue. It therefore
looks very ok to me.
Note that I did not plan to take it as is, but use the 2.999.x code
control: notfound -1 2.999.6-1
# confirmed by upstream
--
cheers,
Holger
Processing control commands:
> notfound -1 2.999.6-1
Bug #855705 [munin] munin: CVE-2017-6188: munin-cgi-graph local file write
vulnerability
Ignoring request to alter found versions of bug #855705 to the same values
previously set
--
855705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=85
Hi Holger,
On Thu, Feb 23, 2017 at 10:52:10AM +, Holger Levsen wrote:
> Hi Salvatore,
>
> On Thu, Feb 23, 2017 at 09:44:33AM +0100, Salvatore Bonaccorso wrote:
> > I prepared an update for jessie-security. could you verify that the
> > packages at https://people.debian.org/~carnil/tmp/munin/
Hi Salvatore,
On Thu, Feb 23, 2017 at 09:44:33AM +0100, Salvatore Bonaccorso wrote:
> I prepared an update for jessie-security. could you verify that the
> packages at https://people.debian.org/~carnil/tmp/munin/ are still
> functioning as expected?
please wait until releasing this until 2.0.31 h
On 23. 02. 2017 09:44, Salvatore Bonaccorso wrote:
> I prepared an update for jessie-security. could you verify that the
> packages at https://people.debian.org/~carnil/tmp/munin/ are still
> functioning as expected?
Thanks for the update! I installed your packages and they work as
expected with m
Hi
I prepared an update for jessie-security. could you verify that the
packages at https://people.debian.org/~carnil/tmp/munin/ are still
functioning as expected?
Regards,
Salvatore
On 21. 02. 2017 15:01, Holger Levsen wrote:
> Did you check whether 2.0.6 is affected as well? 2.999.6?
No, I did not check 2.0.6 or 2.999.6.
Parameter handling seems to have been rewritten in 2.999.6. Looking at
the source, it does not seem to be vulnerable to this specific problem:
https://git
Processing control commands:
> forwarded -1 https://github.com/munin-monitoring/munin/issues/721
Bug #855705 [munin] munin-cgi-graph local file write vulnerability
Set Bug forwarded-to-address to
'https://github.com/munin-monitoring/munin/issues/721'.
> tags -1 + upstream
Bug #855705 [munin] muni
control: forwarded -1 https://github.com/munin-monitoring/munin/issues/721
control: tags -1 + upstream
Hi Tomaž,
On Tue, Feb 21, 2017 at 02:42:26PM +0100, Tomaž Šolc wrote:
> Munin package in Jessie has a local file write vulnerability when CGI graphs are
> enabled. Setting multiple "upper_lim
Package: munin
Version: 2.0.25-1
Severity: grave
Tags: security patch
Justification: user security hole
Dear Maintainers,
Munin package in Jessie has a local file write vulnerability when CGI graphs are
enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible