
N/A Re: [alerts-security] [DLA 20-1] munin security update

On 08/07/2014 04:48 PM, Holger Levsen wrote:
Package        : munin
Version        : 1.4.5-3+deb6u1
CVE ID         : CVE-2012-3512 CVE-2013-6048 CVE-2013-6359

[ Christoph Biedl ]
* munin-node: more secure state file handling, introducing a new plugin
   state directory root, owned by uid 0. Then each plugin runs in its own
   UID plugin state directory, owned by that UID. (Closes: #684075),
   (Closes: #679897), closes CVE-2012-3512.
* plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written
   plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now -
   please report plugins that are still using /var/lib/munin/plugin-state/ -
   as those might pose a security risk!
* Validate multigraph plugin name, CVE-2013-6048.
* Don't abort data collection for a node due to malicious node, fixing
   munin#1397, CVE-2013-6359.

Not used, we use Munin 2.

Frank Baalbergen - System / Network Engineer
T +31 (0)10 2760434 | frank.baalbergen@mendix.com | www.mendix.com
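
The changelog quoted above asks for reports of plugins that still use /var/lib/munin/plugin-state/ instead of $ENV{MUNIN_PLUGSTATE}. That check as a shell script, added here as an example and not part of the advisory or of munin; the function names, the output labels and the sample plugins are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag munin plugins that still hardcode the legacy state path
# named in the changelog, instead of relying on $MUNIN_PLUGSTATE.
LEGACY_STATE_DIR='/var/lib/munin/plugin-state'

# scan_plugins DIR
# Prints one line per plugin that contains the legacy path:
#   LEGACY <name>           hardcoded legacy path only
#   LEGACY-FALLBACK <name>  uses MUNIN_PLUGSTATE but keeps the legacy path too
# Plugins that never mention the legacy path print nothing.
scan_plugins() {
    dir=$1
    for p in "$dir"/*; do
        [ -f "$p" ] || continue          # follows symlinks, skips dangling ones
        name=${p##*/}
        # -F: literal match, so /var/lib/munin-node/plugin-state is not a hit
        # -I: compiled (binary) plugins are skipped rather than matched
        if grep -I -q -F -e "$LEGACY_STATE_DIR" -- "$p"; then
            if grep -q -F -e 'MUNIN_PLUGSTATE' -- "$p"; then
                echo "LEGACY-FALLBACK $name"
            else
                echo "LEGACY $name"
            fi
        fi
    done
}

# Constructed sample plugins (not real munin plugins) for an offline run.
# Prints the temporary directory that holds them.
make_sample_plugins() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' \
        'STATE=/var/lib/munin/plugin-state/old.state' > "$d/old_plugin"
    printf '%s\n' '#!/bin/sh' \
        'STATE="$MUNIN_PLUGSTATE/new.state"' > "$d/new_plugin"
    printf '%s\n' '#!/bin/sh' \
        'STATE="${MUNIN_PLUGSTATE:-/var/lib/munin/plugin-state}/x"' > "$d/mixed_plugin"
    printf '%s\n' '#!/bin/sh' \
        'STATE=/var/lib/munin-node/plugin-state/0/y' > "$d/node_plugin"
    echo "$d"
}

# Scan the directory given as the first argument, if any.
if [ $# -gt 0 ]; then
    scan_plugins "$1"
fi
```

Run it with the node's plugin directory as the argument (on Debian typically /etc/munin/plugins); a LEGACY-FALLBACK hit still deserves a look, since the plugin writes to the shared directory whenever the variable is unset.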
