Re: N/A Re: [alerts-security] [DLA 20-1] munin security update

To: debian-lts@lists.debian.org
Subject: Re: N/A Re: [alerts-security] [DLA 20-1] munin security update
From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
Date: Sat, 9 Aug 2014 16:19:06 +0200
Message-id: <[🔎] 20140809141906.GA25582@fantomas.sk>
Mail-followup-to: debian-lts@lists.debian.org
In-reply-to: <[🔎] 53E392B1.60803@mendix.com>
References: <201408071648.18092.holger@layer-acht.org> <[🔎] 53E392B1.60803@mendix.com>

On 08/07/2014 04:48 PM, Holger Levsen wrote:

Package        : munin
Version        : 1.4.5-3+deb6u1
CVE ID         : CVE-2012-3512 CVE-2013-6048 CVE-2013-6359

[ Christoph Biedl ]
* munin-node: more secure state file handling, introducing a new plugin
  state directory root, owned by uid 0. Then each plugin runs in its own
  UID plugin state directory, owned by that UID. (Closes: #684075),
  (Closes: #679897), closes CVE-2012-3512.
* plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written
  plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now -
  please report plugins that are still using /var/lib/munin/plugin-state/ -
  as those  might pose a security risk!
* Validate multigraph plugin name, CVE-2013-6048.
* Don't abort data collection for a node due to malicious node, fixing
  munin#1397, CVE-2013-6359.


On 07.08.14 16:52, Frank Baalbergen wrote:

Not used, we use Munin 2.


pardon?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.

Depression is merely anger without enthusiasm.

Reply to:

References:
- N/A Re: [alerts-security] [DLA 20-1] munin security update
  - From: Frank Baalbergen <frank.baalbergen@mendix.com>

Prev by Date: Re: [DLA 25-2] python2.6 regression update
Next by Date: Re: squeeze-lts and the security tracker
Previous by thread: Re: [DLA 20-1] munin security update
Next by thread: Wordpress fix
Index(es):
- Date
- Thread