
monit / CVE-2016-7067



Just having a preliminary look at monit. By the looks of it, the
security issue appears to be that it doesn't support CSRF.

However, by the looks of it the patch (which adds CSRF support) is
fairly extensive and every single hunk fails to apply cleanly:

https://bitbucket.org/tildeslash/monit/commits/c6ec3820e627f85417053e6336de2987f2d863e3?at=master

As a result I imagine this would require recreating much of the patch
for wheezy-security.

While I agree this is a security issue, the fix is adding a fairly
significant new feature. Is this appropriate for wheezy-security?


[1]

⌁ [brian:~/tree/debian/debian-lts/wheezy/monit/monit-5.4] % patch -p1 --dry-run < raw.patch
checking file CHANGES
Hunk #1 FAILED at 22.
1 out of 1 hunk FAILED
checking file src/http/cervlet.c
Hunk #1 FAILED at 99.
Hunk #2 FAILED at 133.
Hunk #3 FAILED at 420.
Hunk #4 FAILED at 431.
Hunk #5 FAILED at 447.
Hunk #6 FAILED at 461.
Hunk #7 FAILED at 812.
Hunk #8 FAILED at 868.
Hunk #9 FAILED at 900.
Hunk #10 FAILED at 943.
Hunk #11 FAILED at 960.
Hunk #12 FAILED at 1665.
12 out of 12 hunks FAILED
can't find file to patch at input line 293
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/src/http/client.c b/src/http/client.c
|index d0f7a02..b4bb929 100644
|--- a/src/http/client.c
|+++ b/src/http/client.c
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
checking file src/http/processor.c
Hunk #1 FAILED at 241.
Hunk #2 FAILED at 249.
Hunk #3 FAILED at 285.
Hunk #4 FAILED at 442.
Hunk #5 FAILED at 574.
Hunk #6 FAILED at 727.
6 out of 6 hunks FAILED
checking file src/http/processor.h
Hunk #1 FAILED at 89.
Hunk #2 FAILED at 102.
2 out of 2 hunks FAILED
checking file src/util.c
Hunk #1 FAILED at 1385.
1 out of 1 hunk FAILED
checking file src/util.h

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/