Re: monit/CVE-2016-7067: call for testing
On 2016-11-30 14:11:31, Jonas Meurer wrote:
> Hi LTS list,
> I spent the last six hours backporting the CVE-2016-7067 patch to
> monit 5.4 from Debian Wheezy. A lot of manual backporting work was needed.
> I already tested the resulting package on a productive Wheezy system
> running monit and verified that it
> *) installs and upgrades cleanly
> *) indeed fixes the CSRF vulnerability:
> - tested with POST request lacking the CSRF protection token
> - tested with triggering status change over a GET request
> *) adds a "secure" flag if request comes over HTTPS
> *) doesn't introduce regressions to the basic functionality of monit
> Still, as the patch is rather intrusive and only tested by me so far,
> I'm asking for help: both testing the packages and reviewing the patch
> would be much appreciated.
> Wrt reviewing, the patch includes detailed documentation about what I
> did in order to backport the CSRF protection.
> The debdiff of monit 5.4-2+deb7u1 is attached to this mail. Source
> packages and binary packages for amd64 can be found here:
I have independently produced a similar patch while working on this
issue. (I had forgotten to assign myself the issue, my fault, sorry.)
I can vouch for the approach taken in the patch, because I have
essentially taken the exact same approach.
I have not tested the patch, but it seems your testing is extensive
enough that I do not think it is worth it for me to waste any more of our
time on this.
So I would give this a green light from me. Maybe give a day or two to
allow users to test the actual package if they wish.
He who does not know history is condemned to relive it.
- Karl Marx
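A constructed Python model of the three checks listed in the quoted message (a POST lacking the CSRF token is rejected, a status change over GET is rejected, and the token cookie carries the Secure flag only over HTTPS). This is an added illustration, not monit's code or the backported patch; the cookie and form-field names and the `action` parameter are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names: monit's real cookie/field names are not given in the message.
TOKEN_COOKIE = "securitytoken"   # assumed name of the per-session token cookie
TOKEN_FIELD = "securitytoken"    # assumed name of the matching form field
STATE_CHANGING = {"action"}      # assumed request parameter that changes service state


@dataclass
class Request:
    """Minimal model of an HTTP request to the web interface (constructed)."""
    method: str
    https: bool
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or POST body


def new_token() -> str:
    """Fresh random token for the double-submit cookie pattern."""
    return secrets.token_hex(16)


def token_set_cookie(token: str, https: bool) -> str:
    """Build the Set-Cookie header; Secure is added only when the request came over HTTPS,
    so the token is never sent back over plain HTTP."""
    attrs = [f"{TOKEN_COOKIE}={token}"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def is_allowed(req: Request) -> bool:
    """Decide whether a request may proceed.

    Read-only requests always pass. A request that would change service state must be a
    POST whose form token matches the token cookie; any GET that tries to change state
    is rejected outright, closing the link-based CSRF path."""
    if not any(k in STATE_CHANGING for k in req.params):
        return True
    if req.method != "POST":
        return False
    cookie_token = req.cookies.get(TOKEN_COOKIE, "")
    form_token = req.params.get(TOKEN_FIELD, "")
    # Constant-time compare so token mismatch timing leaks nothing.
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)
```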