[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: monit/CVE-2016-7067: call for testing

On 2016-11-30 14:11:31, Jonas Meurer wrote:
> Hi LTS list,
> I spent the last six hours backporting the CVE-2016-7067 patch[1] to
> monit 5.4 from Debian Wheezy. A lot of manual backporting work was needed.
> I already tested the resulting package on a productive Wheezy system
> running monit and verified that it
> *) installs and upgrades cleanly
> *) indeed fixes the CSRF vulnerability:
>    - tested with POST request lacking the CSRF protection token
>    - tested with triggering status change over a GET request
> *) adds a "secure" flag if request comes over HTTPS
> *) doesn't introduce regressions to the basic functionality of monit
> Still, as the patch is rather intrusive and only tested by me so far,
> I'm asking for help: both testing the packages and reviewing the patch
> would be much appreciated.
> Wrt reviewing, the patch includes detailed documentation about what I
> did in order to backport the CSRF protection.
> The debdiff of monit 5.4-2+deb7u1 is attached to this mail. Source
> packages and binary packages for amd64 can be found here:
> https://people.debian.org/~mejo/wheezy-lts/


I have independently produced a similar patch while working on this
issue. (I had forgotten to assign myself the issue, my fault, sorry.)

I can vouch for the approach taken in the patch, because I have
essentially taken the exact same approach.

I have not tested the patch, but it seems your testing is extensive
enough that I do not think it is worth for me to waste any more of our
time on this.

So I would give this a green light from me. Maybe give a day or two to
allow users to test the actual package if they wish.

Good job!


Celui qui ne connaît pas l'histoire est condamné à la revivre.
                        - Karl Marx

Reply to: