
xymon vulnerabilities in jessie, stretch and buster


I just had a look at xymon's vulnerabilities in jessie, stretch and buster.

Upstream claims some of these issues to be exploitable, among others the XSS
vulnerability. I plan to address at least this one in jessie.

I see that Moritz and Axel already discussed this on upstream's mailing list,
however the tracker has not been updated yet. Is anybody working on it? If not,
I can take some time to do it.

Buster and stretch are not far from 4.3.29, so, in case the security team wants
to address these issues, a version bump could maybe be considered? For jessie,
it could be worth inspecting the diff, but there were quite a few releases
between 4.3.17 and 4.3.29... I'm considering cherry-picking relevant changes for
the most important issues.

Christoph and Axel, do you have comments/suggestions regarding this?


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
