munin-cgi-graph: remote users can fill the /tmp filesystem

Related Vulnerabilities: CVE-2012-2147  

Debian Bug report logs - #668667

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Fri, 13 Apr 2012 21:54:09 UTC

Severity: serious

Tags: security, upstream

Found in version munin/2.0~rc4-1

Fixed in version munin/2.0~rc6-1

Done: Holger Levsen <holger@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Fri, 13 Apr 2012 21:54:12 GMT)

Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Fri, 13 Apr 2012 21:54:12 GMT)

Message #5 received at submit@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: munin-cgi-graph: remote users can fill the /tmp filesystem
Date: Fri, 13 Apr 2012 23:51:23 +0200
Package: munin
Version: 2.0~rc4-1
Severity: important
Tags: security

printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

Provided that the filename actually exists, munin will render the image
and store it as
/tmp/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo.
By choosing a unique string instead of foo for each request an adversary
is able to create one png file per http request none of which are ever
deleted. He is thus able to exhaust the filesystem for /tmp. The issue
gets worse when /tmp is a tmpfs.

Again this issue seems to only affect the 2.x branch (sid).

Helmut




Added tag(s) upstream. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 15:33:30 GMT)

Severity set to 'serious' from 'important'. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 16:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Tue, 17 Apr 2012 05:39:02 GMT)

Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Tue, 17 Apr 2012 05:39:02 GMT)

Message #14 received at 668667@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Kurt Seifried <kseifried@redhat.com>
Cc: oss-security@lists.openwall.com, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>, 668667@bugs.debian.org
Subject: Re: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Tue, 17 Apr 2012 07:34:40 +0200
Hi Kurt,

Please always CC the bug report when adding detail to it. Doing it now
for you.

On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
> > [3] Remote users can fill /tmp filesystem: Red Hat would not
> > consider this to be a security flaw => no RH BTS entry.
> > 
> > Original report: 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
> 
> I reread this one a few times, I'm not clear on what:
> 
> ==========
> printf 'GET
> /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo
> HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc
> localhost 80
> 
> Provided that the filename actually exists, munin will render the image
> ==========
> 
> means exactly, does the file vmstat-day.png need to exist where? It
> seems like if the image is of any size (say 20k or more) the
> amplification (each get request = 20k of tmp space usage) and the
> files have to be deleted manually it might qualify as a DoS.
> 
> helmut@subdivi.de can you shed more light on this?

The basic requirement is that a plugin called vmstat is configured for
the node localhost.localdomain. I just picked it as an example, cause it
is present on my system. In practice any plugin for any host will do.

The filling of the disk works by choosing a unique query string for each
request, because munin "caches" all these images without ever deleting
them and includes the query string in the filename. So you are right
that we get a base amplification of 20k/request.

In addition munin parses parts of the query string. You are allowed to
modify the size of the image. By choosing a path
"....png?size_x=20000&size_y=20000&uniquestuff" you can do the same
attack while simultaneously using a large image size. The raw image
would be 381M (assuming 8bits/pixel) in this case. A png version will
likely be smaller, say 4M? So now you have an amplification of
4M/request. Note that this query can get a node into swapping, because
rrdtool needs to create the whole image in main memory.

Hope this helps

Helmut




Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Wed, 18 Apr 2012 05:09:16 GMT)

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Wed, 18 Apr 2012 05:09:16 GMT)

Message #19 received at 668667@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com
Cc: Helmut Grohne <helmut@subdivi.de>, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>, 668667@bugs.debian.org
Subject: Re: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Tue, 17 Apr 2012 23:04:56 -0600

On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> Hi Kurt,
> 
> Please always CC the bug report when adding detail to it. Doing it
> now for you.
> 
> On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
>>> [3] Remote users can fill /tmp filesystem: Red Hat would not 
>>> consider this to be a security flaw => no RH BTS entry.
>>> 
>>> Original report: 
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
>> 
>> I reread this one a few times, I'm not clear on what:
>> 
>> ==========
>> printf 'GET
>> /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo
>> HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc
>> localhost 80
>> 
>> Provided that the filename actually exists, munin will render the
>> image
>> ==========
>> 
>> means exactly, does the file vmstat-day.png need to exist where?
>> It seems like if the image is of any size (say 20k or more) the 
>> amplification (each get request = 20k of tmp space usage) and
>> the files have to be deleted manually it might qualify as a DoS.
>> 
>> helmut@subdivi.de can you shed more light on this?
> 
> The basic requirement is that a plugin called vmstat is configured
> for the node localhost.localdomain. I just picked it as an example,
> cause it is present on my system. In practice any plugin for any
> host will do.

Is this the default configuration?

> In addition munin parses parts of the query string. You are allowed
> to modify the size of the image. By choosing a path 
> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the
> same attack while simultaneously using a large image size. The raw
> image would be 381M (assuming 8bits/pixel) in this case. A png
> version will likely be smaller, say 4M? So now you have an
> amplification of 4M/request. Note that this query can get a node
> into swapping, because rrdtool needs to create the whole image in
> main memory.
> 
> Hope this helps

Ouch.

> Helmut


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Wed, 18 Apr 2012 05:21:03 GMT)

Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Wed, 18 Apr 2012 05:21:03 GMT)

Message #24 received at 668667@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Kurt Seifried <kseifried@redhat.com>
Cc: oss-security@lists.openwall.com, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>, 668667@bugs.debian.org
Subject: Re: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Wed, 18 Apr 2012 07:16:21 +0200
On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
> On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> > The basic requirement is that a plugin called vmstat is configured
> > for the node localhost.localdomain. I just picked it as an example,
> > cause it is present on my system. In practice any plugin for any
> > host will do.
> 
> Is this the default configuration?

I am not that sure about the defaults, because I changed them. However,
running a Munin without any plugins is pointless. It is like running a
mail server that does not transport any mail. You don't even have to
guess the name of a configured plugin, because those images are linked
from the html. Finding a configured plugin is really no issue on any
sane munin installation. Sane administrators may have restricted
access to munin to themselves so as not to expose the monitoring results
to the public, though.

Helmut




Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Thu, 19 Apr 2012 00:39:03 GMT)

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 19 Apr 2012 00:39:03 GMT)

Message #29 received at 668667@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com
Cc: Helmut Grohne <helmut@subdivi.de>, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>, 668667@bugs.debian.org
Subject: Re: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Wed, 18 Apr 2012 18:37:09 -0600

On 04/17/2012 11:16 PM, Helmut Grohne wrote:
> On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
>> On 04/16/2012 11:34 PM, Helmut Grohne wrote:
>>> The basic requirement is that a plugin called vmstat is
>>> configured for the node localhost.localdomain. I just picked it
>>> as an example, cause it is present on my system. In practice
>>> any plugin for any host will do.
>> 
>> Is this the default configuration?
> 
> I am not that sure about the defaults, because I changed them.
> However running a Munin without any plugins is pointless. It is
> like running a mail server that does not transport any mail. You
> don't even have to guess the name of a configured plugin, because
> those images are linked from the html. Finding a configured plugin
> is really no issue on any sane munin installation. Sane
> administrators may have restricted access to munin to themselves
> so as not to expose the monitoring results to the public, though.
> 
> Helmut

If anyone can comment on this (default/not), and if you install a
plugin does it expose it publicly or does the administrator have to
enable remote access?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Thu, 19 Apr 2012 01:27:03 GMT)

Acknowledgement sent to Kenyon Ralph <kenyon@kenyonralph.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 19 Apr 2012 01:27:03 GMT)

Message #34 received at 668667@bugs.debian.org:

From: Kenyon Ralph <kenyon@kenyonralph.com>
To: Kurt Seifried <kseifried@redhat.com>, 668667@bugs.debian.org
Cc: oss-security@lists.openwall.com, Helmut Grohne <helmut@subdivi.de>, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Wed, 18 Apr 2012 18:23:46 -0700
On 2012-04-18T18:37:09-0600, Kurt Seifried <kseifried@redhat.com> wrote:
> On 04/17/2012 11:16 PM, Helmut Grohne wrote:
> > On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
> > > On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> > > > The basic requirement is that a plugin called vmstat is
> > > > configured for the node localhost.localdomain. I just picked it
> > > > as an example, cause it is present on my system. In practice
> > > > any plugin for any host will do.
> > > 
> > > Is this the default configuration?
> > 
> > I am not that sure about the defaults, because I changed them.
> > However running a Munin without any plugins is pointless. It is
> > like running a mail server that does not transport any mail. You
> > don't even have to guess the name of a configured plugin, because
> > those images are linked from the html. Finding a configured plugin
> > is really no issue on any sane munin installation. Sane
> > administrators may have restricted access to munin to themselves
> > so as not to expose the monitoring results to the public, though.
> > 
> > Helmut
> 
> If anyone can comment on this (default/not), and if you install a
> plugin does it expose it publicly or does the administrator have to
> enable remote access?

The packaging of munin node determines whether it will install
symlinks for enabling plugins. The packaging of munin master
determines whether a configuration for your httpd is installed and
activated.

On Debian, symlinks to enable plugins are installed by default, and an
apache2 configuration is automatically activated. So, on Debian, if
your httpd is publicly-accessible, the munin pages and CGI will be
publicly-accessible.

-- 
Kenyon Ralph

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Thu, 19 Apr 2012 06:33:05 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 19 Apr 2012 06:33:05 GMT)

Message #39 received at 668667@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 668667@bugs.debian.org
Cc: Kurt Seifried <kseifried@redhat.com>, oss-security@lists.openwall.com, Helmut Grohne <helmut@subdivi.de>, "Steven M. Christey" <coley@linus.mitre.org>, Jan Lieskovsky <jlieskov@redhat.com>
Subject: Re: [Packaging] Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Thu, 19 Apr 2012 08:29:46 +0200
On Thursday, 19 April 2012, Kenyon Ralph wrote:
> On Debian, symlinks to enable plugins are installed by default, and an
> apache2 configuration is automatically activated. So, on Debian, if
> your httpd is publicly-accessible, the munin pages and CGI will be
> publicly-accessible.

though on Debian, apache is only accessible on localhost by default.




Added tag(s) pending. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Fri, 27 Apr 2012 15:39:15 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Fri, 27 Apr 2012 15:45:02 GMT)

Acknowledgement sent to Steve Schnepp <steve.schnepp@gmail.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Fri, 27 Apr 2012 15:45:03 GMT)

Message #46 received at 668667@bugs.debian.org:

From: Steve Schnepp <steve.schnepp@gmail.com>
To: Kurt Seifried <kseifried@redhat.com>, 668667@bugs.debian.org
Cc: oss-security@lists.openwall.com, Helmut Grohne <helmut@subdivi.de>, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Fri, 27 Apr 2012 17:41:48 +0200
On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifried@redhat.com> wrote:
>> In addition munin parses parts of the query string. You are allowed
>> to modify the size of the image. By choosing a path
>> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the
>> same attack while simultaneously using a large image size. The raw
>> image would be 381M (assuming 8bits/pixel) in this case. A png
>> version will likely be smaller, say 4M? So now you have an
>> amplification of 4M/request. Note that this query can get a node
>> into swapping, because rrdtool needs to create the whole image in
>> main memory.

> Ouch.

I believe I fixed the bug in r4825, since:
- url with query string aren't stored permanently anymore.
- /tmp isn't used anymore per default (to fix #668536)

Could you confirm that?

OTOH, the issue about very big imgs that gets the cgi into swapping
isn't the same bug to me.

As Helmut noticed, there is already a size cap in rrd, so do I still
need to implement one in munin? If yes, would you mind filing another
bug report (for RAM exhaustion)?

Thx !

r4825: http://munin-monitoring.org/changeset/4825

--
Steve Schnepp
http://blog.pwkf.org/

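An added illustration (Python, not Munin's own Perl code) of the two behaviours discussed in Helmut's message #14 and Steve's message #46 above: the rc4-era cache path that embeds the query string under /tmp, beside a hardened handler in the spirit of the r4825 fix (parameterised URLs are rendered but never kept, the cache lives in a dedicated directory, path segments are validated, and size_x/size_y are capped). The cap values, defaults and the allow-list regex are assumptions; only the two directories and the 20000x20000 figure come from the thread.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

CGI_PREFIX = "/cgi-bin/munin-cgi-graph/"

# Both directories are quoted from the thread: the pre-fix default and the
# location the 2.0~rc6 changelog moves the CGI output to.
OLD_CACHE_ROOT = "/tmp/munin-cgi-graph"
NEW_CACHE_ROOT = "/var/lib/munin/cgi-tmp"

# Assumed values: the changelog only says "add a max setting for cgi image
# size" without naming a number, and the defaults are illustrative.
MAX_SIZE_X = 4000
MAX_SIZE_Y = 2000
DEFAULT_SIZE_X = 400
DEFAULT_SIZE_Y = 175

# Assumed allow-list for one path segment (group, host, image name).
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def vulnerable_cache_path(request_uri: str) -> str:
    """Model of the rc4 behaviour from the report: everything after the CGI
    prefix, query string included, becomes the cached filename, so every
    distinct '?...' suffix yields a new file that is never removed."""
    rel = request_uri.split(CGI_PREFIX, 1)[1]
    return os.path.join(OLD_CACHE_ROOT, rel)


def raw_image_bytes(size_x: int, size_y: int, bits_per_pixel: int = 8) -> int:
    """Uncompressed canvas rrdtool has to hold in RAM before PNG encoding;
    this is the 381M figure (20000x20000 at 8 bits/pixel) from the thread."""
    return size_x * size_y * bits_per_pixel // 8


def _bounded_int(params: dict, key: str, default: int, maximum: int) -> int:
    values = params.get(key)
    if values is None:
        return default
    try:
        value = int(values[0])
    except ValueError:
        raise ValueError(f"{key} is not an integer") from None
    if not 1 <= value <= maximum:
        raise ValueError(f"{key}={value} outside 1..{maximum}")
    return value


def hardened_request(request_uri: str):
    """Model of the rc6-style handling. Returns (cache_path, size_x, size_y);
    cache_path is None when the URL carries parameters (render, don't keep).
    Raises ValueError for anything the CGI should answer with HTTP 404."""
    parts = urlsplit(request_uri)
    if not parts.path.startswith(CGI_PREFIX):
        raise ValueError("not a munin-cgi-graph URL")
    segments = parts.path[len(CGI_PREFIX):].split("/")
    # Expect exactly group/host/image.png; reject "." and ".." explicitly
    # (the character class alone would let ".." through) and any character
    # outside the allow-list.
    if len(segments) != 3 or any(
        s in (".", "..") or not SEGMENT_RE.match(s) for s in segments
    ):
        raise ValueError("invalid url characters")
    if not segments[2].endswith(".png"):
        raise ValueError("unsupported image name")

    params = parse_qs(parts.query, keep_blank_values=True)
    size_x = _bounded_int(params, "size_x", DEFAULT_SIZE_X, MAX_SIZE_X)
    size_y = _bounded_int(params, "size_y", DEFAULT_SIZE_Y, MAX_SIZE_Y)

    # Only parameter-less URLs are cached, and only under a directory that
    # is not shared with other /tmp users.
    cache_path = None if parts.query else os.path.join(NEW_CACHE_ROOT, *segments)
    return cache_path, size_x, size_y


def is_rejected(request_uri: str) -> bool:
    """True when the hardened handler would answer HTTP 404 for this URL."""
    try:
        hardened_request(request_uri)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = CGI_PREFIX + "localdomain/localhost.localdomain/vmstat-day.png"
    print("rc4 cache path:", vulnerable_cache_path(base + "?foo"))
    print("raw 20000x20000 canvas:", raw_image_bytes(20000, 20000) // 2**20, "MiB")
    print("rc6-style, no params:", hardened_request(base))
    print("rc6-style, with params:", hardened_request(base + "?size_x=800&x1"))
    print("rejected oversize:", is_rejected(base + "?size_x=20000&size_y=20000"))
```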



Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#668667; Package munin. (Sun, 29 Apr 2012 06:57:03 GMT)

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sun, 29 Apr 2012 06:57:03 GMT)

Message #51 received at 668667@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: Steve Schnepp <steve.schnepp@gmail.com>
Cc: 668667@bugs.debian.org, oss-security@lists.openwall.com, Helmut Grohne <helmut@subdivi.de>, Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
Date: Sun, 29 Apr 2012 00:55:47 -0600

On 04/27/2012 09:41 AM, Steve Schnepp wrote:
> On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifried@redhat.com>
> wrote:
>>> In addition munin parses parts of the query string. You are
>>> allowed to modify the size of the image. By choosing a path 
>>> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the 
>>> same attack while simultaneously using a large image size. The
>>> raw image would be 381M (assuming 8bits/pixel) in this case. A
>>> png version will likely be smaller, say 4M? So now you have an 
>>> amplification of 4M/request. Note that this query can get a
>>> node into swapping, because rrdtool needs to create the whole
>>> image in main memory.

Please use CVE-2012-2147 for this issue (specifying the size = lots of
ram/storage space used up during image creation).

> 
>> Ouch.
> 
> I believe I fixed the bug in r4825, since:
> - url with query string aren't stored permanently anymore.
> - /tmp isn't used anymore per default (to fix #668536)
> 
> Could you confirm that?
> 
> OTOH, the issue about very big imgs that gets the cgi into
> swapping isn't the same bug to me.
> 
> As Helmut noticed, there is already a size cap in rrd, so do I
> still need to implement one in munin? If yes, would you mind filing
> another bug report (for RAM exhaustion)?
> 
> Thx !
> 
> r4825: http://munin-monitoring.org/changeset/4825
> 
> -- Steve Schnepp http://blog.pwkf.org/


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Bug 668667 cloned as bug 670811. Request was from Steve Schnepp <steve.schnepp@gmail.com> to control@bugs.debian.org. (Sun, 29 Apr 2012 08:58:46 GMT)

Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Sun, 13 May 2012 16:24:11 GMT)

Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Sun, 13 May 2012 16:24:12 GMT)

Message #58 received at 668667-close@bugs.debian.org:

From: Holger Levsen <holger@debian.org>
To: 668667-close@bugs.debian.org
Subject: Bug#668667: fixed in munin 2.0~rc6-1
Date: Sun, 13 May 2012 16:22:13 +0000
Source: munin
Source-Version: 2.0~rc6-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive:

munin-async_2.0~rc6-1_all.deb
  to main/m/munin/munin-async_2.0~rc6-1_all.deb
munin-common_2.0~rc6-1_all.deb
  to main/m/munin/munin-common_2.0~rc6-1_all.deb
munin-doc_2.0~rc6-1_all.deb
  to main/m/munin/munin-doc_2.0~rc6-1_all.deb
munin-node_2.0~rc6-1_all.deb
  to main/m/munin/munin-node_2.0~rc6-1_all.deb
munin-plugins-core_2.0~rc6-1_all.deb
  to main/m/munin/munin-plugins-core_2.0~rc6-1_all.deb
munin-plugins-extra_2.0~rc6-1_all.deb
  to main/m/munin/munin-plugins-extra_2.0~rc6-1_all.deb
munin-plugins-java_2.0~rc6-1_all.deb
  to main/m/munin/munin-plugins-java_2.0~rc6-1_all.deb
munin_2.0~rc6-1.diff.gz
  to main/m/munin/munin_2.0~rc6-1.diff.gz
munin_2.0~rc6-1.dsc
  to main/m/munin/munin_2.0~rc6-1.dsc
munin_2.0~rc6-1_all.deb
  to main/m/munin/munin_2.0~rc6-1_all.deb
munin_2.0~rc6.orig.tar.gz
  to main/m/munin/munin_2.0~rc6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 13 May 2012 18:01:59 +0200
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0~rc6-1
Distribution: unstable
Urgency: low
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 668536 668666 668667 668778 669230 669816 670428 670811
Changes: 
 munin (2.0~rc6-1) unstable; urgency=low
 .
   [ Holger Levsen ]
   * New upstream release candidate, quoting the upstream Changelog:
     - Many bugfixes in munin-cgi-graph:
       - if url parameters are not valid, send HTTP 404 instead of 500
       - move the generation of png via cgi under /var/lib/munin/cgi-tmp/
         (Closes:  #668536)
       - don't cache URL with parameters anymore, and don't keep uncached URLs
         (Closes: #668667)
       - validate url characters (Closes: #668666)
       - add a max setting for cgi image size. (Closes: #670811)
     - Plugin fixes:
       - add explicit license for all plugins. (Closes: #670428)
       - hddtemp_smartctl: just use the device name as the labels
       - qmailscan: remove the use of tempfiles. (Closes: #668778)
   * munin.NEWS: document that "cgitmpdir /var/lib/munin/cgi-tmp" has to be
     set in munin.conf.
   * munin-node.postinst: chmod 755 /var/log/munin (Closes: #669230)
   * munin.postinst: make /var/lib/munin/cgi-tmp writable for group www-data.
 .
   [ Matthias Schmitz ]
   * Add installation of apache configuration to /etc/apache2/conf-available as
     needed by Apache 2.4. (Closes: #669816)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Jun 2012 07:51:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:17 2019; Machine Name: beach
