munin: CVE-2017-6188: munin-cgi-graph local file write vulnerability

Related Vulnerabilities: CVE-2017-6188  

Debian Bug report logs - #855705
munin: CVE-2017-6188: munin-cgi-graph local file write vulnerability

Reported by: Tomaž Šolc <tomaz.solc@tablix.org>

Date: Tue, 21 Feb 2017 13:45:04 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions munin/2.0.25-1, munin/2.0.6-1, munin/2.0.6-4+deb7u2

Fixed in versions 2.0.6-4+deb7u4, munin/2.0.25-1+deb8u3, munin/2.0.31-1, munin/2.0.25-1+deb8u1, munin/2.999.6-1, 2.0.6-4+deb7u3

Done: Holger Levsen <holger@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/munin-monitoring/munin/issues/721



Report forwarded to debian-bugs-dist@lists.debian.org, tomaz.solc@tablix.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Tue, 21 Feb 2017 13:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Tomaž Šolc <tomaz.solc@tablix.org>:
New Bug report received and forwarded. Copy sent to tomaz.solc@tablix.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>. (Tue, 21 Feb 2017 13:45:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Tomaž Šolc <tomaz.solc@tablix.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: munin-cgi-graph local file write vulnerability
Date: Tue, 21 Feb 2017 14:42:26 +0100
[Message part 1 (text/plain, inline)]
Package: munin
Version: 2.0.25-1
Severity: grave
Tags: security patch
Justification: user security hole

Dear Maintainers,

The Munin package in Jessie has a local file write vulnerability when CGI graphs are
enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible to the www-data user.

This was originally reported on GitHub by sstj here:

https://github.com/munin-monitoring/munin/issues/721

For example, requesting a URL like the following will create "/tmp/test":

http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test

Attached is a simple patch that fixes the problem.

Best regards
Tomaž
[0002-fix-parameter-injection.patch (text/x-diff, attachment)]
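The mechanism behind the report above, as an added illustration that is neither Munin's code nor the attached patch: when CGI::param is evaluated in list context it returns every value of a repeated parameter, so pushing it straight into a command argument list turns the extra values into extra options; the hardened builder refuses a repeated parameter and only accepts a numeric value. The query string and the `build_args_*` functions are constructed for this example and assume the CGI module is installed (core before Perl 5.22, libcgi-pm-perl on Debian).

```perl
#!/usr/bin/perl
# Added example, not code from Munin or from the patch attached to this bug.
# Shows why a repeated GET parameter can become extra rrdtool options
# and how to take one validated value instead.
use strict;
use warnings;
use CGI;

# Constructed query string modelled on the request quoted in the report.
my $QUERY = 'upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test';

# Vulnerable pattern: inside push's argument list, CGI::param runs in list
# context and returns all three values, so "--output-file" and "/tmp/test"
# land in the argument list as if the script had asked for them.
# (Recent CGI.pm versions print a warning for exactly this call shape.)
sub build_args_vulnerable {
    my ($cgi) = @_;
    my @args = ('graph', 'out.png');
    if (defined $cgi->param('upper_limit')) {   # 'defined' is scalar context
        push @args, '--upper-limit', $cgi->param('upper_limit');
    }
    return @args;
}

# Hardened pattern: reject a repeated parameter outright and accept the
# single value only if it looks like a number, which is all that
# --upper-limit can legitimately take.
sub build_args_hardened {
    my ($cgi) = @_;
    my @args = ('graph', 'out.png');
    # Deliberate list context here, used only to detect repetition.
    my @values = $cgi->param('upper_limit');
    return @args unless @values;
    die "upper_limit given more than once\n" if @values > 1;
    my $limit = $values[0];
    die "upper_limit must be numeric\n"
        unless $limit =~ /\A-?\d+(?:\.\d+)?\z/;
    push @args, '--upper-limit', $limit;
    return @args;
}

# CGI->new accepts a raw query string, so this runs without a web server.
my $cgi = CGI->new($QUERY);
print "vulnerable argv: ", join(' ', build_args_vulnerable($cgi)), "\n";

my @safe = eval { build_args_hardened($cgi) };
my $msg = $@ ? "hardened: request rejected: $@" : "hardened argv: @safe\n";
print $msg;

# A well-formed single value passes the hardened builder unchanged.
my $ok = CGI->new('upper_limit=100');
print "hardened argv (single value): ", join(' ', build_args_hardened($ok)), "\n";
```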

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Tue, 21 Feb 2017 14:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Tue, 21 Feb 2017 14:03:03 GMT) (full text, mbox, link).


Message #10 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Tomaž Šolc <tomaz.solc@tablix.org>, 855705@bugs.debian.org
Subject: Re: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Tue, 21 Feb 2017 14:01:15 +0000
[Message part 1 (text/plain, inline)]
control: forwarded -1 https://github.com/munin-monitoring/munin/issues/721
control: tags -1 + upstream

Hi Tomaž,

On Tue, Feb 21, 2017 at 02:42:26PM +0100, Tomaž Šolc wrote:
> The Munin package in Jessie has a local file write vulnerability when CGI graphs are
> enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
> file accessible to the www-data user.
> 
> This was originally reported on GitHub by sstj here:
> https://github.com/munin-monitoring/munin/issues/721

thank you for filing a bug report in the Debian BTS too, much appreciated!

> Attached is a simple patch that fixes the problem.

wow, that's even more appreciated! :)

I've notified upstream via irc and left a note in the github issue and asked
to do a 2.0.31 release too. Nonetheless we'll also need to fix this in
2.0.25-2 for Debian stable.

Did you check whether 2.0.6 is affected as well? 2.999.6?


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://github.com/munin-monitoring/munin/issues/721'. Request was from Holger Levsen <holger@layer-acht.org> to 855705-submit@bugs.debian.org. (Tue, 21 Feb 2017 14:03:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Holger Levsen <holger@layer-acht.org> to 855705-submit@bugs.debian.org. (Tue, 21 Feb 2017 14:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Tue, 21 Feb 2017 14:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Tomaž Šolc <tomaz.solc@tablix.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Tue, 21 Feb 2017 14:39:03 GMT) (full text, mbox, link).


Message #19 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Tomaž Šolc <tomaz.solc@tablix.org>
To: Holger Levsen <holger@layer-acht.org>, 855705@bugs.debian.org
Subject: Re: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Tue, 21 Feb 2017 15:22:17 +0100
[Message part 1 (text/plain, inline)]
On 21. 02. 2017 15:01, Holger Levsen wrote:
> Did you check whether 2.0.6 is affected as well? 2.999.6?

No, I did not check 2.0.6 or 2.999.6.

Parameter handling seems to have been rewritten in 2.999.6. Looking at
the source, it does not seem to be vulnerable to this specific problem:

https://github.com/munin-monitoring/munin/blob/2.999.6/lib/Munin/Master/Graph.pm#L557

Best regards
Tomaž

[signature.asc (application/pgp-signature, attachment)]

Changed Bug title to 'munin: CVE-2017-6188: munin-cgi-graph local file write vulnerability' from 'munin-cgi-graph local file write vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Feb 2017 18:21:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Thu, 23 Feb 2017 08:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 23 Feb 2017 08:48:03 GMT) (full text, mbox, link).


Message #26 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tomaž Šolc <tomaz.solc@tablix.org>, 855705@bugs.debian.org
Cc: Holger Levsen <holger@layer-acht.org>, team@security.debian.org
Subject: Re: Bug#855705: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Thu, 23 Feb 2017 09:44:33 +0100
Hi

I prepared an update for jessie-security. Could you verify that the
packages at https://people.debian.org/~carnil/tmp/munin/ are still
functioning as expected?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Thu, 23 Feb 2017 10:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Tomaž Šolc <tomaz.solc@tablix.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 23 Feb 2017 10:03:03 GMT) (full text, mbox, link).


Message #31 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Tomaž Šolc <tomaz.solc@tablix.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 855705@bugs.debian.org
Cc: Holger Levsen <holger@layer-acht.org>, team@security.debian.org
Subject: Re: Bug#855705: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Thu, 23 Feb 2017 10:58:15 +0100
[Message part 1 (text/plain, inline)]
On 23. 02. 2017 09:44, Salvatore Bonaccorso wrote:
> I prepared an update for jessie-security. Could you verify that the
> packages at https://people.debian.org/~carnil/tmp/munin/ are still
> functioning as expected?

Thanks for the update! I installed your packages and they work as
expected with my Munin setup.

As far as I can see, they aren't vulnerable.

Best regards
Tomaž

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Thu, 23 Feb 2017 10:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 23 Feb 2017 10:57:05 GMT) (full text, mbox, link).


Message #36 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Cc: Tomaž Šolc <tomaz.solc@tablix.org>, 855705@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#855705: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Thu, 23 Feb 2017 10:52:10 +0000
[Message part 1 (text/plain, inline)]
Hi Salvatore,

On Thu, Feb 23, 2017 at 09:44:33AM +0100, Salvatore Bonaccorso wrote:
> I prepared an update for jessie-security. Could you verify that the
> packages at https://people.debian.org/~carnil/tmp/munin/ are still
> functioning as expected?

please wait with releasing this until 2.0.31 has been released by upstream
tomorrow, or at least until upstream (cc:ed) has confirmed this is the right patch?


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Thu, 23 Feb 2017 12:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 23 Feb 2017 12:03:03 GMT) (full text, mbox, link).


Message #41 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 855705@bugs.debian.org
Cc: Steve Schnepp <steve.schnepp@munin-monitoring.org>, Tomaž Šolc <tomaz.solc@tablix.org>, team@security.debian.org
Subject: Re: Bug#855705: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Thu, 23 Feb 2017 12:58:25 +0100
Hi Holger,

On Thu, Feb 23, 2017 at 10:52:10AM +0000, Holger Levsen wrote:
> Hi Salvatore,
> 
> On Thu, Feb 23, 2017 at 09:44:33AM +0100, Salvatore Bonaccorso wrote:
> > I prepared an update for jessie-security. Could you verify that the
> > packages at https://people.debian.org/~carnil/tmp/munin/ are still
> > functioning as expected?
> 
> please wait with releasing this until 2.0.31 has been released by upstream
> tomorrow, or at least until upstream (cc:ed) has confirmed this is the right patch?

Sure!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Thu, 23 Feb 2017 14:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 23 Feb 2017 14:36:03 GMT) (full text, mbox, link).


Message #46 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: 855705@bugs.debian.org
Subject: Re: [Packaging] Bug#855705: Bug#855705: munin-cgi-graph local file write vulnerability
Date: Thu, 23 Feb 2017 14:33:55 +0000
[Message part 1 (text/plain, inline)]
control: notfound -1 2.999.6-1
# confirmed by upstream

-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Thu, 23 Feb 2017 18:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Schnepp <steve.schnepp@munin-monitoring.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 23 Feb 2017 18:27:06 GMT) (full text, mbox, link).


Message #51 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Steve Schnepp <steve.schnepp@munin-monitoring.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: team@security.debian.org, Salvatore Bonaccorso <carnil@debian.org>, 855705@bugs.debian.org, "Tomaž Šolc" <tomaz.solc@tablix.org>
Subject: Re: Bug#855705: [Packaging] Bug#855705: munin-cgi-graph local file write vulnerability
Date: Thu, 23 Feb 2017 19:24:20 +0100
[Message part 1 (text/plain, inline)]
On Feb 23, 2017 11:52 AM, "Holger Levsen" <holger@layer-acht.org> wrote:

> tomorrow, or at least until upstream (cc:ed) has confirmed this is the
> right patch?


The patch is indeed quite minimal, and addresses the issue. It therefore
looks very ok to me.

Note that I did not plan to take it as is, but use the 2.999.x code snippet
instead which doesn't have the bug.

I'll plan to do a secfix upstream release tomorrow so you'll have the
choice of which patch you take ;-)

Thanks!
-- 
Steve
[Message part 2 (text/html, inline)]

Marked as found in versions munin/2.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 24 Feb 2017 09:45:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Fri, 24 Feb 2017 11:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Fri, 24 Feb 2017 11:27:04 GMT) (full text, mbox, link).


Message #58 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: munin-monitoring/munin <reply+00216bbf9d66e2479937b9c421c3c340cfa6b8fddbbc151992cf0000000114c7c0f392a169ce0a00b366@reply.github.com>, 855705@bugs.debian.org
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Fri, 24 Feb 2017 11:24:42 +0000
[Message part 1 (text/plain, inline)]
control: found -1 2.0.6-4+deb7u2
control: tags -1 pending
thanks

On Fri, Feb 24, 2017 at 01:37:55AM -0800, mejo- wrote:
> I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's vulnerable too.
> The proposed patch by Tomaž Šolc from [Debian Bugreport #855705](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705#5) fixes this particular vulnerability.

thanks, mejo, for confirming this both!


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions munin/2.0.6-4+deb7u2. Request was from Holger Levsen <holger@layer-acht.org> to 855705-submit@bugs.debian.org. (Fri, 24 Feb 2017 11:27:04 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Holger Levsen <holger@layer-acht.org> to 855705-submit@bugs.debian.org. (Fri, 24 Feb 2017 11:27:05 GMT) (full text, mbox, link).


Marked as fixed in versions munin/2.999.6-1. Request was from Tomaž Šolc <tomaz.solc@tablix.org> to control@bugs.debian.org. (Fri, 24 Feb 2017 13:39:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Fri, 24 Feb 2017 20:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Fri, 24 Feb 2017 20:21:07 GMT) (full text, mbox, link).


Message #69 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Jonas Meurer <jonas@freesources.org>
To: 855705@bugs.debian.org
Cc: Steve Schnepp <steve.schnepp@munin-monitoring.org>, Holger Levsen <holger@layer-acht.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Fri, 24 Feb 2017 21:00:00 +0100
[Message part 1 (text/plain, inline)]
Hi Holger, hi Steve,

On Fri, 24 Feb 2017 11:24:42 +0000 Holger Levsen <holger@layer-acht.org>
wrote:
> On Fri, Feb 24, 2017 at 01:37:55AM -0800, mejo- wrote:
> > I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's
> > vulnerable too.
> > The proposed patch by Tomaž Šolc from Debian Bugreport #855705
> > fixes this particular vulnerability.
> 
> thanks, mejo, for confirming this both!

I already prepared 2.0.6-4+deb7u3 with Tomaž' patch for
wheezy-security. As Steve announced an upstream fix for the 2.4 branch
for today, I waited somewhat longer with the upload.

On Thu, 23 Feb 2017 19:24:20 +0100 Steve Schnepp
<steve.schnepp@munin-monitoring.org> wrote:
> The patch is indeed quite minimal, and addresses the issue. It therefore
> looks very ok to me.
>
> Note that I did not plan to take it as is, but use the 2.999.x code
> snippet instead which doesn't have the bug.
>
> I'll plan to do a secfix upstream release tomorrow so you'll have the
> choice of which patch you take ;-)

Steve, do you still plan to do the upstream fix anytime soon? Also, as
you intend to backport the changes from munin 2.999, I guess that your
fix will be much more intrusive, right?

I'm inclined to upload munin 2.0.6-4+deb7u3 with Tomaž' patch to
wheezy-security tomorrow.

Holger, do you take care of the upload to unstable yourself? Probably a
straightforward patch (without too much new code) would be good there
as well, to simplify/speed up the transition to Stretch.

Cheers,
 jonas

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Fri, 24 Feb 2017 20:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Fri, 24 Feb 2017 20:33:03 GMT) (full text, mbox, link).


Message #74 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Jonas Meurer <jonas@freesources.org>
Cc: 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Fri, 24 Feb 2017 20:30:44 +0000
[Message part 1 (text/plain, inline)]
On Fri, Feb 24, 2017 at 09:00:00PM +0100, Jonas Meurer wrote:
> I already prepared 2.0.6-4+deb7u3 with Tomaž' patch for
> wheezy-security.

thanks for this, though maybe the patch from 2.0.31 will be better?

(once 2.0.31 is released which Steve planned to do today…)

> I'm inclined to upload munin 2.0.6-4+deb7u3 with Tomaž' patch to
> wheezy-security tomorrow.

see above…
 
> Holger, do you take care of the upload to unstable yourself?

yes

> Probably a
> straightforward patch (without too much new code) would be good there
> as well, to simplify/speed up the transition to Stretch.

I rather hope that 2.0.31 will be suitable for this ;-)


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sat, 25 Feb 2017 16:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 25 Feb 2017 16:15:07 GMT) (full text, mbox, link).


Message #79 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Jonas Meurer <jonas@freesources.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sat, 25 Feb 2017 17:11:56 +0100
[Message part 1 (text/plain, inline)]
Hi Holger, hi Steve,

first, thanks to Steve for patching munin 2.0 upstream:
https://github.com/munin-monitoring/munin/commit/42ce18f24d3eae8be33526a198bf21e4f2330230

On 24.02.2017 at 21:30, Holger Levsen wrote:
> On Fri, Feb 24, 2017 at 09:00:00PM +0100, Jonas Meurer wrote:
>> I already prepared 2.0.6-4+deb7u3 with Tomaž' patch for
>> wheezy-security.
> 
> thanks for this, though maybe the patch from 2.0.31 will be better?
> 
> (once 2.0.31 is released which Steve planned to do today…)

Indeed, Steve's upstream fix is way less intrusive than I expected. So I
just uploaded munin 2.0.6+deb7u3 with his patch applied to wheezy-security.

Holger, do you also take care of munin 2.0.29-1~bpo8+1 from
jessie-backports?

Cheers,
 jonas


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sat, 25 Feb 2017 16:39:08 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 25 Feb 2017 16:39:08 GMT) (full text, mbox, link).


Message #84 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Jonas Meurer <jonas@freesources.org>, Salvatore Bonaccorso <carnil@debian.org>
Cc: 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sat, 25 Feb 2017 16:36:07 +0000
[Message part 1 (text/plain, inline)]
On Sat, Feb 25, 2017 at 05:11:56PM +0100, Jonas Meurer wrote:
> first, thanks to Steve for patching munin 2.0 upstream:
> https://github.com/munin-monitoring/munin/commit/42ce18f24d3eae8be33526a198bf21e4f2330230

indeed!
 
> Indeed, Steve's upstream fix is way less intrusive than I expected. So I
> just uploaded munin 2.0.6+deb7u3 with his patch applied to wheezy-security.

cool!
 
> Holger, do you also take care of munin 2.0.29-1~bpo8+1 from
> jessie-backports?

I plan to first fix unstable (within the next 1-2h), then ask the release team
to unblock it and reduce its migration time to two days and then upload
2.0.31-1~bpo8+1 to jessie-bpo.

Salvatore, will you take care of fixing 2.0.25-1 in jessie? Once that is out,
I can upload that as ~bpo7+1 to wheezy-bpo…


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sat, 25 Feb 2017 18:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 25 Feb 2017 18:51:05 GMT) (full text, mbox, link).


Message #89 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: Jonas Meurer <jonas@freesources.org>, 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sat, 25 Feb 2017 19:49:13 +0100
Hi Holger,

On Sat, Feb 25, 2017 at 04:36:07PM +0000, Holger Levsen wrote:
> Salvatore, will you take care of fixing 2.0.25-1 in jessie? Once that is out,
> I can upload that as ~bpo7+1 to wheezy-bpo…

Yes, I will (and have already prepared the package), but need to
release the DSA yet.

Btw, can you import the dsc in a debian-jessie branch in git once
released? I tried to build from git, but apparently there was a change
not represented, and I could not build from git a proper package with
a clean debdiff as I have taken the source package from the archive
and applied my changes. Not sure if I used the packaging layout
wrong. So if you can just import the dsc once released, and have a
look that would be awesome! It is most likely just me doing something
wrong with the packaging repo.

Regards,
Salvatore



Marked as fixed in versions 2.0.6-4+deb7u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Feb 2017 19:03:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sat, 25 Feb 2017 19:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 25 Feb 2017 19:33:05 GMT) (full text, mbox, link).


Message #96 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Jonas Meurer <jonas@freesources.org>, 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sat, 25 Feb 2017 19:29:47 +0000
[Message part 1 (text/plain, inline)]
On Sat, Feb 25, 2017 at 07:49:13PM +0100, Salvatore Bonaccorso wrote:
> Yes, I will (and have already prepared the package), but need to
> release the DSA yet.

uhm, why not? I don't understand…

+when do you plan to release the DSA? The DLA already has been released.

(and for sid I'm waiting for a 2.0.31 tarball… the git tag is there…)
 
> Btw, can you import the dsc in a debian-jessie branch in git once
> released?

sure

> I tried to build from git, but apparently there was a change
> not represented, and I could not build from git a proper package with
> a clean debdiff as I have taken the source package from the archive
> and applied my changes. Not sure if I used the packaging layout
> wrong.

I think it's just the RELEASE file which needs to be removed from git there.
(It's gone from master…)

> So if you can just import the dsc once released, and have a
> look that would be awesome! It is most likely just me doing something
> wrong with the packaging repo.

will do, please ping me once you uploaded in case I'll forget.

-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sat, 25 Feb 2017 20:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 25 Feb 2017 20:51:04 GMT) (full text, mbox, link).


Message #101 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: Jonas Meurer <jonas@freesources.org>, 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sat, 25 Feb 2017 21:48:35 +0100
Hi Holger,

On Sat, Feb 25, 2017 at 07:29:47PM +0000, Holger Levsen wrote:
> On Sat, Feb 25, 2017 at 07:49:13PM +0100, Salvatore Bonaccorso wrote:
> > Yes, I will (and have already prepared the package), but need to
> > release the DSA yet.
> 
> uhm, why not? I don't understand…

Well, basically because I was not sitting the whole time in front of
my laptop ;-)

It is out now as DSA-3794-1.

> +when do you plan to release the DSA? The DLA already has been released.

Done.

> (and for sid I'm waiting for a 2.0.31 tarball… the git tag is there…)

Cool thanks for working on 2.0.31-1!

> > Btw, can you import the dsc in a debian-jessie branch in git once
> > released?
> 
> sure
> 
> > I tried to build from git, but apparently there was a change
> > not represented, and I could not build from git a proper package with
> > a clean debdiff as I have taken the source package from the archive
> > and applied my changes. Not sure if I used the packaging layout
> > wrong.
> 
> I think it's just the RELEASE file which needs to be removed from git there.
> (It's gone from master…)

Yes exactly, it was about the RELEASE file indeed.

> > So if you can just import the dsc once released, and have a
> > look that would be awesome! It is most likely just me doing something
> > wrong with the packaging repo.
> 
> will do, please ping me once you uploaded in case I'll forget.

*ping*. Thanks a lot for handling it.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sat, 25 Feb 2017 23:00:10 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sat, 25 Feb 2017 23:00:10 GMT) (full text, mbox, link).


Message #106 received at 855705@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Jonas Meurer <jonas@freesources.org>, 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sat, 25 Feb 2017 22:57:57 +0000
[Message part 1 (text/plain, inline)]
Hi Salvatore,

On Sat, Feb 25, 2017 at 09:48:35PM +0100, Salvatore Bonaccorso wrote:
> Well, basically because I was not sitting the whole time in front of
> my laptop ;-)

ah, that makes perfect sense! :)
 
> It is out now as DSA-3794-1.

cool, thanks!

> Cool thanks for working on 2.0.31-1!

just now uploaded to sid!
 
> > I think it's just the RELEASE file which needs to be removed from git there.
> > (It's gone from master…)
> Yes exactly, it was about the RELEASE file indeed.

ah, sigh…
 
> > will do, please ping me once you uploaded in case I'll forget. 
> *ping*. Thanks a lot for handling it.

will import in a moment, together with the wheezy-lts upload.

Thanks all!


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 25 Feb 2017 23:09:08 GMT) (full text, mbox, link).


Notification sent to Tomaž Šolc <tomaz.solc@tablix.org>:
Bug acknowledged by developer. (Sat, 25 Feb 2017 23:09:08 GMT) (full text, mbox, link).


Message #111 received at 855705-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 855705-close@bugs.debian.org
Subject: Bug#855705: fixed in munin 2.0.25-1+deb8u1
Date: Sat, 25 Feb 2017 23:04:51 +0000
Source: munin
Source-Version: 2.0.25-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 25 Feb 2017 17:20:04 +0100
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: all source
Version: 2.0.25-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 855705
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Changes:
 munin (2.0.25-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix wrong parameter expansion in CGI (CVE-2017-6188)
     Fixes local file write vulnerability when CGI graphs are enabled.
     Setting multiple upper_limit GET parameters allows overwriting any file
     accessible to the user running the CGI script.
     Thanks to Tomaž Šolc <tomaz.solc@tablix.org> (Closes: #855705)

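The changelog above names the bug class only briefly ("wrong parameter expansion in CGI"). The following Perl illustration is added here and is not munin's code: it shows how a CGI::param call in list context lets a repeated upper_limit GET parameter reshape the argument hash, beside a hardened form. The functions args_vulnerable() and args_hardened(), the %args hash and the query string are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration of the bug class fixed in this upload: CGI::param called
# in list context expands every value of a repeated GET parameter. Not munin's
# code; args_vulnerable(), args_hardened() and the query string are constructed.
use strict;
use warnings;
use CGI;

# Constructed request: upper_limit is sent twice on purpose.
my $q = CGI->new('upper_limit=100&upper_limit=extra_key&lower_limit=0');

# Vulnerable pattern. In list context param() returns ('100', 'extra_key'),
# so the list that builds the hash becomes
#   ('upper_limit', '100', 'extra_key', 'lower_limit', '0')
# The client-controlled second value becomes a new hash key, and the real
# lower_limit key is swallowed as that key's value (Perl also warns about the
# odd element count). CGI.pm 4.08 and later warn about this list-context call.
sub args_vulnerable {
    my %args = (
        upper_limit => $q->param('upper_limit'),
        lower_limit => $q->param('lower_limit'),
    );
    return \%args;
}

# Hardened pattern: force scalar context (first value only) and accept only a
# numeric value, so surplus or malformed values cannot reshape %args.
sub args_hardened {
    my %args;
    for my $name (qw(upper_limit lower_limit)) {
        my $v = scalar $q->param($name);
        next unless defined $v;
        die "invalid value for $name\n" unless $v =~ /\A-?\d+(?:\.\d+)?\z/;
        $args{$name} = $v;
    }
    return \%args;
}

# Show which keys each variant ends up with for the same request.
for my $variant (['vulnerable', args_vulnerable()], ['hardened', args_hardened()]) {
    my ($label, $args) = @$variant;
    printf "%-10s keys: %s\n", $label, join(', ', sort keys %$args);
}
```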




Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Sat, 25 Feb 2017 23:21:03 GMT)


Notification sent to Tomaž Šolc <tomaz.solc@tablix.org>:
Bug acknowledged by developer. (Sat, 25 Feb 2017 23:21:03 GMT)


Message #116 received at 855705-close@bugs.debian.org:

From: Holger Levsen <holger@debian.org>
To: 855705-close@bugs.debian.org
Subject: Bug#855705: fixed in munin 2.0.31-1
Date: Sat, 25 Feb 2017 23:18:33 +0000
Source: munin
Source-Version: 2.0.31-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 25 Feb 2017 23:24:27 +0100
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source
Version: 2.0.31-1
Distribution: unstable
Urgency: medium
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description:
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 855705
Changes:
 munin (2.0.31-1) unstable; urgency=medium
 .
   * New upstream release, fixing CVE-2017-6188. (Closes: #855705)





Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#855705; Package munin. (Sun, 26 Feb 2017 00:15:05 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Sun, 26 Feb 2017 00:15:05 GMT)


Message #121 received at 855705@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Jonas Meurer <jonas@freesources.org>, 855705@bugs.debian.org, Steve Schnepp <steve.schnepp@munin-monitoring.org>
Subject: Re: [munin-monitoring/munin] munin-cgi-graph CGI::param security problem (#721)
Date: Sun, 26 Feb 2017 00:14:17 +0000
On Sat, Feb 25, 2017 at 10:57:57PM +0000, Holger Levsen wrote:
> will import in a moment, together with the wheezy-lts upload.

I've now done the imports of the wheezy-lts and jessie-security uploads into
git (as signed tags) and also uploaded 2.0.31-1 to sid. Will ask for stretch
unblock and aging for faster migration tomorrow, and once that has happened
I'll take care of backports too.

Thanks again to everyone involved!


-- 
cheers,
	Holger

Marked as fixed in versions munin/2.0.25-1+deb8u3. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Sat, 18 Mar 2017 16:15:16 GMT)


Marked as fixed in versions 2.0.6-4+deb7u4. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Mon, 20 Mar 2017 10:33:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:25:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:43:33 2019; Machine Name: beach
