Debian Bug report logs - #742689
check-mk: CVE-2014-2329, CVE-2014-2330, CVE-2014-2331, CVE-2014-2332


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 26 Mar 2014 12:36:06 UTC

Severity: grave

Tags: security

Fixed in version check-mk/1.2.6p4-1

Done: Matt Taggart <taggart@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#742689; Package check-mk. (Wed, 26 Mar 2014 12:36:11 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 26 Mar 2014 12:36:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: check-mk: CVE-2014-2329, CVE-2014-2330, CVE-2014-2331, CVE-2014-2332
Date: Wed, 26 Mar 2014 13:23:03 +0100
Package: check-mk
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#742689; Package check-mk. (Fri, 09 Jan 2015 20:12:05 GMT)


Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 09 Jan 2015 20:12:05 GMT)


Message #10 received at 742689@bugs.debian.org:

From: Matt Taggart <taggart@debian.org>
To: 742689@bugs.debian.org
Subject: check-mk: more CVE info
Date: Fri, 09 Jan 2015 12:09:46 -0800
I am looking at the CVEs in #742689.

The URL listed
 http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt
lists 7 problems, but claims that upstream 1.2.2p3 (in sid) fixed 5
of them. The remaining 2 are:

5) Missing CSRF (Cross-Site Request Forgery) token allows execution
  of arbitrary commands (CVE-2014-2330)
6) Multiple use of exec-like function calls which allow arbitrary
  commands (CVE-2014-2331)

These CVE numbers appear to be reserved, but I can't find any details
other than the brief mention in

 http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt

Most of the links on
 https://security-tracker.debian.org/tracker/CVE-2014-2330
 https://security-tracker.debian.org/tracker/CVE-2014-2331

don't give any info, the RedHat link is for the full set of things and
it's not clear to me if they fixed these explicitly. Maybe the brief
descriptions on the packetstormsecurity will be enough for someone
on the security team to determine if there is anything to be done.

Thanks,

-- 
Matt Taggart
taggart@debian.org

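The two remaining items in the message above are a missing CSRF token on state-changing requests and exec-like calls that pass untrusted input to a shell. The following is an added illustration of the corresponding defences, written for this page; it is not check-mk code and the names (`CsrfGuard`, `handle_post`, `run_command`, the `_csrf` form field and the allow-list) are hypothetical.

```python
import hmac
import secrets
import subprocess

# Constructed example, not check-mk code. It shows the two controls whose
# absence the advisory excerpt describes: a per-session anti-CSRF token that
# every POST must carry, and a command runner that passes an argument list
# to an allow-listed program instead of building a shell string.


class CsrfGuard:
    """Issue one random token per session and require it on every POST."""

    def __init__(self):
        # Hypothetical in-memory store: session_id -> token.
        self._tokens = {}

    def token_for(self, session_id):
        # 32 random bytes, URL-safe, one per session (per-form tokens are
        # stricter still; per-session is the minimum). Embed this in forms.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def validate(self, session_id, submitted):
        """True only if `submitted` equals the token issued to this session."""
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # Constant-time comparison on bytes, so non-ASCII input cannot raise
        # and the check leaks no timing signal about the expected token.
        return hmac.compare_digest(expected.encode("utf-8"),
                                   submitted.encode("utf-8"))


def handle_post(guard, session_id, form):
    """Gate a state-changing action on the CSRF check. Returns (status, body)."""
    if not guard.validate(session_id, form.get("_csrf")):
        # Reject before doing anything; a forged cross-site POST carries the
        # victim's cookies but cannot read the token to include it.
        return 403, "CSRF token missing or invalid"
    return 200, "action accepted"


# Constructed allow-list of programs the web layer is permitted to run.
ALLOWED_COMMANDS = {"echo", "uptime"}


def run_command(verb, *args):
    """Run an allow-listed program with its arguments as a list (no shell).

    Because the arguments are handed to execve as separate strings, shell
    metacharacters in `args` (';', '&&', '|', backticks) are literal bytes
    for the program, not operators. Raises ValueError for a verb that is not
    on the allow-list. Returns the CompletedProcess.
    """
    if verb not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {verb!r}")
    return subprocess.run([verb, *args], capture_output=True, text=True,
                          check=False, timeout=10)


if __name__ == "__main__":
    guard = CsrfGuard()
    tok = guard.token_for("session-1")
    print(handle_post(guard, "session-1", {"_csrf": tok}))   # accepted
    print(handle_post(guard, "session-1", {}))               # rejected
    # The separator is passed through verbatim; nothing else is executed.
    print(repr(run_command("echo", "hello; world").stdout))
```

The point of `run_command` is not the allow-list alone but the argument list: even a permitted program receives attacker-influenced text as data, never as shell syntax, which is the property the `exec`-style calls in the advisory lacked.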


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#742689; Package check-mk. (Fri, 13 Mar 2015 22:45:05 GMT)


Acknowledgement sent to "Potter, Tim (Cloud Services)" <timothy.potter@hp.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 13 Mar 2015 22:45:05 GMT)


Message #15 received at 742689@bugs.debian.org:

From: "Potter, Tim (Cloud Services)" <timothy.potter@hp.com>
To: "742689@bugs.debian.org" <742689@bugs.debian.org>
Subject: Re: check-mk: more CVE info
Date: Fri, 13 Mar 2015 22:41:41 +0000
On Fri, 09 Jan 2015 12:09:46 -0800 Matt Taggart <taggart@debian.org> wrote:

> Most of the links on
>  https://security-tracker.debian.org/tracker/CVE-2014-2330
>  https://security-tracker.debian.org/tracker/CVE-2014-2331
>
> don't give any info, the RedHat link is for the full set of things and
> it's not clear to me if they fixed these explicitly. Maybe the brief
> descriptions on the packetstormsecurity will be enough for someone
> on the security team to determine if there is anything to be done.

Hi Matt.  The RedHat link has since been updated to say that CVE-2014-2330 and CVE-2014-2331 are cross-site scripting issues and are fixed in versions 1.2.2p3 and 1.2.3i5.


Tim.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#742689; Package check-mk. (Mon, 27 Apr 2015 23:42:05 GMT)


Acknowledgement sent to Sam McLeod <smj@fastmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Mon, 27 Apr 2015 23:42:05 GMT)


Message #20 received at 742689@bugs.debian.org:

From: Sam McLeod <smj@fastmail.com>
To: 742689@bugs.debian.org
Subject: Re: check-mk: more CVE info
Date: Tue, 28 Apr 2015 09:39:07 +1000
Disappointing to see Jessie was released with the check-mk package
missing. This is the third package I've found to be missing since Jessie
was released - I get the feeling the release was perhaps rushed?

Anyway, grievances aside - is there any progress with getting this
packaged for backports?

--
Sam McLeod


Reply sent to Matt Taggart <taggart@debian.org>:
You have taken responsibility. (Wed, 10 Jun 2015 18:39:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 10 Jun 2015 18:39:11 GMT)


Message #25 received at 742689-close@bugs.debian.org:

From: Matt Taggart <taggart@debian.org>
To: 742689-close@bugs.debian.org
Subject: Bug#742689: fixed in check-mk 1.2.6p4-1
Date: Wed, 10 Jun 2015 18:34:05 +0000
Source: check-mk
Source-Version: 1.2.6p4-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742689@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart <taggart@debian.org> (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Jun 2015 11:10:32 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-config-nagios3 check-mk-livestatus check-mk-multisite check-mk-doc
Architecture: source amd64 all
Version: 1.2.6p4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Matt Taggart <taggart@debian.org>
Description:
 check-mk-agent - general purpose nagios-plugin for retrieving data
 check-mk-agent-logwatch - general purpose nagios-plugin for retrieving data
 check-mk-config-icinga - general purpose nagios-plugin for retrieving data
 check-mk-config-nagios3 - general purpose nagios-plugin for retrieving data
 check-mk-doc - general purpose nagios-plugin for retrieving data (documentation)
 check-mk-livestatus - general purpose nagios-plugin for retrieving data
 check-mk-multisite - general purpose nagios-plugin for retrieving data
 check-mk-server - general purpose nagios-plugin for retrieving data
Closes: 738987 739092 742689 778380
Changes:
 check-mk (1.2.6p4-1) unstable; urgency=medium
 .
   [ Thomas Bechtold ]
   * New upstream release (Closes: #738987).
   * debian/defaults.*: Use correct check-mk version.
   * debian/control:
     - Add myself to Uploaders field.
     - Remove Sven Velt from Uploaders field (Closes: #739092).
 .
   [ Ilya Rassadin ]
   * New upstream release (Closes: #778380).
   * debian/defaults.*: Use correct check-mk version.
   * debian/control: Add myself to Uploaders field.
   * debian/check-mk-server.install: Add path for flexible notifications
   * debian/check-mk-server.postinst: Add path for flexible notifications
 .
   [ Matt Taggart ]
   * Confirmed that CVE-2014-2329, CVE-2014-2330, CVE-2014-2331,
      CVE-2014-2332 are fixed in upstream as of 1.2.3i5 (Closes: #742689).
   * New upstream release (Closes: #778380).
   * upstream forgot to include waitmax.c in their "source" tarball,
      provide it in the source package for now
   * logwatch.cfg example changed location upstream, adjust
      check_mk_agent_logwatch.{example,install}
   * regenerate defaults.* starting with upstream versions generated by
      setup.sh and then porting forward the debian specific changes.
   * regenerate apache.* starting with upstream versions generated by
      setup.sh and then porting forward the debian specific changes.
      Disable multisite automation.py and run_cron.py services by default.
Checksums-Sha1:
 9193f9d0f38f8b220fc2f46e222e16b8f6fb69d4 2486 check-mk_1.2.6p4-1.dsc
 50241e00d0961b3d3197db9f34f662f84afa4ee0 8034644 check-mk_1.2.6p4.orig.tar.gz
 5141a2afaf21ee377af7f0f38f318502f79e6e35 12659 check-mk_1.2.6p4-1.diff.gz
 c5685a5ad6b73e7a87c4cc5fd4d893b16ebec2c5 136490 check-mk-agent-logwatch_1.2.6p4-1_amd64.deb
 e06ced402928d7e855324f4f8d6ffa28d6b5d0a7 143650 check-mk-agent_1.2.6p4-1_amd64.deb
 12494ea0c14fef82ec60cd09286126cb15e5bd54 140210 check-mk-config-icinga_1.2.6p4-1_amd64.deb
 27d0de74518abdaca7ca706c8accd632c71882c3 140208 check-mk-config-nagios3_1.2.6p4-1_amd64.deb
 c3ac2d48d4564b7bbe1c7010e91b6d0d2118bba8 1438122 check-mk-doc_1.2.6p4-1_all.deb
 b8b03dee8bcd45362d1658ec259b0410bb6ea676 279816 check-mk-livestatus_1.2.6p4-1_amd64.deb
 78996de9ca5825eea4b1b68a10228c545f913178 3436926 check-mk-multisite_1.2.6p4-1_amd64.deb
 bbd9f59597bb3dac97e08e3a777c01bc0ae1b4a1 787912 check-mk-server_1.2.6p4-1_amd64.deb
Checksums-Sha256:
 ad3e540855d33d208da0cbf9739c31c7c0b7cf22dddfea9c2f7a2db0f93dd24d 2486 check-mk_1.2.6p4-1.dsc
 a9ba931a0ab3fcb5f4118691e305cfec7455f0d2ab10341c4303299e2f5414cd 8034644 check-mk_1.2.6p4.orig.tar.gz
 2b8108a9ceda792c2b5ecc8f0de8b285643b0b3ed53b2eeb7d04f0f179cffa88 12659 check-mk_1.2.6p4-1.diff.gz
 f40e13b996551b341fabda679e5fed8ca8a3749c7a215f16513ff4155ec5f7ff 136490 check-mk-agent-logwatch_1.2.6p4-1_amd64.deb
 10d12404841bdaae2e7d203e2b9cddfd185f486c761b6e07124ff8a3b1a5e91b 143650 check-mk-agent_1.2.6p4-1_amd64.deb
 e4747838bd313191c7e0c4684867c332916175afc83e8f52e1333713667801c4 140210 check-mk-config-icinga_1.2.6p4-1_amd64.deb
 689a3e9bc491fc6a5005e3e42627b020f982eeafc9d69b351f36c0593e428fc8 140208 check-mk-config-nagios3_1.2.6p4-1_amd64.deb
 6a531a16ee2bb38ac7a7fcf22f102f1e4e40f38ba7df047f6f266eb24fb9eb77 1438122 check-mk-doc_1.2.6p4-1_all.deb
 c76d1cd90ae0d60438baacd1608b37d8c0c533dca06e49547fc9bd795ee285f9 279816 check-mk-livestatus_1.2.6p4-1_amd64.deb
 1dc35674f2133a3b8a97548c7b4bc7e05af81204ccb13f27f2eeef5ce1abc056 3436926 check-mk-multisite_1.2.6p4-1_amd64.deb
 a852bcb7972c24e855f6cccb4fbce2e80b72879a1e82aa4eedb5cbb916368098 787912 check-mk-server_1.2.6p4-1_amd64.deb
Files:
 7aef3c1abf94bab5420bd5cc246e6b28 2486 admin optional check-mk_1.2.6p4-1.dsc
 ac84a9307f1f82b05b3ae142c04da0fb 8034644 admin optional check-mk_1.2.6p4.orig.tar.gz
 ed61a4fa47b487ce4188b07d81e0f8ae 12659 admin optional check-mk_1.2.6p4-1.diff.gz
 569d808528578b3cff4d1cfc045f9410 136490 admin optional check-mk-agent-logwatch_1.2.6p4-1_amd64.deb
 6bea337926949d76a43ee9a2f73d75c1 143650 admin optional check-mk-agent_1.2.6p4-1_amd64.deb
 dd2edf395121b29efe7d5d4055467267 140210 admin optional check-mk-config-icinga_1.2.6p4-1_amd64.deb
 2b95cdf8a80c48230e4e7fe6bee46eba 140208 admin optional check-mk-config-nagios3_1.2.6p4-1_amd64.deb
 13695482441359d023fa4efa45ce5d41 1438122 doc optional check-mk-doc_1.2.6p4-1_all.deb
 f6d61d16f8f20fc675b1defd740e4dfa 279816 admin optional check-mk-livestatus_1.2.6p4-1_amd64.deb
 cadb2b2fe0bd5c8c6237904a0ee82283 3436926 admin optional check-mk-multisite_1.2.6p4-1_amd64.deb
 35a019d1e482ed278a84c18d1ec679ff 787912 admin optional check-mk-server_1.2.6p4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Aug 2015 07:35:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:34 2019; Machine Name: buxtehude
