monit: CVE-2019-11454 CVE-2019-11455


Debian Bug report logs - #927775
monit: CVE-2019-11454 CVE-2019-11455


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 Apr 2019 04:57:01 UTC

Severity: serious

Tags: security, upstream

Found in versions monit/1:5.20.0-6, monit/1:5.25.2-3

Fixed in versions monit/1:5.25.3-1, monit/1:5.25.2-3+deb10u1

Done: Sergey B Kirpichev <skirpichev@gmail.com>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Tue, 23 Apr 2019 04:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>. (Tue, 23 Apr 2019 04:57:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: monit: CVE-2019-11454 CVE-2019-11455
Date: Tue, 23 Apr 2019 06:53:03 +0200
Source: monit
Version: 1:5.25.2-3
Severity: important
Tags: security upstream
Control: found -1 1:5.20.0-6

Hi,

The following vulnerabilities were published for monit.

CVE-2019-11454[0]:
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
| Monit before 5.25.3 allows a remote unauthenticated attacker to
| introduce arbitrary JavaScript via manipulation of an unsanitized user
| field of the Authorization header for HTTP Basic Authentication, which
| is mishandled during an _viewlog operation.


CVE-2019-11455[1]:
| A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
| before 5.25.3 allows a remote authenticated attacker to retrieve the
| contents of adjacent memory via manipulation of GET or POST
| parameters. The attacker can also cause a denial of service
| (application outage).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11454
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
[1] https://security-tracker.debian.org/tracker/CVE-2019-11455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455

Regards,
Salvatore
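
The over-read class named in CVE-2019-11455 above, as an added example that is not part of this bug report and is not Monit's code: a percent-decoder walking a NUL-terminated string must refuse a `%` escape that is cut short, otherwise it indexes past the terminator. The function name `url_decode_checked`, the sample inputs and the truncated-escape scenario are assumptions for illustration; the report does not describe the exact defect in `Util_urlDecode`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1. The terminator '\0' also yields -1. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Hypothetical hardened decoder (illustration only).
 * Decodes a NUL-terminated URL-encoded string in place and returns the
 * decoded length, or -1 when an escape is truncated, is not two hex
 * digits, or decodes to NUL. On -1 the caller should reject the request;
 * the buffer may be partly decoded but its original terminator is intact.
 */
long url_decode_checked(char *s) {
    size_t r = 0, w = 0;

    if (s == NULL)
        return -1;
    while (s[r] != '\0') {
        if (s[r] == '+') {
            s[w++] = ' ';
            r++;
        } else if (s[r] == '%') {
            /* s[r + 1] is at worst the terminator, so this read is in
             * bounds. s[r + 2] is only read when s[r + 1] was a hex
             * digit, which means the terminator is at r + 2 or later. */
            int hi = hex_val(s[r + 1]);
            int lo = (hi < 0) ? -1 : hex_val(s[r + 2]);
            if (hi < 0 || lo < 0)
                return -1;          /* truncated or malformed escape */
            if (hi == 0 && lo == 0)
                return -1;          /* %00 would silently cut the C string */
            s[w++] = (char)(hi * 16 + lo);
            r += 3;
        } else {
            s[w++] = s[r++];
        }
    }
    s[w] = '\0';
    return (long)w;
}

int main(void) {
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = {
        "user%3Dadmin+x", "a%2Fb", "abc%", "abc%4", "abc%zz", "a%00b"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[64];
        snprintf(buf, sizeof buf, "%s", samples[i]);
        long n = url_decode_checked(buf);
        if (n < 0)
            printf("%-16s (%zu bytes) -> rejected\n",
                   samples[i], strlen(samples[i]));
        else
            printf("%-16s (%zu bytes) -> \"%s\" (%ld bytes)\n",
                   samples[i], strlen(samples[i]), buf, n);
    }
    return 0;
}
```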



Marked as found in versions monit/1:5.20.0-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 23 Apr 2019 04:57:03 GMT) (full text, mbox, link).


Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2019 20:27:04 GMT) (full text, mbox, link).


Reply sent to Sergey B Kirpichev <skirpichev@gmail.com>:
You have taken responsibility. (Mon, 03 Jun 2019 22:21:04 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Jun 2019 22:21:04 GMT) (full text, mbox, link).


Message #14 received at 927775-close@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 927775-close@bugs.debian.org
Subject: Bug#927775: fixed in monit 1:5.25.3-1
Date: Mon, 03 Jun 2019 22:18:46 +0000
Source: monit
Source-Version: 1:5.25.3-1

We believe that the bug you reported is fixed in the latest version of
monit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <skirpichev@gmail.com> (supplier of updated monit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 04 Jun 2019 00:35:25 +0300
Source: monit
Binary: monit monit-dbgsym
Architecture: source amd64
Version: 1:5.25.3-1
Distribution: unstable
Urgency: medium
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Sergey B Kirpichev <skirpichev@gmail.com>
Description:
 monit      - utility for monitoring and managing daemons or similar programs
Closes: 927775
Changes:
 monit (1:5.25.3-1) unstable; urgency=medium
 .
   * New upstream version 5.25.3.  Closes: #927775 (CVE-2019-11454
     and CVE-2019-11455).
   * Refresh patches




Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Tue, 04 Jun 2019 05:03:03 GMT) (full text, mbox, link).


Message #17 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 927775@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: monit: CVE-2019-11454 CVE-2019-11455
Date: Tue, 4 Jun 2019 08:00:43 +0300
On Tue, 23 Apr 2019 06:53:03 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> CVE-2019-11454[0]:
> | Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
> | Monit before 5.25.3 allows a remote unauthenticated attacker to
> | introduce arbitrary JavaScript via manipulation of an unsanitized user
> | field of the Authorization header for HTTP Basic Authentication, which
> | is mishandled during an _viewlog operation.
> 
> 
> CVE-2019-11455[1]:
> | A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
> | before 5.25.3 allows a remote authenticated attacker to retrieve the
> | contents of adjacent memory via manipulation of GET or POST
> | parameters. The attacker can also cause a denial of service
> | (application outage).

Why severity "grave"?  Seems wrong according to the
description in https://www.debian.org/Bugs/Developer#severities.



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Sun, 09 Jun 2019 08:03:03 GMT) (full text, mbox, link).


Message #20 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 927775@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: monit: CVE-2019-11454 CVE-2019-11455
Date: Sun, 9 Jun 2019 10:59:06 +0300
severity 927775 important
thanks

No reasons, so revert back severity.

On Tue, 4 Jun 2019 08:00:43 +0300 Sergey B Kirpichev <skirpichev@gmail.com> wrote:
> On Tue, 23 Apr 2019 06:53:03 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > CVE-2019-11454[0]:
> > | Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
> > | Monit before 5.25.3 allows a remote unauthenticated attacker to
> > | introduce arbitrary JavaScript via manipulation of an unsanitized user
> > | field of the Authorization header for HTTP Basic Authentication, which
> > | is mishandled during an _viewlog operation.
> > 
> > 
> > CVE-2019-11455[1]:
> > | A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
> > | before 5.25.3 allows a remote authenticated attacker to retrieve the
> > | contents of adjacent memory via manipulation of GET or POST
> > | parameters. The attacker can also cause a denial of service
> > | (application outage).
> 
> Why severity "grave"?  Seems wrong according to the
> description in https://www.debian.org/Bugs/Developer#severities.
> 
> 



Severity set to 'important' from 'grave' Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Sun, 09 Jun 2019 08:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Sun, 09 Jun 2019 10:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Sun, 09 Jun 2019 10:09:04 GMT) (full text, mbox, link).


Message #27 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: skirpichev@gmail.com, 927775@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
Date: Sun, 9 Jun 2019 12:08:21 +0200
Hi Sergey,

On Sun, Jun 09, 2019 at 10:59:06AM +0300, Sergey B Kirpichev wrote:
> severity 927775 important
> thanks
> 
> No reasons, so revert back severity.

This is from my point of view not okay, and I will try to explain, why
I think so.

I filed the bug on 2019-04-23 with severity important for two issues
of src:monit which got already upstream fixes back then. See
security-tracker references for fixing commits.

The bug remained unanswered and buster is getting more and more into
shape for being released.

After some time passed, on 2019-06-03, another Debian security team
member (Moritz Muehlenhoff <jmm@debian.org>) raised the severity to a
release critical value.  The issue should be fixed for buster itself,
without that we need to release buster with those two CVE open for
monit from the beginning.

After this severity raise, though on the same date, a new upstream
version (5.25.3) was uploaded, while we are since a while in deep
freeze in preparation of buster. See [1] to see what is acceptable
from Release Team point of view at this point. While exceptions are
done on case to case basis. The changes between the two releases
contain more than only those two fixes.

Why was this uploaded as new upstream version in the first place
during the deep freeze and not via targeted fixes?

Could you please work out with the Release team via an unblock request
if they would wave through the version or a scheduled targeted fix
via testing-proposed-updates?

Regards,
Salvatore

 [1] https://release.debian.org/buster/freeze_policy.html



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Sun, 09 Jun 2019 10:18:02 GMT) (full text, mbox, link).


Message #30 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 927775@bugs.debian.org
Subject: Re: Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
Date: Sun, 9 Jun 2019 13:14:57 +0300
On Sun, Jun 09, 2019 at 12:08:21PM +0200, Salvatore Bonaccorso wrote:
> After some time passed, on 2019-06-03, another Debian security team
> member (Moritz Muehlenhoff <jmm@debian.org>) raised the severity to a
> release critical value.

For no reasons.

> Could you please work out with the Release team via an unblock request
> if they would wave through the version or a scheduled targeted fix
> via testing-proposed-updates?

Yes, I'm planning backports for these fixes.  I don't know why this
requires an increase in the bug severity.



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Sun, 09 Jun 2019 11:48:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Sun, 09 Jun 2019 11:48:06 GMT) (full text, mbox, link).


Message #35 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sergey B Kirpichev <skirpichev@gmail.com>
Cc: 927775@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
Date: Sun, 9 Jun 2019 13:44:18 +0200
Hi Sergey,

On Sun, Jun 09, 2019 at 01:14:57PM +0300, Sergey B Kirpichev wrote:
> On Sun, Jun 09, 2019 at 12:08:21PM +0200, Salvatore Bonaccorso wrote:
> > After some time passed, on 2019-06-03, another Debian security team
> > member (Moritz Muehlenhoff <jmm@debian.org>) raised the severity to a
> > release critical value.
> 
> For no reasons.

I gave a reason though now in my previous mail, right in the sentence
following after that.

> > Could you please work out with the Release team via an unblock request
> > if they would wave through the version or a scheduled targeted fix
> > via testing-proposed-updates?
> 
> Yes, I'm planning backports for these fixes.  I don't know why this
> requires an increase in the bug severity.

Perfect, thanks! The increase in severity was done as per above, to
make sure it is marked release critical and not missed for the
release of buster.

I still do not get it why a new upstream version was uploaded to
unstable at this point in the freeze, though.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Mon, 10 Jun 2019 11:03:03 GMT) (full text, mbox, link).


Message #38 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 927775@bugs.debian.org
Subject: Re: Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
Date: Mon, 10 Jun 2019 14:01:09 +0300
On Sun, Jun 09, 2019 at 01:44:18PM +0200, Salvatore Bonaccorso wrote:
> I gave a reason though now in my previous mail

I was expecting such an explanation before the change in severity...

> > > Could you please work out with the Release team via an unblock request
> > > if they would wave through the version or a scheduled targeted fix
> > > via testing-proposed-updates?
> > 
> > Yes, I'm planning backports for these fixes.  I don't know why this
> > requires an increase in the bug severity.
> 
> Perfect, thanks! The increase in severity was done as per above, to
> make sure it is marked release critical and not missed for the
> release of buster.
> 
> I still do not get it why a new upstream version was uploaded to
> unstable at this point in the freeze, though.

I hope the release team will unblock the transition; it's a bugfix release.



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Wed, 12 Jun 2019 15:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ivo De Decker <ivodd@debian.org>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Wed, 12 Jun 2019 15:09:03 GMT) (full text, mbox, link).


Message #43 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Ivo De Decker <ivodd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Sergey B Kirpichev <skirpichev@gmail.com>, 927775@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
Date: Wed, 12 Jun 2019 17:07:11 +0200
Control: severity -1 serious

Hi,

On Sun, Jun 09, 2019 at 01:44:18PM +0200, Salvatore Bonaccorso wrote:
> On Sun, Jun 09, 2019 at 01:14:57PM +0300, Sergey B Kirpichev wrote:
> > On Sun, Jun 09, 2019 at 12:08:21PM +0200, Salvatore Bonaccorso wrote:
> > > After some time passed, on 2019-06-03, another Debian security team
> > > member (Moritz Muehlenhoff <jmm@debian.org>) raised the severity to a
> > > release critical value.
> > 
> > For no reasons.
> 
> I gave a reason though now in my previous mail, right in the sentence
> following after that.
> 
> > > Could you please work out with the Release team via an unblock request
> > > if they would wave through the version or a scheduled targeted fix
> > > via testing-proposed-updates?
> > 
> > Yes, I'm planning backports for these fixes.  I don't know why this
> > requires an increase in the bug severity.
> 
> Perfect, thanks! The increase in severity was done as per above, to
> make sure it is marked release critical and not missed for the
> release of buster.

As the security team considers this an issue that needs to be fixed for
buster, I'm increasing the severity. Please do not downgrade it again.

Note that the revert Paul mentioned in #930313 will need to be in unstable
before 2019-06-25 13:00 UTC. Otherwise we'll be forced to remove monit from
buster manually. See the announcement of the release timeline:

https://lists.debian.org/debian-devel-announce/2019/06/msg00003.html

Thanks,

Ivo




Severity set to 'serious' from 'important' Request was from Ivo De Decker <ivodd@debian.org> to 927775-submit@bugs.debian.org. (Wed, 12 Jun 2019 15:09:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#927775; Package src:monit. (Mon, 17 Jun 2019 07:45:07 GMT) (full text, mbox, link).


Message #48 received at 927775@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 927775@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#927775: monit: CVE-2019-11454 CVE-2019-11455
Date: Mon, 17 Jun 2019 10:43:56 +0300
On Wed, 12 Jun 2019 17:07:11 +0200 Ivo De Decker <ivodd@debian.org> wrote:
> As the security team considers this an issue that needs to be fixed for
> buster, I'm increasing the severity. Please do not downgrade it again.

Thanks for "help", security team.

> Note that the revert Paul mentioned in #930313

I don't understand what exactly he means.  I'll try to upload
a targeted fix to the testing-proposed-updates.

> Otherwise we'll be forced to remove monit from
> buster manually.

I'm fine with this.



Reply sent to Sergey B Kirpichev <skirpichev@gmail.com>:
You have taken responsibility. (Mon, 17 Jun 2019 08:51:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 17 Jun 2019 08:51:06 GMT) (full text, mbox, link).


Message #53 received at 927775-close@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 927775-close@bugs.debian.org
Subject: Bug#927775: fixed in monit 1:5.25.2-3+deb10u1
Date: Mon, 17 Jun 2019 08:48:39 +0000
Source: monit
Source-Version: 1:5.25.2-3+deb10u1

We believe that the bug you reported is fixed in the latest version of
monit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <skirpichev@gmail.com> (supplier of updated monit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Jun 2019 10:57:40 +0300
Source: monit
Binary: monit monit-dbgsym
Architecture: source amd64
Version: 1:5.25.2-3+deb10u1
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Sergey B Kirpichev <skirpichev@gmail.com>
Description:
 monit      - utility for monitoring and managing daemons or similar programs
Closes: 927775
Changes:
 monit (1:5.25.2-3+deb10u1) testing-proposed-updates; urgency=medium
 .
   * Backport upstream fixes (Closes: #927775):
     + CVE-2019-11454 Persistent cross-site scripting (XSS) in http/cervlet.c
     + CVE-2019-11455 A buffer over-read in Util_urlDecode in util.c






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:35 2019; Machine Name: beach
