check-mk: CVE-2017-9781: reflected XSS in webapi.py

Related Vulnerabilities: CVE-2017-9781  

Debian Bug report logs - #865497


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 22 Jun 2017 03:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version check-mk/1.2.8p16-1

Fixed in version check-mk/1.4.0p9-1

Done: Matt Taggart <taggart@debian.org>

Forwarded to http://mathias-kettner.com/check_mk_werks.php?werk_id=4757



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Thu, 22 Jun 2017 03:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 22 Jun 2017 03:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: check-mk: CVE-2017-9781: reflected XSS in webapi.py
Date: Thu, 22 Jun 2017 05:16:03 +0200
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Thu, 22 Jun 2017 08:45:08 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 22 Jun 2017 08:45:08 GMT)


Message #10 received at 865497@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Matt Taggart <taggart@debian.org>, 865497@bugs.debian.org
Cc: debian-lts@lists.debian.org
Subject: Wheezy update of check-mk?
Date: Thu, 22 Jun 2017 10:41:14 +0200
Hello Matt,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of check-mk:
https://security-tracker.debian.org/tracker/CVE-2017-9781

Would you like to take care of this yourself?

The code in wheezy is different from the 1.4.x version which has been
patched upstream but I believe that a similar issue must exist since
I have seen no HTML escaping in any code showing errors.

That said it really depends on whether user input ends
up in the error message associated to the various exceptions
and it's hard to tell from a quick look at the code without trying.

The traceback itself seems to be output in <pre>%s</pre> but that doesn't
prevent XSS.

In any case, if you want to handle this yourself, please follow the
workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of check-mk updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
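The point made in the message above, that wrapping the echoed value in `<pre>%s</pre>` does nothing against XSS, is easy to see in a small reconstruction. The following is an added example and not Check_MK code or anything posted in this bug: the `AuthError` class, the `authenticate()` function and the two handler shapes are hypothetical stand-ins for how an error message can carry request input into an HTML page. Only the `_username` parameter name and the text/html response type are taken from the CVE description quoted at the top of the report.

```python
"""Added example, not Check_MK code: why "<pre>%s</pre>" around an echoed
request parameter does not prevent reflected XSS, and how escaping does.

Hypothetical pieces: the AuthError class, authenticate(), and the two handler
shapes. Taken from the CVE-2017-9781 text: the _username parameter and the
text/html response content type.
"""
import html
import re
from typing import Dict, Tuple

# Constructed attacker input for the _username parameter.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Matches anything that looks like an HTML tag in a string.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


class AuthError(Exception):
    """Login failure whose message repeats the offending username (assumed)."""


def authenticate(params: Dict[str, str]) -> None:
    """Hypothetical login check: always fails and names the user, which is
    how raw request input ends up inside the exception message."""
    raise AuthError("Invalid username: %s" % params.get("_username", ""))


def webapi_vulnerable(params: Dict[str, str]) -> Tuple[str, str]:
    """Vulnerable pattern: the exception text is interpolated into HTML
    unescaped. <pre> only changes whitespace rendering; tags inside it are
    still parsed, so <script> executes. Returns (content_type, body)."""
    try:
        authenticate(params)
    except AuthError as e:
        return "text/html", "<pre>%s</pre>" % e
    return "text/html", "<pre>ok</pre>"


def webapi_fixed(params: Dict[str, str]) -> Tuple[str, str]:
    """Hardened pattern: HTML-escape the message before interpolation.
    (Serving the error as text/plain would also work, but escaping at the
    sink is the fix that holds wherever the string is later embedded.)"""
    try:
        authenticate(params)
    except AuthError as e:
        return "text/html", "<pre>%s</pre>" % html.escape(str(e), quote=True)
    return "text/html", "<pre>ok</pre>"


def reflects_live_markup(payload: str, content_type: str, body: str) -> bool:
    """The CVE condition: an HTML response that carries the attacker's
    markup verbatim. Non-HTML content types are not rendered as markup by
    a compliant browser, so they are not flagged here."""
    if not content_type.lower().startswith("text/html"):
        return False
    return payload in body and TAG_RE.search(payload) is not None


def run_checks(payload: str = PAYLOAD) -> Dict[str, bool]:
    """Run both handlers against the payload; True means still vulnerable."""
    params = {"_username": payload}
    results = {}
    for name, handler in (("vulnerable", webapi_vulnerable), ("fixed", webapi_fixed)):
        content_type, body = handler(params)
        results[name] = reflects_live_markup(payload, content_type, body)
    return results


if __name__ == "__main__":
    for name, still_vulnerable in run_checks().items():
        print("%-10s reflected XSS: %s" % (name, still_vulnerable))
```

`run_checks()` reports the vulnerable handler as reflecting live markup and the escaped one as clean. The same `reflects_live_markup()` check is the shape of test one would run against a real instance: request the endpoint with a tagged `_username`, then look at both the `Content-Type` header and whether the tag comes back byte-for-byte.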



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Thu, 22 Jun 2017 19:24:03 GMT)


Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 22 Jun 2017 19:24:03 GMT)


Message #15 received at 865497@bugs.debian.org:

From: Matt Taggart <taggart@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Matt Taggart <taggart@debian.org>, 865497@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of check-mk?
Date: Thu, 22 Jun 2017 12:10:23 -0700
Hi Raphael!

Raphael Hertzog writes:
> Hello Matt,
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of check-mk:
> https://security-tracker.debian.org/tracker/CVE-2017-9781
> 
> Would you like to take care of this yourself?
> 
> The code in wheezy is different from the 1.4.x version which has been
> patched upstream but I believe that a similar issue must exist since
> I have seen no HTML escaping in any code showing errors.

The commit message explicitly references the 1.4 branch, but I also
see that the code exists in 1.2.8p16 (buster/sid).

For buster/sid I will update to new 1.4 based upstream with the patch.

The 1.2.6p12-1 based versions in wheezy-backports-sloppy and
jessie-backports are different still, but we should push to make those
go away by getting buster fixed and backporting that to w-b-s, j-b-s,
and w-b.

I agree that the code is pretty different in 1.1.12p7-1 (wheezy). I
would appreciate help generating a patch for that version.

> That said it really depends on whether user input ends
> up in the error message associated to the various exceptions
> and it's hard to tell from a quick look at the code without trying.
> 
> The traceback itself seems to be output in <pre>%s</pre> but that doesn't
> prevent XSS.
> 
> In any case, if you want to handle this yourself, please follow the
> workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of check-mk updates
> for the LTS releases.

The check-mk source package is sort of weird, it uses tarballs within
the orig.tar.gz, so using a normal debian package diff, or even
patching at configure time doesn't work, it has to happen after the
install step runs setup.sh. I am happy for the LTS team to prepare the
wheezy update and I can help with testing. I will work on uploading a
fixed 1.4 version to sid in the next day.

Sound OK?

-- 
Matt Taggart
taggart@debian.org



Reply sent to Matt Taggart <taggart@debian.org>:
You have taken responsibility. (Wed, 20 Sep 2017 07:03:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 20 Sep 2017 07:03:04 GMT)


Message #20 received at 865497-close@bugs.debian.org:

From: Matt Taggart <taggart@debian.org>
To: 865497-close@bugs.debian.org
Subject: Bug#865497: fixed in check-mk 1.4.0p9-1
Date: Wed, 20 Sep 2017 07:00:14 +0000
Source: check-mk
Source-Version: 1.4.0p9-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart <taggart@debian.org> (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 22 Jun 2017 15:44:37 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc check-mk-common check-mk-monitoring-plugins
Architecture: source all amd64
Version: 1.4.0p9-1
Distribution: experimental
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Matt Taggart <taggart@debian.org>
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-common - general purpose monitoring plugin for retrieving data (common lib
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-monitoring-plugins - general purpose monitoring plugin for retrieving data (monitoring
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.4.0p9-1) experimental; urgency=high
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
   * move to the way upstream now does defaults
   * add new librrd-dev, libboost-dev, libboost-system-dev, g++-6 build-deps
   * new -common package for private python libs
Checksums-Sha1:
 5c431d542e1ae9276f7959af6e9c290c8925540b 2811 check-mk_1.4.0p9-1.dsc
 00d4c64f2051e8f432d9e0df7d5d5bcf2a6a00e0 22948802 check-mk_1.4.0p9.orig.tar.gz
 4ce803f8d0a55e23c564d2e5865c26557312f7a0 13929 check-mk_1.4.0p9-1.diff.gz
 ef3997b2ce59252627f3710099a44c799ed5a878 208186 check-mk-agent-logwatch_1.4.0p9-1_all.deb
 1fe35779e21d44c24a94747691839f9f30659f5e 215670 check-mk-agent_1.4.0p9-1_amd64.deb
 327a5ec94f795a65f48e8f735b47eba6e8ad9579 238758 check-mk-common_1.4.0p9-1_all.deb
 5a89caace1dd5ff52cd75a65d218a91800cba12b 211144 check-mk-config-icinga_1.4.0p9-1_amd64.deb
 ff63b5cdfcefaeda322c336b5f582b3ef5474b1e 990782 check-mk-doc_1.4.0p9-1_all.deb
 2b333340e942a44956d05915e3ffc2b1097c33a1 90412 check-mk-livestatus-dbgsym_1.4.0p9-1_amd64.deb
 78b6f1d7d6446e2fb638e428f9378fefa02b79c1 969002 check-mk-livestatus_1.4.0p9-1_amd64.deb
 ef2a2017a8aaacdc718b7a2e3e092412bb0a6b62 227060 check-mk-monitoring-plugins_1.4.0p9-1_all.deb
 cafe122bf1f9b8d147d83b693ecfcd921d42d61b 3627048 check-mk-multisite_1.4.0p9-1_amd64.deb
 57e80514a433695485b65189c827eb3388b40090 1125142 check-mk-server_1.4.0p9-1_amd64.deb
 e59a7740ed65b90b91f97e3e47edec9beac236d0 10228 check-mk_1.4.0p9-1_amd64.buildinfo
Checksums-Sha256:
 3e4f3b1ee98d9ac6dd6e69f281b3ba915021c87f8549919984c123e5f57ec624 2811 check-mk_1.4.0p9-1.dsc
 23de4ba908353badd64447683df902c472dc864e0de57177010697b1e7bfaeb6 22948802 check-mk_1.4.0p9.orig.tar.gz
 5610b15ea17335fc57be26fed7d45fd2fc073815bb4763b8b7d88336a25395a8 13929 check-mk_1.4.0p9-1.diff.gz
 b85bf8da7cf601cdd71e3a080b4c1908b7b7ddae9ec1ba7a0ed597f027b21519 208186 check-mk-agent-logwatch_1.4.0p9-1_all.deb
 4ca436fb6911c0ae3cd1c097b032b01731245238bd3ef6729f9d9f3bb8e11265 215670 check-mk-agent_1.4.0p9-1_amd64.deb
 dda04934e5b3587ffd7b4423a6f10383a44b52a116a9ac47d7145433add9ed66 238758 check-mk-common_1.4.0p9-1_all.deb
 fbedfd3d17a68660f70730c01fa33b701176e590cbc9fba9e2c5e0bfeb9c9a5d 211144 check-mk-config-icinga_1.4.0p9-1_amd64.deb
 487e8ce75885b6bc9d4c07ea9cd69617a742b0ed00a5cf676383db40900045ad 990782 check-mk-doc_1.4.0p9-1_all.deb
 10d17d5e20d2679a8a027dab5429a4c669312de7e431ddf45da702de597d514e 90412 check-mk-livestatus-dbgsym_1.4.0p9-1_amd64.deb
 0870e75947bf79e2900d8773acf9d7fdf104c4f21c25e74bf7d2c0f86e44fc5c 969002 check-mk-livestatus_1.4.0p9-1_amd64.deb
 065889f7db3179b914ee0c305d1b7850677e6eacc1d628f89d18349f20c623fc 227060 check-mk-monitoring-plugins_1.4.0p9-1_all.deb
 d0bf34d5949505246f38bc5763ed5aa160c7e6180b0ab770f1ab8c2e4a0ce3b4 3627048 check-mk-multisite_1.4.0p9-1_amd64.deb
 20ce31bd6610296587b6d95e429cd6fd15b4c1d0abc42a47e4011e283ec92516 1125142 check-mk-server_1.4.0p9-1_amd64.deb
 acf5b7141a7fe28088fe41661ddacbe3c58b01bc31199e4b1153afabb15b0a5e 10228 check-mk_1.4.0p9-1_amd64.buildinfo
Files:
 8de6958ac2a10fa2589d4d68b8187284 2811 admin optional check-mk_1.4.0p9-1.dsc
 21c12bb2f2f06ab94e4592ba851e299b 22948802 admin optional check-mk_1.4.0p9.orig.tar.gz
 d2e47a13a5ca0cf8d057f382e537781a 13929 admin optional check-mk_1.4.0p9-1.diff.gz
 7cc8cdec461364db1c0104dfd211d1eb 208186 admin optional check-mk-agent-logwatch_1.4.0p9-1_all.deb
 8fb8629d782d3d66b38360925f200eb0 215670 admin optional check-mk-agent_1.4.0p9-1_amd64.deb
 f1997faec099c709e357af1d9cafb6da 238758 python optional check-mk-common_1.4.0p9-1_all.deb
 24e7af3482e0d165a408a52e8b12057f 211144 admin optional check-mk-config-icinga_1.4.0p9-1_amd64.deb
 94d123460e6769c06a552ed03425a12f 990782 doc optional check-mk-doc_1.4.0p9-1_all.deb
 94849966857a9dda6106ae628f66b9c1 90412 debug optional check-mk-livestatus-dbgsym_1.4.0p9-1_amd64.deb
 9c15e6e06fdc1131218b8a2460989500 969002 admin optional check-mk-livestatus_1.4.0p9-1_amd64.deb
 dce90f396ffccf372eed12e0e0a32965 227060 net optional check-mk-monitoring-plugins_1.4.0p9-1_all.deb
 5dbd7dc70c4a1591dac02b70ded4d680 3627048 admin optional check-mk-multisite_1.4.0p9-1_amd64.deb
 2e4e81aeab3ac7e12a64579806710120 1125142 admin optional check-mk-server_1.4.0p9-1_amd64.deb
 8756d65b8ed6356af1d01a8c5a46b1ca 10228 admin optional check-mk_1.4.0p9-1_amd64.buildinfo





Reply sent to Matt Taggart <taggart@debian.org>:
You have taken responsibility. (Fri, 06 Oct 2017 21:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 06 Oct 2017 21:09:03 GMT)


Message #25 received at 865497-close@bugs.debian.org:

From: Matt Taggart <taggart@debian.org>
To: 865497-close@bugs.debian.org
Subject: Bug#865497: fixed in check-mk 1.2.8p26-1
Date: Fri, 06 Oct 2017 21:05:09 +0000
Source: check-mk
Source-Version: 1.2.8p26-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart <taggart@debian.org> (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 06 Oct 2017 09:59:26 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc
Architecture: source all amd64
Version: 1.2.8p26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Matt Taggart <taggart@debian.org>
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.2.8p26-1) unstable; urgency=medium
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
Checksums-Sha1:
 8fe875d6ab255464e4b8d416953b84e4f9277a96 2598 check-mk_1.2.8p26-1.dsc
 8140b1641cb78d0729d6006acfff3b7d407e972f 11335620 check-mk_1.2.8p26.orig.tar.gz
 345e1c91a97a48d923d52e7a8dcfba4217aa5550 11827 check-mk_1.2.8p26-1.diff.gz
 922a06c89ba6cd55664843dd8b53bfdebbde265e 189380 check-mk-agent-logwatch_1.2.8p26-1_all.deb
 a49df06b82eeaa36df0341c6f70222967b9f047b 195682 check-mk-agent_1.2.8p26-1_amd64.deb
 28c1af72164ce3f56f0f7d5c7c8c598133b5127b 192774 check-mk-config-icinga_1.2.8p26-1_amd64.deb
 e1305f2f40c3bf7dc767b3f1d78d858c7e6d3be2 1220494 check-mk-doc_1.2.8p26-1_all.deb
 8ef3ebe1da0db68e8768f59f9d60b6d661b788ee 6966 check-mk-livestatus-dbgsym_1.2.8p26-1_amd64.deb
 7bbe53226062ee0799d7f76ca439aa527ed325e3 473596 check-mk-livestatus_1.2.8p26-1_amd64.deb
 382f323a3e55996b68a59992edef80736714ae2e 3528056 check-mk-multisite_1.2.8p26-1_amd64.deb
 df676140d5108de4dc37e23f7fab24f1704217c8 1072598 check-mk-server_1.2.8p26-1_amd64.deb
 f881e41c9ff069d93652e33fdc174f19b52d52cb 7963 check-mk_1.2.8p26-1_amd64.buildinfo
Checksums-Sha256:
 5192acf8e2b16a9c8e371f0864a857da84781e8e0d3e6304d624666852d170fc 2598 check-mk_1.2.8p26-1.dsc
 4e45d080fa838f75faf71e7cf7634224e055201cb8fc86b0a85274e2adc40239 11335620 check-mk_1.2.8p26.orig.tar.gz
 cf77dab5d7ab667decab6031e87bed66756156acd0be2d5e680c002be7375a45 11827 check-mk_1.2.8p26-1.diff.gz
 acfd69b30ee88b9c0fcf7e2d494e05cc93c765e6b55198de92b8b45673c264f3 189380 check-mk-agent-logwatch_1.2.8p26-1_all.deb
 eaaf48dbdf739c296868bb2f368c7d64a6b27b8ec63ac8bfdc136f14423aeddd 195682 check-mk-agent_1.2.8p26-1_amd64.deb
 4d2a9ad25ef885ea63e83f2032c3836f65fa1e18f08b8aaafe072ba39c531d2c 192774 check-mk-config-icinga_1.2.8p26-1_amd64.deb
 741b02ca56e32d28c4194730dec818b9e6412b8847894220b833e831b55ca19f 1220494 check-mk-doc_1.2.8p26-1_all.deb
 0d0b892255bed66d741228ca199f85100d436247afd7fee2fb4c30b6e721f667 6966 check-mk-livestatus-dbgsym_1.2.8p26-1_amd64.deb
 0197758146a384ff3829976cd7e577f28aed88601ddf3aba9a757efcb2b71aab 473596 check-mk-livestatus_1.2.8p26-1_amd64.deb
 fa02b7f7a48810ae480fa50d5c46ce566b16e2eed5a39ab5e9d387782ed1c77d 3528056 check-mk-multisite_1.2.8p26-1_amd64.deb
 4e76dbb82bf60b667b70bca96b5ed499f7943fe66648030e05d9c5c8b816b450 1072598 check-mk-server_1.2.8p26-1_amd64.deb
 6306aeca745daf24e55b2aa984ecf65e5d4309ddc0fada8f862a6dccbc81b56e 7963 check-mk_1.2.8p26-1_amd64.buildinfo
Files:
 f22235b029e7d33fa590a537704a45ae 2598 admin optional check-mk_1.2.8p26-1.dsc
 f4f18538cfe9fbcaf43526c42d38fb2c 11335620 admin optional check-mk_1.2.8p26.orig.tar.gz
 eb85b2021b29a57a13be38ee5c54a553 11827 admin optional check-mk_1.2.8p26-1.diff.gz
 039d5b70a0c5b802f4dcf9ee6448b156 189380 admin optional check-mk-agent-logwatch_1.2.8p26-1_all.deb
 ce194baea5ddd0f12f51fa0782ff483e 195682 admin optional check-mk-agent_1.2.8p26-1_amd64.deb
 584ea4ed2a06566bc00965dd4fea9469 192774 admin optional check-mk-config-icinga_1.2.8p26-1_amd64.deb
 1b0fcb37d03a3ff818bdd96bbdde5682 1220494 doc optional check-mk-doc_1.2.8p26-1_all.deb
 cf0c3dffc0984e3df6d8888ebc379efc 6966 debug optional check-mk-livestatus-dbgsym_1.2.8p26-1_amd64.deb
 60f90006507552e4e7bb521041dac479 473596 admin optional check-mk-livestatus_1.2.8p26-1_amd64.deb
 35a7c711dc17589d402514c2aace4b60 3528056 admin optional check-mk-multisite_1.2.8p26-1_amd64.deb
 7526fe4eb1d67f87ca22fbf0d065f18c 1072598 admin optional check-mk-server_1.2.8p26-1_amd64.deb
 012dd442b0d97e4f75df76331bab109b 7963 admin optional check-mk_1.2.8p26-1_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Fri, 06 Oct 2017 21:30:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 06 Oct 2017 21:30:06 GMT)


Message #30 received at 865497@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 865497@bugs.debian.org
Cc: Matt Taggart <taggart@debian.org>
Subject: CVE-2017-9781 not yet fixed in 1.2.8p26-1?
Date: Fri, 6 Oct 2017 23:28:15 +0200
Control: notfixed -1 1.2.8p26-1

Hi!

On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:check-mk package:
> 
> #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py

I looked up the source for 1.2.8p26-1.

The fix for CVE-2017-9781 is 

http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1

which does not yet seem to be applied to 1.2.8p26-1?

Can you please double-check?


Note, there is a second CVE now for check-mk, that one got addressed
in 1.2.8p26, but it's not clear yet in which version it was
introduced.

Regards,
Salvatore



No longer marked as fixed in versions check-mk/1.2.8p26-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 865497-submit@bugs.debian.org. (Fri, 06 Oct 2017 21:30:06 GMT)


Set Bug forwarded-to-address to 'http://mathias-kettner.com/check_mk_werks.php?werk_id=4757'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Oct 2017 21:36:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Fri, 06 Oct 2017 22:45:03 GMT)


Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 06 Oct 2017 22:45:03 GMT)


Message #39 received at 865497@bugs.debian.org:

From: Matt Taggart <taggart@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 865497@bugs.debian.org
Subject: Re: CVE-2017-9781 not yet fixed in 1.2.8p26-1?
Date: Fri, 6 Oct 2017 15:43:38 -0700
On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote:
> Control: notfixed -1 1.2.8p26-1
> 
> Hi!
> 
> On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
>> This is an automatic notification regarding your Bug report
>> which was filed against the src:check-mk package:
>>
>> #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
> 
> I looked up the source for 1.2.8p26-1.
> 
> The fix for CVE-2017-9781 is
> 
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
> 
> which does not yet seem to be applied to 1.2.8p26-1?
> 
> Can you please double-check?
> 
> 
> Note, there is a second CVE now for check-mk, that one got addressed
> in 1.2.8p26, but it's not clear yet in which version it was
> introduced.
Hi,

You are right, the fix for CVE-2017-9781, which upstream calls "werk 
#4757" is _not_ in 1.2.8p26. I was confused with upstream #5208 when I 
wrote the changelog that closed the bug.

Upstream lists the following security related fixes for 1.2.8
==============================================================
#5208
http://mathias-kettner.com/check_mk_werks.php?werk_id=5208&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=673360408b90f99bd54cf936091cff08d979a057

#4902
http://mathias-kettner.com/check_mk_werks.php?werk_id=4902&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96e39a0f024d9b2b521576c1eb71aca7fb3e818d

#7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?)
http://mathias-kettner.com/check_mk_werks.php?werk_id=7661&HTML=yes

#7631
http://mathias-kettner.com/check_mk_werks.php?werk_id=7631&HTML=yes

#3970 (fixed in 1.2.8p14)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3970&HTML=yes

#3855 (fixed in 1.2.8p11)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3855&HTML=yes

#3743 (fixed in 1.2.8p10)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3743&HTML=yes

Full list of changes for 1.2.8p26
=================================
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8&version=1.2.8p26&HTML=yes

Full list of changes for 1.4.0p14
=================================
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.4.0&version=1.4.0p14&HTML=yes

which additionally lists

#4757 (as you mentioned above, fixed in 1.4.0p6)
http://mathias-kettner.com/check_mk_werks.php?werk_id=4757&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f549502244a60146ed6831dc3473f2a

#7643 (only in 1.4 and newer)
http://mathias-kettner.com/check_mk_werks.php?werk_id=7643&HTML=yes

So I think the Debian 1.2.8p16 package is only missing #4757.

I will ask upstream if they intend to fix #4757 in the 1.2.8 series.
Unfortunately due to how the upstream tarball/build works, it is tricky 
to patch upstream files. If upstream doesn't intend to include this fix 
I can generate a patch to make it work.

I had started working on packaging 1.4.0 as a way to fix these security 
bugs (and even did an upload to experimental) but I recently learned 
from upstream that:

"The use of Check_MK without OMD environment and customization of paths 
is explicitly not supported anymore."

i.e. you can't use check-mk stand-alone, you have to use OMD (and 
livestatus/WATO/multisite, the whole stack) and you have to use 
upstream's installer to upstream's paths. It's very much the "network 
appliance" model (or flatpak, docker image, etc.).
I don't know if we'll be able to make this work in Debian. (not to 
mention that nagios is gone and icinga1 will go away at some point)

That prompted me to go back to 1.2.8 and package the latest release 
there in order to at least have something working without the security bugs.

-- 
Matt Taggart
taggart@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Sat, 07 Oct 2017 07:42:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 07 Oct 2017 07:42:03 GMT)


Message #44 received at 865497@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matt Taggart <taggart@debian.org>
Cc: 865497@bugs.debian.org
Subject: Re: CVE-2017-9781 not yet fixed in 1.2.8p26-1?
Date: Sat, 7 Oct 2017 09:38:33 +0200
Hi Matt!

On Fri, Oct 06, 2017 at 03:43:38PM -0700, Matt Taggart wrote:
> On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote:
> > Control: notfixed -1 1.2.8p26-1
> >
> > Hi!
> >
> > On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was filed against the src:check-mk package:
> > >
> > > #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
> >
> > I looked up the source for 1.2.8p26-1.
> >
> > The fix for CVE-2017-9781 is
> >
> > http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
> >
> > which does not yet seem to be applied to 1.2.8p26-1?
> >
> > Can you please double-check?
> >
> >
> > Note, there is a second CVE now for check-mk, that one got addressed
> > in 1.2.8p26, but it's not clear yet in which version it was
> > introduced.
> Hi,
>
> You are right, the fix for CVE-2017-9781, which upstream calls "werk #4757"
> is _not_ in 1.2.8p26. I was confused with upstream #5208 when I wrote the
> changelog that closed the bug.

Thanks for confirming!

> Upstream lists the following security related fixes for 1.2.8
> ==============================================================
> #5208
> http://mathias-kettner.com/check_mk_werks.php?werk_id=5208&HTML=yes
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=673360408b90f99bd54cf936091cff08d979a057
>
> #4902
> http://mathias-kettner.com/check_mk_werks.php?werk_id=4902&HTML=yes
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96e39a0f024d9b2b521576c1eb71aca7fb3e818d
>
> #7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=7661&HTML=yes
>
> #7631
> http://mathias-kettner.com/check_mk_werks.php?werk_id=7631&HTML=yes
>
> #3970 (fixed in 1.2.8p14)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=3970&HTML=yes
>
> #3855 (fixed in 1.2.8p11)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=3855&HTML=yes
>
> #3743 (fixed in 1.2.8p10)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=3743&HTML=yes
>
> Full list of changes for 1.2.8p26
> =================================
> http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8&version=1.2.8p26&HTML=yes
>
> Full list of changes for 1.4.0p14
> =================================
> http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.4.0&version=1.4.0p14&HTML=yes
>
> which additionally lists
>
> #4757 (as you mentioned above, fixed in 1.4.0p6)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=4757&HTML=yes
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f549502244a60146ed6831dc3473f2a
>
> #7643 (only in 1.4 and newer)
> http://mathias-kettner.com/check_mk_werks.php?werk_id=7643&HTML=yes
>
> So I think the Debian 1.2.8p16 package is only missing #4757.

Ok. Do you know something about
https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes ?
It was fixed in 1.2.8p26, but I failed to see if it was introduced
*after* 1.2.8p14-1. But I will try to handle that in a separate bug. I
tried to git clone the git repository mentioned at
http://git.mathias-kettner.de/check_mk.git but that just does not work
for me.
>
> I will ask upstream if they intend to fix #4757 in the 1.2.8 series.
> Unfortunately due to how the upstream tarball/build works, it is tricky to
> patch upstream files. If upstream doesn't intend to include this fix I can
> generate a patch to make it work.

Ok thanks.

> I had started working on packaging 1.4.0 as a way to fix these security bugs
> (and even did an upload to experimental) but I recently learned from
> upstream that:
>
> "The use of Check_MK without OMD environment and customization of paths is
> explicitly not supported anymore."
>
> ie you can't use check-mk stand-alone, you have to use OMD (and
> livestatus/WATO/multisite, the whole stack) and you have to use upstream's
> installer to upstream's paths. It's very much the "network appliance" model
> (or flatpak, docker image, etc)
> I don't know if we'll be able to make this work in Debian. (not to mention
> that nagios is gone and icinga1 will go away at some point)

Hmm, that sounds bad. I guess if that turns out to be true, then would
the better alternative be to drop check-mk completely from the Debian
archive? I mean specifically for the buster release cycle, if the 1.2.8
based series should then still be included.

> That prompted me to go back to 1.2.8 and package the latest release there in
> order to at least have something working without the security bugs.

Ok. I'm not too familiar with check-mk itself; I only worked on it
from a security-fix tracking point of view. Can you say something on
how long the 1.2.8 series is planned to be supported upstream?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#865497; Package src:check-mk. (Wed, 17 Jan 2018 08:30:03 GMT)


Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 17 Jan 2018 08:30:03 GMT)


Message #49 received at 865497@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 865497@bugs.debian.org
Subject: support status of check-mk-agent
Date: Wed, 17 Jan 2018 09:27:11 +0100
Hi

Is the agent still supported outside that "OMD environment"?

Bastian

-- 
Another Armenia, Belgium ... the weak innocents who always seem to be
located on a natural invasion route.
		-- Kirk, "Errand of Mercy", stardate 3198.4




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:43:31 2019; Machine Name: beach
