
Debian Bug report logs - #760372
loganalyzer: CVE-2014-6070


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 3 Sep 2014 11:06:15 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version loganalyzer/3.6.5+dfsg-7

Fixed in version loganalyzer/3.6.6+dfsg-1

Done: Daniel Pocock <daniel@pocock.pro>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#760372; Package src:loganalyzer. (Wed, 03 Sep 2014 11:06:20 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Wed, 03 Sep 2014 11:06:20 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: loganalyzer: CVE-2014-6070
Date: Wed, 03 Sep 2014 13:04:37 +0200
Source: loganalyzer
Version: 3.6.5+dfsg-7
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for loganalyzer. I was
not yet able to verify the vulnerability, but it is said to be fixed
in 3.6.6 upstream.

CVE-2014-6070[0]:
Syslog LogAnalyzer persistent XSS injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-6070
[1] http://seclists.org/fulldisclosure/2014/Sep/17
[2] http://loganalyzer.adiscon.com/downloads/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#760372; Package src:loganalyzer. (Wed, 03 Sep 2014 11:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.pro>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Wed, 03 Sep 2014 11:12:05 GMT) (full text, mbox, link).


Message #10 received at 760372@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.pro>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>, 760372@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Andre Lorbach <alorbach@adiscon.com>
Subject: Re: [Pkg-monitoring-maintainers] Bug#760372: loganalyzer: CVE-2014-6070
Date: Wed, 03 Sep 2014 13:11:08 +0200
Hi Rainer, Andre,

Could you please comment on this security report?

Is the current Debian package affected?

Regards,

Daniel


On 03/09/14 13:04, Salvatore Bonaccorso wrote:
> Source: loganalyzer
> Version: 3.6.5+dfsg-7
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for loganalyzer. I was
> not yet able to verify the vulnerability, but it is said to be fixed
> in 3.6.6 upstream.
>
> CVE-2014-6070[0]:
> Syslog LogAnalyzer persistent XSS injection
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-6070
> [1] http://seclists.org/fulldisclosure/2014/Sep/17
> [2] http://loganalyzer.adiscon.com/downloads/
>
> Regards,
> Salvatore
>
> _______________________________________________
> Pkg-monitoring-maintainers mailing list
> Pkg-monitoring-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-monitoring-maintainers




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#760372; Package src:loganalyzer. (Wed, 03 Sep 2014 11:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to Rainer Gerhards <rgerhards@hq.adiscon.com>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Wed, 03 Sep 2014 11:18:04 GMT) (full text, mbox, link).


Message #15 received at 760372@bugs.debian.org (full text, mbox, reply):

From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: Daniel Pocock <daniel@pocock.pro>
Cc: 760372@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Andre Lorbach <alorbach@adiscon.com>
Subject: Re: [Pkg-monitoring-maintainers] Bug#760372: loganalyzer: CVE-2014-6070
Date: Wed, 3 Sep 2014 13:15:38 +0200
[Message part 1 (text/plain, inline)]
Andre just went on vacation, but to the best of my knowledge he worked with
the reporter and has released a new version to address this issue.

Rainer


On Wed, Sep 3, 2014 at 1:11 PM, Daniel Pocock <daniel@pocock.pro> wrote:

>
>
> Hi Rainer, Andre,
>
> Could you please comment on this security report?
>
> Is the current Debian package affected?
>
> Regards,
>
> Daniel
>
>
> On 03/09/14 13:04, Salvatore Bonaccorso wrote:
> > Source: loganalyzer
> > Version: 3.6.5+dfsg-7
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > Hi,
> >
> > the following vulnerability was published for loganalyzer. I was
> > not yet able to verify the vulnerability, but it is said to be fixed
> > in 3.6.6 upstream.
> >
> > CVE-2014-6070[0]:
> > Syslog LogAnalyzer persistent XSS injection
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2014-6070
> > [1] http://seclists.org/fulldisclosure/2014/Sep/17
> > [2] http://loganalyzer.adiscon.com/downloads/
> >
> > Regards,
> > Salvatore
> >
> > _______________________________________________
> > Pkg-monitoring-maintainers mailing list
> > Pkg-monitoring-maintainers@lists.alioth.debian.org
> >
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-monitoring-maintainers
>
>
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#760372; Package src:loganalyzer. (Wed, 03 Sep 2014 12:09:13 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.pro>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Wed, 03 Sep 2014 12:09:13 GMT) (full text, mbox, link).


Message #20 received at 760372@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.pro>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>, 760372@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Cc: Andre Lorbach <alorbach@adiscon.com>
Subject: Re: [Pkg-monitoring-maintainers] Bug#760372: Bug#760372: loganalyzer: CVE-2014-6070
Date: Wed, 03 Sep 2014 14:05:53 +0200
[Message part 1 (text/plain, inline)]
On 03/09/14 13:15, Rainer Gerhards wrote:
> Andre just went on vacation, but to the best of my knowledge he worked
> with the reporter and has released a new version to address this issue.


Thanks for the feedback

Salvatore, I'd prefer to update the package closer to the freeze and
roll up any other changes in a single release.

People should not be making LogAnalyzer available to the world,
especially without additional access controls (HTTP authentication) so
that provides some protection against flaws that do exist in this product.

How would the security team feel if this package was classified in a
similar way to the ganglia-web package, e.g. security alerts are not RC
bugs and users advised to protect the URL with the webserver?


[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#760372; Package src:loganalyzer. (Sat, 06 Sep 2014 19:09:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Sat, 06 Sep 2014 19:09:09 GMT) (full text, mbox, link).


Message #25 received at 760372@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Pocock <daniel@pocock.pro>, 760372@bugs.debian.org
Cc: Rainer Gerhards <rgerhards@hq.adiscon.com>, team@security.debian.org, Andre Lorbach <alorbach@adiscon.com>
Subject: Re: Bug#760372: [Pkg-monitoring-maintainers] Bug#760372: Bug#760372: loganalyzer: CVE-2014-6070
Date: Sat, 6 Sep 2014 21:06:45 +0200
Hi Daniel,

On Wed, Sep 03, 2014 at 02:05:53PM +0200, Daniel Pocock wrote:
> Salvatore, I'd prefer to update the package closer to the freeze and
> roll up any other changes in a single release.

Personal opinion: having a fix sooner in testing would be preferable.
This way the whole package would receive more testing already before
the freeze.

> People should not be making LogAnalyzer available to the world,
> especially without additional access controls (HTTP authentication) so
> that provides some protection against flaws that do exist in this product.
> 
> How would the security team feel if this package was classified in a
> similar way to the ganglia-web package, e.g. security alerts are not RC
> bugs and users advised to protect the URL with the webserver?

It is hard to prevent a syslog analysis tool from processing data from
untrusted sources. Releasing the package mentioning such a restriction
to security support does somehow not make sense, considering the
intended use of the package.

In the concrete instance of
http://seclists.org/fulldisclosure/2014/Sep/17, a malicious syslog
client, by setting an appropriate hostname, could perform an XSS
injection, even if the loganalyzer instance would be secured with
additional access controls. Is this correct and do you agree?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#760372; Package src:loganalyzer. (Sun, 07 Sep 2014 06:51:08 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Pocock <daniel@pocock.pro>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Sun, 07 Sep 2014 06:51:08 GMT) (full text, mbox, link).


Message #30 received at 760372@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.pro>
To: Salvatore Bonaccorso <carnil@debian.org>, 760372@bugs.debian.org
Cc: Andre Lorbach <alorbach@adiscon.com>, team@security.debian.org, Rainer Gerhards <rgerhards@hq.adiscon.com>
Subject: Re: [Pkg-monitoring-maintainers] Bug#760372: Bug#760372: Bug#760372: loganalyzer: CVE-2014-6070
Date: Sun, 07 Sep 2014 08:49:10 +0200
On 06/09/14 21:06, Salvatore Bonaccorso wrote:
> Hi Daniel,
> 
> On Wed, Sep 03, 2014 at 02:05:53PM +0200, Daniel Pocock wrote:
>> Salvatore, I'd prefer to update the package closer to the freeze and
>> roll up any other changes in a single release.
> 
> Personal opinion: having a fix sooner in testing would be preferable.
> This way the whole package would receive more testing already before
> the freeze.
> 
>> People should not be making LogAnalyzer available to the world,
>> especially without additional access controls (HTTP authentication) so
>> that provides some protection against flaws that do exist in this product.
>>
>> How would the security team feel if this package was classified in a
>> similar way to the ganglia-web package, e.g. security alerts are not RC
>> bugs and users advised to protect the URL with the webserver?
> 
> It is hard to prevent a syslog analysis tool from processing data from
> untrusted sources. Releasing the package mentioning such a restriction
> to security support does somehow not make sense, considering the
> intended use of the package.
> 
> In the concrete instance of
> http://seclists.org/fulldisclosure/2014/Sep/17, a malicious syslog
> client, by setting an appropriate hostname, could perform an XSS
> injection, even if the loganalyzer instance would be secured with
> additional access controls. Is this correct and do you agree?
> 

Agreed - the majority of large networks don't have strict access control
on syslog and some rogue user could exploit this.

3.6.6+dfsg-1 has just been uploaded.
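The point argued in the two messages above is that the hostname field of a syslog record is chosen by the sending client, so it reaches the web interface as untrusted input regardless of HTTP authentication in front of LogAnalyzer. The following is an added illustration, written for this page and not code from LogAnalyzer or from the thread participants; it is in Python rather than the project's PHP purely to keep it runnable stand-alone. It shows a minimal RFC 3164 style parser (assumed format, sample lines constructed), an RFC 1123 hostname check usable as a collector-side detection rule, and the defect pattern (field concatenated into markup) next to the hardened form (escaping at the HTML output boundary):

```python
"""Defensive handling of syslog-supplied hostnames before they reach HTML.

Hypothetical example, not LogAnalyzer code: a minimal RFC 3164 parser, a
hostname sanity check usable as a detection rule, and the unescaped versus
escaped rendering of the hostname cell.
"""
import html
import re

# Constructed sample input: two RFC 3164 style lines. The second carries an
# HTML tag where a hostname belongs, which is the shape of problem the report
# describes (the hostname is chosen by the sending client, not the server).
SAMPLE_LINES = [
    "<34>Sep  7 08:32:12 webhost01 sshd[1234]: Accepted publickey for daniel",
    "<13>Sep  7 08:33:01 <b>not-a-host</b> cron[77]: job finished",
]

# <PRI>TIMESTAMP HOSTNAME MSG  (assumed RFC 3164 layout)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 chars each, not starting or ending with a hyphen, 253 chars total.
# IPv4 literals pass; IPv6 literals would need a separate check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_syslog(line):
    """Return dict(pri, ts, host, msg) or None if the line is not RFC 3164 shaped."""
    m = _RFC3164.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    return rec


def is_valid_hostname(host):
    """True for a syntactically valid hostname; anything else is worth an alert."""
    return len(host) <= 253 and _HOSTNAME.match(host) is not None


def render_host_cell_unsafe(host):
    """The defect pattern: the field is concatenated straight into markup."""
    return "<td>" + host + "</td>"


def render_host_cell(host):
    """Hardened form: escape at the HTML output boundary, quotes included."""
    return "<td>" + html.escape(host, quote=True) + "</td>"


def triage(lines):
    """Parse lines, flag implausible hostnames, and return escaped cells.

    Each result is (host, suspicious, cell). Suspicious records are what a
    detection rule on the collector would alert on; the cell is safe to embed
    either way because escaping does not depend on the validity check.
    """
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        host = rec["host"]
        out.append((host, not is_valid_hostname(host), render_host_cell(host)))
    return out


if __name__ == "__main__":
    for host, suspicious, cell in triage(SAMPLE_LINES):
        print(f"{'SUSPICIOUS' if suspicious else 'ok        '} {cell}")
```

The validity check is deliberately kept separate from the escaping: rejecting or flagging odd hostnames is a detection control that reduces noise and points at a misbehaving client, while escaping on output is the control that closes the XSS regardless of what the check lets through.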



Reply sent to Daniel Pocock <daniel@pocock.pro>:
You have taken responsibility. (Sun, 07 Sep 2014 06:51:13 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 07 Sep 2014 06:51:13 GMT) (full text, mbox, link).


Message #35 received at 760372-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Pocock <daniel@pocock.pro>
To: 760372-close@bugs.debian.org
Subject: Bug#760372: fixed in loganalyzer 3.6.6+dfsg-1
Date: Sun, 07 Sep 2014 06:48:58 +0000
Source: loganalyzer
Source-Version: 3.6.6+dfsg-1

We believe that the bug you reported is fixed in the latest version of
loganalyzer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Pocock <daniel@pocock.pro> (supplier of updated loganalyzer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 07 Sep 2014 08:32:12 +0200
Source: loganalyzer
Binary: loganalyzer
Architecture: source all
Version: 3.6.6+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Pocock <daniel@pocock.pro>
Description:
 loganalyzer - web interface to syslog and event data
Closes: 760372
Changes:
 loganalyzer (3.6.6+dfsg-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix cross-site-scripting CVE-2014-6070 (Closes: #760372)
Checksums-Sha1:
 6da8b946b700abce880a7403eb69c999e77b84c2 2023 loganalyzer_3.6.6+dfsg-1.dsc
 06231cb473ebc7ee31eb7b4a9360649358bd86a7 1037669 loganalyzer_3.6.6+dfsg.orig.tar.gz
 3510686af81d0a8ed35406c515ba91189654c9fc 12656 loganalyzer_3.6.6+dfsg-1.debian.tar.xz
 d8d23ebd7988647abc8ee06c415cc257ca5f42d1 485098 loganalyzer_3.6.6+dfsg-1_all.deb
Checksums-Sha256:
 df21a1007a8e8f47984653f0fa1acd38b4816afba9bdba5da50ecd4c5060d9a5 2023 loganalyzer_3.6.6+dfsg-1.dsc
 ecaecea000799ccac51405ce7cf17ec2eba7073a11952521a3b4da30cbab3926 1037669 loganalyzer_3.6.6+dfsg.orig.tar.gz
 5b22a0de00eb6994a6530b82bb3701f6a463747a5114aa576245100945b45431 12656 loganalyzer_3.6.6+dfsg-1.debian.tar.xz
 dd1e9d7fd8660d0dd9120b898813e99426723261f2bf234f8229f904f71570ad 485098 loganalyzer_3.6.6+dfsg-1_all.deb
Files:
 dbd1daa3c13404d3b024966e5442a57f 485098 net optional loganalyzer_3.6.6+dfsg-1_all.deb
 0d65ade482c2a2f289b0737ab4e1e0e5 2023 net optional loganalyzer_3.6.6+dfsg-1.dsc
 9dc3fb3faa4454a3e807ce202345da35 1037669 net optional loganalyzer_3.6.6+dfsg.orig.tar.gz
 d2894be56767a1ba0cb4fb8daeb0d5d8 12656 net optional loganalyzer_3.6.6+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Oct 2014 07:35:25 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:38:29 2019; Machine Name: beach
