Debian Bug report logs - #798213
ganglia-web: CVE-2015-6816: auth bypass


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 6 Sep 2015 20:48:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version ganglia-web/3.6.1-1

Forwarded to https://github.com/ganglia/ganglia-web/issues/267


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#798213; Package src:ganglia-web. (Sun, 06 Sep 2015 20:48:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Sun, 06 Sep 2015 20:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ganglia-web: CVE-2015-6816: auth bypass
Date: Sun, 06 Sep 2015 22:45:29 +0200
Source: ganglia-web
Version: 3.6.1-1
Severity: important
Tags: security patch upstream

Hi,

the following vulnerability was published for ganglia-web.

CVE-2015-6816[0]:
ganglia-web auth bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-6816
[1] https://github.com/ganglia/ganglia-web/issues/267

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://github.com/ganglia/ganglia-web/issues/267'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 Sep 2015 20:51:03 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 01 Oct 2015 16:54:20 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#798213; Package src:ganglia-web. (Sun, 08 Nov 2015 18:15:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Sun, 08 Nov 2015 18:15:10 GMT)


Message #14 received at 798213@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 798213@bugs.debian.org
Subject: Re: Bug#798213: ganglia-web: CVE-2015-6816: auth bypass
Date: Sun, 8 Nov 2015 19:11:27 +0100
Hi,

On Sun, Sep 06, 2015 at 10:45:29PM +0200, Salvatore Bonaccorso wrote:
> Source: ganglia-web
> Version: 3.6.1-1
> Severity: important
> Tags: security patch upstream
> 
> Hi,
> 
> the following vulnerability was published for ganglia-web.
> 
> CVE-2015-6816[0]:
> ganglia-web auth bypass
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-6816
> [1] https://github.com/ganglia/ganglia-web/issues/267

*ping*?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>:
Bug#798213; Package src:ganglia-web. (Mon, 09 Nov 2015 12:21:06 GMT)


Acknowledgement sent to Daniel Pocock <daniel@pocock.pro>:
Extra info received and forwarded to list. Copy sent to Debian Monitoring Maintainers <pkg-monitoring-maintainers@lists.alioth.debian.org>. (Mon, 09 Nov 2015 12:21:06 GMT)


Message #19 received at 798213@bugs.debian.org:

From: Daniel Pocock <daniel@pocock.pro>
To: Salvatore Bonaccorso <carnil@debian.org>, 798213@bugs.debian.org
Subject: Re: [Pkg-monitoring-maintainers] Bug#798213: ganglia-web: CVE-2015-6816: auth bypass
Date: Mon, 09 Nov 2015 12:18:11 +0000
On 08/11/15 18:11, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Sep 06, 2015 at 10:45:29PM +0200, Salvatore Bonaccorso wrote:
>> Source: ganglia-web
>> Version: 3.6.1-1
>> Severity: important
>> Tags: security patch upstream
>>
>> Hi,
>>
>> the following vulnerability was published for ganglia-web.
>>
>> CVE-2015-6816[0]:
>> ganglia-web auth bypass
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2015-6816
>> [1] https://github.com/ganglia/ganglia-web/issues/267
> *ping*?


I did a review of the latest upstream releases (both ganglia-web and the
ganglia agent) and there are some new JavaScript dependencies that need
to be packaged:

https://cdnjs.cloudflare.com/ajax/libs/cubism/1.6.0/cubism.v1.min.js
https://cdnjs.cloudflare.com/ajax/libs/protovis/3.3.1/protovis.min.js
https://cdnjs.cloudflare.com/ajax/libs/jstree/3.2.1/jstree.min.js

Given that we have given users of this package a disclaimer[1] about
security support and advised them to protect the web interface with an
ACL or HTTP authentication, how urgent is resolving this bug?

Regards,

Daniel


1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702775

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:24 2019; Machine Name: buxtehude