| Summary: | munin new security issues CVE-2013-6048 and CVE-2013-6359 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | guillomovitch, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/576418/ | ||
| Whiteboard: | has_procedure advisory mga3-64-ok mga3-32-ok | ||
| Source RPM: | munin-2.0.12-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-12-10 21:39:21 CET
I just submitted munin-2.0.12-2.1 in updates/testing, porting upstream changes fixing those two issues.

Status: NEW => ASSIGNED

Thanks Guillaume! Are those fixes already in the version we have in Cauldron?

Advisory:
========================

Updated munin packages fix security vulnerabilities:

The Munin::Master::Node module of munin does not properly validate certain data a node sends. A malicious node might exploit this to drive the munin-html process into an infinite loop with memory exhaustion on the munin master (CVE-2013-6048).

A malicious node, with a plugin enabled using "multigraph" as a multigraph service name, can abort data collection for the entire node the plugin runs on (CVE-2013-6359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359
http://www.debian.org/security/2013/dsa-2815
========================

Updated packages in core/updates_testing:
========================
munin-2.0.12-2.1.mga3
munin-master-2.0.12-2.1.mga3
munin-node-2.0.12-2.1.mga3
munin-java-plugins-2.0.12-2.1.mga3
munin-async-2.0.12-2.1.mga3

from munin-2.0.12-2.1.mga3.src.rpm

CC:
(none) => guillomovitch

We just reverted the version in cauldron to stable release 2.0.19, which includes the fix.

Testing mga3 64
Before
------
Trying to set up the release version. Rather buggy. I couldn't get it going so installed the update.
With munin and munin-master installed, cron gives an error every 5 mins 'not a reference at /usr/lib/perl5/vendor_perl/5.16.3/Munin/Master/Utils.pm line 947.'.
munin-node shows errors on installation (below) but the service starts ok.
installing perl-IO-Multiplex-1.130.0-2.mga3.noarch.rpm perl-Net-Server-2.6.0-2.mga3.noarch.rpm perl-Net-SNMP-6.0.1-2.mga3.noarch.rpm munin-node-2.0.12-2.mga3.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ##########################
1/4: perl-Net-SNMP ##########################
2/4: perl-IO-Multiplex ##########################
3/4: perl-Net-Server ##########################
4/4: munin-node ##########################
# The following plugins caused errors:
# ntp_states:
# Non-zero exit during autoconf (2)
# proc:
# In family 'auto' but doesn't have 'autoconf' capability
http://localhost/munin and http://localhost/munin/static/ show 403 'Access forbidden' but /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.
After
-----
Seems a lot better with the updated packages. The web interface is accessible. The cron errors have stopped. No error from munin-node installation. Let it run for a while and the graphs started to accumulate data.

Whiteboard: (none) => has_procedure mga3-64-ok

Testing complete

mga3 32
Installing the update directly, rather than updating from the previous versions, shows munin-node still shows errors on installation.
# The following plugins caused errors:
# hddtemp_smartctl:
# Junk printed to stderr
# ntp_states:
# Non-zero exit during autoconf (2)
# proc:
# In family 'auto' but doesn't have 'autoconf' capability
These don't seem to affect overall operation and appear to be just informational for plugins not supported on the host. smartmontools is not installed on this one, which would account for the hddtemp_smartctl error.
After configuring the 'allow' lines in /etc/munin/munin-node.conf to allow connection from the munin-master and restarting the munin-node service, the master started to receive updates from the remote host.

Whiteboard:
has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Validating. Advisory uploaded. Could sysadmin please push from 3 core/updates_testing to updates.

Thanks!

Keywords:
(none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0378.html

Status: ASSIGNED => RESOLVED
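Both issues in the advisory above are input-validation failures on the munin master side: a node can send unbounded data that the master buffers until it runs out of memory (CVE-2013-6048), and a node can name a multigraph service with the reserved keyword "multigraph" itself, which confuses the master's parser and loses the node's data (CVE-2013-6359). The following Python sketch is an added illustration, not munin's own code: it parses a simplified and assumed form of a node's fetch reply and applies the two checks a master needs, a hard cap on accepted input and rejection of reserved or malformed service names. The line format, limits, sample replies and function names are all assumptions constructed for the example.

```python
import re
from itertools import repeat

# Limits are constructed for this example; a real master would tune them.
MAX_LINES = 10_000          # cap on lines accepted from one fetch reply
MAX_LINE_BYTES = 4096       # cap on a single line
RESERVED_NAMES = {"multigraph"}   # the keyword itself must never name a service
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\.value\s+(\S+)$")


class NodeDataError(ValueError):
    """Raised when a node reply violates the master's validation rules."""


def _check_service_name(name):
    # Reject the reserved keyword and anything outside the assumed name grammar.
    if name in RESERVED_NAMES or not NAME_RE.fullmatch(name):
        raise NodeDataError(f"invalid multigraph service name {name!r}")


def parse_fetch_reply(plugin, lines, max_lines=MAX_LINES):
    """Parse an assumed, simplified fetch reply into {service: {field: value}}.

    Assumed line format:
      multigraph <service>    switches to a sub-service of the plugin
      <field>.value <number>  reports a data point ("U" means unknown)
      .                       terminates the reply
    Lines are consumed lazily, so an endless or oversized stream is cut off
    at max_lines instead of being buffered in full.
    """
    _check_service_name(plugin)
    data = {plugin: {}}
    current = plugin
    for count, raw in enumerate(lines, start=1):
        if count > max_lines:
            raise NodeDataError(f"reply exceeds {max_lines} lines")
        if len(raw.encode("utf-8")) > MAX_LINE_BYTES:
            raise NodeDataError("line too long")
        line = raw.rstrip("\r\n")
        if line == ".":
            return data
        if line.startswith("multigraph "):
            name = line[len("multigraph "):].strip()
            _check_service_name(name)
            current = name
            data.setdefault(current, {})
            continue
        match = FIELD_RE.match(line)
        if not match:
            raise NodeDataError(f"malformed line {line!r}")
        field, value = match.groups()
        if value == "U":
            data[current][field] = None
        else:
            try:
                data[current][field] = float(value)
            except ValueError:
                raise NodeDataError(f"non-numeric value {value!r}") from None
    raise NodeDataError("reply ended without terminator")


def reject_reason(plugin, lines, max_lines=MAX_LINES):
    """Return None if the reply is accepted, else the validation message."""
    try:
        parse_fetch_reply(plugin, lines, max_lines)
    except NodeDataError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample replies.
    good = ["multigraph cpu_user", "user.value 12.5",
            "multigraph cpu_sys", "sys.value 3", "idle.value U", "."]
    print(parse_fetch_reply("cpu", good))
    # Reserved keyword used as a service name: rejected instead of mis-parsed.
    print(reject_reason("cpu", ["multigraph multigraph", "x.value 1", "."]))
    # A node that never sends the terminator: cut off at the line cap.
    print(reject_reason("cpu", repeat("x.value 1"), max_lines=50))
```

The endless `repeat` stream stands in for a node that never terminates its reply; because the parser reads lazily and counts lines, the master gives up after `max_lines` rather than growing without bound.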