Bug 25269

Summary: monit new security issues CVE-2019-1145[45]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: monit-5.22.0-1.1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2019-08-11 21:23:23 CEST
Ubuntu issued an advisory on May 8:
https://usn.ubuntu.com/3971-1/

The issues are fixed upstream in 5.25.3.

Comment 1 David GEIGER 2019-08-19 10:09:12 CEST
Done for mga6!

Comment 2 David Walser 2019-08-19 19:44:36 CEST
Advisory:
========================

Updated monit package fixes security vulnerabilities:

Zack Flack discovered that Monit incorrectly handled certain input. A remote
authenticated user could exploit this to conduct cross-site scripting (XSS)
attacks (CVE-2019-11454).

Zack Flack discovered a buffer overread when Monit decoded certain crafted
URLs. An attacker could exploit this to leak potentially sensitive information
(CVE-2019-11455).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455
https://usn.ubuntu.com/3971-1/
========================

Updated packages in core/updates_testing:
========================
monit-5.25.3-1.1.mga6

from monit-5.25.3-1.1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 3 Herman Viaene 2019-09-03 11:54:15 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues.
Followed the advice on configuring a local .monitrc file as per bug 24049 Comment 4, then followed the test exactly as per bug 24049 Comment 7.
I will not repeat all operations here as they are all exactly the same (apart from the pid number).
OK for me.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2019-09-05 04:54:20 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-06 19:24:29 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-09-06 23:11:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0246.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED