Mageia Bugzilla – Bug 10874
xymon new security issue CVE-2013-4173
Last modified: 2013-08-11 14:21:20 CEST
A CVE was assigned to a security issue fixed in xymon 4.3.12:
Mageia 2 and Mageia 3 are also affected.
This package is also maintained and needs to be updated.
Steps to Reproduce:
Cauldron rpm patched: xymon-4.2.3-14.mga4
(I'll leave version upgrade to the maintainer)
xymon-4.2.3-13.mga3 (also name of srpm)
xymon-4.2.3-11.mga2 (also name of srpm)
This xymon update addresses the following security issue:
A security vulnerability has been found in version 4.x of the
Xymon Systems & Network Monitor tool.
The error permits a remote attacker to delete files on the server
running the Xymon trend-data daemon "xymond_rrd".
File deletion is done with the privileges of the user that Xymon is
running with, so it is limited to files available to the userid
running the Xymon service. This includes all historical data stored
by the Xymon monitoring system. (CVE-2013-4173)
Advisory 10874.adv uploaded to svn.
I'm not clear on how to reproduce the PoC, so just testing that xymon is working.
After installing xymon on Mageia 2 i586 and x86_64 vb guest, in each ...
htpasswd -c /etc/xymon/hobbitpasswd dave
Edit /etc/xymon/bb-hosts, and add a line like
The line added to the i2v guest points to the x2v guest, and vice-versa.
service xymon start
firefox http://localhost/xymon &
Checked the various reports etc.
Testing complete on Mageia 2.
Mageia 3 is not working. Getting a 404 status code (Object not found).
cp /etc/httpd/conf.d/hobbit-apache.conf /etc/httpd/conf/conf.d/
service httpd restart
I get a 403 status code (Access forbidden).
xymon-4.2.3-13.mga3 is building now, converting it for proper Apache 2.4 support.
Advisory 10874.adv updated for new srpm. Have to wait for the mirrors to
sync, so I'll likely leave the mga3 testing till tomorrow (later today now),
unless someone else tests it first.
Testing complete on Mageia 3 i586 and x86_64.
Could someone from the sysadmin team push 10874.adv to updates?
David, thanks for fixing mga3 and cauldron packages.