A CVE was assigned to a security issue fixed in xymon 4.3.12: http://openwall.com/lists/oss-security/2013/07/27/3 Mageia 2 and Mageia 3 are also affected. This package is also maintained and needs to be updated.
Cauldron rpm patched: xymon-4.2.3-14.mga4 (I'll leave version upgrade to the maintainer)
Mga3 rpms:
    xymon-4.2.3-13.mga3 (also name of srpm)
    xymon-client-4.2.3-13.mga3
Mga2 rpms:
    xymon-4.2.3-11.mga2 (also name of srpm)
    xymon-client-4.2.3-11.mga2
Advisory:
This xymon update addresses the following security issue:
A security vulnerability has been found in version 4.x of the Xymon Systems & Network Monitor tool. The error permits a remote attacker to delete files on the server running the Xymon trend-data daemon "xymond_rrd". File deletion is done with the privileges of the user that Xymon is running with, so it is limited to files available to the userid running the Xymon service. This includes all historical data stored by the Xymon monitoring system. (CVE-2013-4173)
CC: (none) => bgmilne, tmb
Hardware: i586 => All
Version: Cauldron => 3
Assignee: bgmilne => qa-bugs
Whiteboard: (none) => MGA2TOO
Advisory 10874.adv uploaded to svn.
CC: (none) => davidwhodgins
I'm not clear on how to reproduce the poc, so just testing that xymon is working. After installing xymon on Mageia 2 i586 and x86_64 vb guest, in each ...
    htpasswd -c /etc/xymon/hobbitpasswd dave
Edit /etc/xymon/bb-hosts, and add a line like
    192.168.10.110 x2v.hodgins.homeip.net
The line added to the i2v guest points to the x2v guest, and vice-versa.
    service xymon start
    firefox http://localhost/xymon &
Checked the various reports etc. Testing complete on Mageia 2.
Whiteboard: MGA2TOO => MGA2TOO MGA2-64-OK MGA2-32-OK
Mageia 3 is not working. Getting a 404 status code (Object not found). After running
    cp /etc/httpd/conf.d/hobbit-apache.conf /etc/httpd/conf/conf.d/
    service httpd restart
I get a 403 status code (Access forbidden).
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA2-64-OK MGA2-32-OK feedback
xymon-4.2.3-13.mga3 is building now, converting it for proper apache 2.4 support.
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK feedback => MGA2TOO MGA2-64-OK MGA2-32-OK
Advisory 10874.adv updated for new srpm. Have to wait for the mirrors to sync, so I'll likely leave the mga3 testing till tomorrow (later today now), unless someone else tests it first.
Testing complete on Mageia 3 i586 and x86_64. Could someone from the sysadmin team push 10874.adv to updates?
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
David, thanks for fixing mga3 and cauldron packages. Update pushed: http://advisories.mageia.org/MGASA-2013-0243.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED