Bug 10874 - xymon new security issue CVE-2013-4173
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64...
Keywords: validated_update
Reported: 2013-07-29 13:47 CEST by David Walser
Modified: 2013-08-11 14:21 CEST (History)
Source RPM: xymon-4.2.3-13.mga4.src.rpm
Description David Walser 2013-07-29 13:47:55 CEST
A CVE was assigned to a security issue fixed in xymon 4.3.12:

Mageia 2 and Mageia 3 are also affected.

This package is also maintained and needs to be updated.

Comment 1 Thomas Backlund 2013-08-05 18:49:17 CEST
Cauldron rpm patched: xymon-4.2.3-14.mga4
(I'll leave version upgrade to the maintainer)

Mga3 rpms:
xymon-4.2.3-13.mga3 (also name of srpm)

Mga2 rpms:
xymon-4.2.3-11.mga2 (also name of srpm)

This xymon update addresses the following security issue:

A security vulnerability has been found in version 4.x of the
Xymon Systems & Network Monitor tool.

The error permits a remote attacker to delete files on the server
running the Xymon trend-data daemon "xymond_rrd".
File deletion is done with the privileges of the user that Xymon is
running with, so it is limited to files available to the userid
running the Xymon service. This includes all historical data stored
by the Xymon monitoring system. (CVE-2013-4173)
Comment 2 Dave Hodgins 2013-08-06 03:12:06 CEST
Advisory 10874.adv uploaded to svn.
Comment 3 Dave Hodgins 2013-08-11 04:24:51 CEST
I'm not clear on how to reproduce the poc, so just testing that xymon is working.
After installing xymon on Mageia 2 i586 and x86_64 vb guest, in each ...
htpasswd -c /etc/xymon/hobbitpasswd dave
Edit /etc/xymon/bb-hosts, and add a line like x2v.hodgins.homeip.net

The line added to the i2v guest points to the x2v guest, and vice-versa.

service xymon start
firefox http://localhost/xymon &

Checked the various reports etc.

Testing complete on Mageia 2.
Comment 4 Dave Hodgins 2013-08-11 04:46:58 CEST
Mageia 3 is not working. Getting a 404 status code (Object not found)
After running
cp /etc/httpd/conf.d/hobbit-apache.conf /etc/httpd/conf/conf.d/
service httpd restart
I get a 403 status code (Access forbidden).
Comment 5 David Walser 2013-08-11 05:28:08 CEST
xymon-4.2.3-13.mga3 is building now, converting it for proper apache 2.4 support.
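The 404-then-403 sequence in comment 4 and the "apache 2.4 support" rebuild in comment 5 are the classic symptoms of an Apache 2.2-era vhost fragment being loaded by httpd 2.4. The script below is an added example, not the hobbit-apache.conf shipped by Mageia or Xymon: the directory path is a placeholder, the config text is constructed, and the assumption that the 403 came from the 2.2 Order/Allow access-control syntax is a common cause rather than something the bug states. It shows the weak fragment beside its 2.4 equivalent, a grep that flags the legacy directives in any config file, and a conversion of the "allow everything" pattern.

```shell
#!/bin/sh
# Added example: Apache 2.2 -> 2.4 access-control conversion for a Xymon-style
# web fragment. Not the real hobbit-apache.conf; the path and text are constructed.

# Constructed 2.2-style fragment (assumption). On httpd 2.4 the Order/Allow
# directives only work via mod_access_compat, and an inherited
# "Require all denied" still applies, which shows up as a 403 on every request.
LEGACY_CONF='<Directory "/srv/example/xymon-www">
    Options Indexes FollowSymLinks
    Order deny,allow
    Allow from all
</Directory>'

# The same fragment with the 2.4 authorization syntax (mod_authz_core).
MODERN_CONF='<Directory "/srv/example/xymon-www">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>'

# Print any 2.2-only access directives read from stdin: Order, Allow from,
# Deny from and Satisfy. Feed it a conf file, e.g.
#   legacy_access_directives < /etc/httpd/conf/conf.d/hobbit-apache.conf
legacy_access_directives() {
    grep -Ei '^[[:space:]]*(Order|Allow from|Deny from|Satisfy)[[:space:]]'
}

# Count the legacy directives in a config text passed as $1.
count_legacy() {
    printf '%s\n' "$1" | legacy_access_directives | wc -l | tr -d ' '
}

# Convert the common 2.2 "allow everything" pattern in $1 to 2.4 syntax:
# drop the "Order ..." line and turn "Allow from all" into "Require all granted".
# Anything more selective (Allow from 10.0.0.0/8, Deny from ...) is printed
# unchanged so it can be rewritten by hand with "Require ip ...".
convert_allow_all() {
    printf '%s\n' "$1" \
      | sed -E -e '/^[[:space:]]*Order[[:space:]]/d' \
               -e 's/^([[:space:]]*)Allow from all[[:space:]]*$/\1Require all granted/'
}

# Stand-alone run: report what the legacy fragment contains and show the rewrite.
printf 'legacy directives in 2.2 fragment: %s\n' "$(count_legacy "$LEGACY_CONF")"
printf 'legacy directives in 2.4 fragment: %s\n' "$(count_legacy "$MODERN_CONF")"
convert_allow_all "$LEGACY_CONF"
```

After converting, `apachectl configtest` (or `httpd -t`) before `service httpd restart` catches the remaining syntax problems; a fragment that still produces 403 after the rewrite usually has a more restrictive `Require` inherited from a parent `<Directory>` block in the main config.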
Comment 6 Dave Hodgins 2013-08-11 06:03:09 CEST
Advisory 10874.adv updated for new srpm.  Have to wait for the mirrors to
sync, so I'll likely leave the mga3 testing till tomorrow (later today now),
unless someone else tests it first.
Comment 7 Dave Hodgins 2013-08-11 07:16:34 CEST
Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10874.adv to updates.
Comment 8 Thomas Backlund 2013-08-11 14:21:20 CEST
David, thanks for fixing mga3 and cauldron packages.

update pushed:
