11944 – munin new security issues CVE-2013-6048 and CVE-2013-6359

Bug 11944 - munin new security issues CVE-2013-6048 and CVE-2013-6359

Summary: munin new security issues CVE-2013-6048 and CVE-2013-6359

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	3
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/576418/
Whiteboard:	has_procedure advisory mga3-64-ok mga...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2013-12-10 21:39 CET by David Walser
Modified:	2013-12-19 22:11 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	munin-2.0.12-2.mga3.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2013-12-10 21:39:21 CET

Debian has issued an advisory on December 9:
http://www.debian.org/security/2013/dsa-2815

The issues are fixed upstream in 2.0.18 (2.0.19 is also out fixing a bug).

I'm not sure if 2.1.x is affected, but I'd guess so.  No new release is out there.

Reproducible: 

Steps to Reproduce:

Comment 1 Guillaume Rousse 2013-12-15 20:06:40 CET

I just submitted munin-2.0.12-2.1 in updates/testing, porting upstream changes fixing those two issues.

Status: NEW => ASSIGNED

Comment 2 David Walser 2013-12-15 20:23:15 CET

Thanks Guillaume!  Are those fixes already in the version we have in Cauldron?

Advisory:
========================

Updated munin packages fix security vulnerabilities:

The Munin::Master::Node module of munin does not properly validate certain
data a node sends. A malicious node might exploit this to drive the munin-html
process into an infinite loop with memory exhaustion on the munin master
(CVE-2013-6048).

A malicious node, with a plugin enabled using "multigraph" as a multigraph
service name, can abort data collection for the entire node the plugin runs on
(CVE-2013-6359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359
http://www.debian.org/security/2013/dsa-2815
========================

Updated packages in core/updates_testing:
========================
munin-2.0.12-2.1.mga3
munin-master-2.0.12-2.1.mga3
munin-node-2.0.12-2.1.mga3
munin-java-plugins-2.0.12-2.1.mga3
munin-async-2.0.12-2.1.mga3

from munin-2.0.12-2.1.mga3.src.rpm

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs

Comment 3 Guillaume Rousse 2013-12-18 12:42:07 CET

We juste reverted the version in cauldron to stable release 2.0.19, which includes the fix.

Comment 4 claire robinson 2013-12-19 11:22:39 CET

Testing mga3 64

Before
------
Trying to set up the release version. Rather buggy. I couldn't get it going so installed the update.

With munin and munin-master installed, cron gives an error every 5 mins 'not a reference at /usr/lib/perl5/vendor_perl/5.16.3/Munin/Master/Utils.pm line 947.'.

munin-node shows errors on installation (below) but the service starts ok.

installing perl-IO-Multiplex-1.130.0-2.mga3.noarch.rpm perl-Net-Server-2.6.0-2.mga3.noarch.rpm perl-Net-SNMP-6.0.1-2.mga3.noarch.rpm munin-node-2.0.12-2.mga3.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################
      1/4: perl-Net-SNMP         ##########################
      2/4: perl-IO-Multiplex     ##########################
      3/4: perl-Net-Server       ##########################
      4/4: munin-node            ##########################
# The following plugins caused errors:
# ntp_states:
#       Non-zero exit during autoconf (2)
# proc:
#       In family 'auto' but doesn't have 'autoconf' capability


http://localhost/munin and http://localhost/munin/static/ show 403 'Access forbidden' but /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.


After
-----
Seems alot better with the updated packages. The web interface is accessible. The cron errors have stopped. No error from munin-node installation. Let it run for a while and the graphs started to accumulate data.

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 5 claire robinson 2013-12-19 12:21:01 CET

Testing complete mga3 32

Installing the update directly, rather than updating from the previous versions shows munin-node still shows errors on installation.

# The following plugins caused errors:
# hddtemp_smartctl:
#       Junk printed to stderr
# ntp_states:
#       Non-zero exit during autoconf (2)
# proc:
#       In family 'auto' but doesn't have 'autoconf' capability


These don't seem to affect overall operation and appear to be just informational for plugins not supported on the host. smartmontools is not installed on this one which would account for the hddtemp_smartctl error.

After configuring the 'allow' lines in /etc/munin/munin-node.conf to allow connection from the munin-master and restarting munin-node service, the master started to receive updates from the remote host.

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 6 claire robinson 2013-12-19 12:43:47 CET

Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2013-12-19 22:11:55 CET

Update pushed:
http://advisories.mageia.org/MGASA-2013-0378.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.