Debian has issued an advisory on December 9: http://www.debian.org/security/2013/dsa-2815

The issues are fixed upstream in 2.0.18 (2.0.19 is also out fixing a bug). I'm not sure if 2.1.x is affected, but I'd guess so. No new release is out there.
I just submitted munin-2.0.12-2.1 in updates/testing, porting upstream changes fixing those two issues.
Status: NEW => ASSIGNED
Thanks Guillaume! Are those fixes already in the version we have in Cauldron?

Advisory:
========================

Updated munin packages fix security vulnerabilities:

The Munin::Master::Node module of munin does not properly validate certain data a node sends. A malicious node might exploit this to drive the munin-html process into an infinite loop with memory exhaustion on the munin master (CVE-2013-6048).

A malicious node, with a plugin enabled using "multigraph" as a multigraph service name, can abort data collection for the entire node the plugin runs on (CVE-2013-6359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359
http://www.debian.org/security/2013/dsa-2815
========================

Updated packages in core/updates_testing:
========================
munin-2.0.12-2.1.mga3
munin-master-2.0.12-2.1.mga3
munin-node-2.0.12-2.1.mga3
munin-java-plugins-2.0.12-2.1.mga3
munin-async-2.0.12-2.1.mga3

from munin-2.0.12-2.1.mga3.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
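As an added illustration of the input validation the advisory describes (example code written for this page, not Mageia's or upstream munin's own fix): a small parser for a munin-node "fetch" reply that rejects the reserved service name "multigraph" and malformed names, dropping only the bad service instead of aborting collection for the whole node. The name rules are an assumption modelled on munin's documented field-name conventions, and the reply is constructed.

```python
import re

# Assumed naming rules (not taken from the munin source): a service name is one
# or more dot-separated identifiers, a field name is a single identifier.
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
SERVICE_RE = re.compile(rf"^{IDENT}(\.{IDENT})*$")
FIELD_RE = re.compile(rf"^{IDENT}$")
RESERVED = {"multigraph"}  # cf. CVE-2013-6359

# Constructed node reply: one good nested service, one reserved name, one bad field.
SAMPLE_REPLY = [
    "multigraph diskstats_iops.sda",
    "rdio.value 12",
    "wrio.value 7",
    "multigraph multigraph",
    "bogus.value 1",
    "multigraph memory",
    "used-mem.value 3",
    "used.value 1024",
    ".",
]


def parse_fetch(lines, plugin):
    """Return ({service: {field: value}}, [errors]) for a fetch reply.
    Bad services and fields are skipped and reported; parsing never aborts."""
    data, errors = {}, []
    current, skipping = plugin, False
    for raw in lines:
        line = raw.rstrip("\n")
        if line == ".":              # end-of-reply marker
            break
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("multigraph "):
            name = line[len("multigraph "):].strip()
            if name in RESERVED or not SERVICE_RE.match(name):
                errors.append(f"rejected service name {name!r}")
                skipping = True      # ignore fields until the next valid service
                continue
            current, skipping = name, False
            continue
        if skipping:
            continue
        m = re.match(r"^([^.\s]+)\.value\s+(\S+)$", line)
        if not m:
            errors.append(f"unparseable line {line!r}")
            continue
        field, value = m.groups()
        if not FIELD_RE.match(field):
            errors.append(f"rejected field name {field!r}")
            continue
        data.setdefault(current, {})[field] = value
    return data, errors
```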
We just reverted the version in cauldron to stable release 2.0.19, which includes the fix.
Testing mga3 64

Before
------
Trying to set up the release version. Rather buggy. I couldn't get it going so installed the update.

With munin and munin-master installed, cron gives an error every 5 mins 'not a reference at /usr/lib/perl5/vendor_perl/5.16.3/Munin/Master/Utils.pm line 947.'.

munin-node shows errors on installation (below) but the service starts ok.

installing perl-IO-Multiplex-1.130.0-2.mga3.noarch.rpm perl-Net-Server-2.6.0-2.mga3.noarch.rpm perl-Net-SNMP-6.0.1-2.mga3.noarch.rpm munin-node-2.0.12-2.mga3.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ##########################
1/4: perl-Net-SNMP ##########################
2/4: perl-IO-Multiplex ##########################
3/4: perl-Net-Server ##########################
4/4: munin-node ##########################
# The following plugins caused errors:
# ntp_states:
# Non-zero exit during autoconf (2)
# proc:
# In family 'auto' but doesn't have 'autoconf' capability

http://localhost/munin and http://localhost/munin/static/ show 403 'Access forbidden' but /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.

After
-----
Seems a lot better with the updated packages. The web interface is accessible. The cron errors have stopped. No error from munin-node installation. Let it run for a while and the graphs started to accumulate data.
Whiteboard: (none) => has_procedure mga3-64-ok
Testing complete mga3 32

Installing the update directly, rather than updating from the previous versions, shows munin-node still shows errors on installation.

# The following plugins caused errors:
# hddtemp_smartctl:
# Junk printed to stderr
# ntp_states:
# Non-zero exit during autoconf (2)
# proc:
# In family 'auto' but doesn't have 'autoconf' capability

These don't seem to affect overall operation and appear to be just informational for plugins not supported on the host. smartmontools is not installed on this one, which would account for the hddtemp_smartctl error.

After configuring the 'allow' lines in /etc/munin/munin-node.conf to allow connection from the munin-master and restarting the munin-node service, the master started to receive updates from the remote host.
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Validating. Advisory uploaded. Could sysadmin please push from 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0378.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED