Bug 11944 - munin new security issues CVE-2013-6048 and CVE-2013-6359
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/576418/
Whiteboard: has_procedure advisory mga3-64-ok mga...
Keywords: validated_update

Reported: 2013-12-10 21:39 CET by David Walser
Modified: 2013-12-19 22:11 CET (History)

Source RPM: munin-2.0.12-2.mga3.src.rpm
Description David Walser 2013-12-10 21:39:21 CET
Debian has issued an advisory on December 9:
http://www.debian.org/security/2013/dsa-2815

The issues are fixed upstream in 2.0.18 (2.0.19 is also out fixing a bug).

I'm not sure if 2.1.x is affected, but I'd guess so.  No new release is out there.

Comment 1 Guillaume Rousse 2013-12-15 20:06:40 CET
I just submitted munin-2.0.12-2.1 in updates/testing, porting upstream changes fixing those two issues.
Comment 2 David Walser 2013-12-15 20:23:15 CET
Thanks Guillaume!  Are those fixes already in the version we have in Cauldron?

Advisory:
========================

Updated munin packages fix security vulnerabilities:

The Munin::Master::Node module of munin does not properly validate certain
data a node sends. A malicious node might exploit this to drive the munin-html
process into an infinite loop with memory exhaustion on the munin master
(CVE-2013-6048).

A malicious node, with a plugin enabled using "multigraph" as a multigraph
service name, can abort data collection for the entire node the plugin runs on
(CVE-2013-6359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359
http://www.debian.org/security/2013/dsa-2815
========================

Updated packages in core/updates_testing:
========================
munin-2.0.12-2.1.mga3
munin-master-2.0.12-2.1.mga3
munin-node-2.0.12-2.1.mga3
munin-java-plugins-2.0.12-2.1.mga3
munin-async-2.0.12-2.1.mga3

from munin-2.0.12-2.1.mga3.src.rpm
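Both CVEs in the advisory above come down to the master trusting what a node sends: field and service names are used as received, and the protocol keyword "multigraph" is accepted as a service name. The following is an added example, not munin's code and not the upstream fix (which this page does not show): a strict Python parser for a node's "fetch" response that bounds the amount of input it will read, validates service and field names, rejects the reserved word "multigraph" as a graph name, and only accepts numeric values or "U". The munin-node line protocol it parses ("field.value N", "multigraph <name>", a lone "." terminator) is real; the limits, regexes and the decision to drop "field.extinfo" lines are this example's own assumptions.

```python
"""Strict parser for a munin node's 'fetch' response.

Added example, not munin's code: it models the kind of validation the
advisory says Munin::Master::Node lacked. The munin-node line protocol
("field.value N", "multigraph <name>", "." terminator) is real; the exact
rules below (MAX_LINES, MAX_LINE_LEN, the identifier regexes) are this
example's own assumptions, not upstream's.
"""
import re

# Identifier rules assumed for this example.  Multigraph names may be
# dotted (parent.child); plain field names may not.
SERVICE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$")
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
VALUE_RE = re.compile(r"^-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?$")
RESERVED_NAMES = {"multigraph"}   # protocol keyword, never a valid service name
MAX_LINES = 10_000                # upper bound on one fetch response (assumed)
MAX_LINE_LEN = 4096               # upper bound on a single line (assumed)


class NodeDataError(ValueError):
    """Raised when a node sends something the master must not trust."""


def parse_fetch(lines, default_service):
    """Parse 'fetch' output into {service: {field: value}}.

    `lines` is an iterable of response lines from the node, an untrusted
    peer.  Every structural element is validated before it is used as a
    key, and the total input is bounded so a hostile node cannot make the
    master read or allocate without limit.  Only 'field.value' lines are
    accepted; 'field.extinfo' is left out of this example.
    """
    if default_service in RESERVED_NAMES or not SERVICE_RE.match(default_service):
        raise NodeDataError(f"bad service name {default_service!r}")
    data = {default_service: {}}
    service = default_service
    terminated = False
    for n, raw in enumerate(lines, 1):
        if n > MAX_LINES:
            raise NodeDataError("response exceeds MAX_LINES")
        if len(raw) > MAX_LINE_LEN:
            raise NodeDataError(f"line {n} exceeds MAX_LINE_LEN")
        line = raw.rstrip("\r\n")
        if line == ".":                       # end-of-response marker
            terminated = True
            break
        if not line or line.startswith("#"):
            continue
        if line.startswith("multigraph "):    # switch to a sub-graph
            name = line[len("multigraph "):].strip()
            if name in RESERVED_NAMES or not SERVICE_RE.match(name):
                raise NodeDataError(f"line {n}: bad multigraph name {name!r}")
            service = name
            data.setdefault(service, {})
            continue
        key, sep, value = line.partition(" ")
        if not sep:
            raise NodeDataError(f"line {n}: no value")
        field, _, attr = key.partition(".")
        if attr != "value" or not FIELD_RE.match(field):
            raise NodeDataError(f"line {n}: bad field {key!r}")
        value = value.strip()
        if value == "U":                      # munin's 'unknown' marker
            data[service][field] = None
        elif VALUE_RE.match(value):
            data[service][field] = float(value)
        else:
            raise NodeDataError(f"line {n}: bad value {value!r}")
    if not terminated:
        raise NodeDataError("response not terminated by '.'")
    return data


def is_rejected(lines, default_service):
    """True if parse_fetch refuses the input (convenience for checks)."""
    try:
        parse_fetch(lines, default_service)
    except NodeDataError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real node.
    good = ["multigraph diskstats_iops", "sda_read.value 12",
            "multigraph diskstats_iops.sda", "rdio.value U", "."]
    hostile = ["multigraph multigraph", "x.value 1", "."]
    print(parse_fetch(good, "diskstats"))
    print("hostile rejected:", is_rejected(hostile, "diskstats"))
```

The point of the bounded loop is that the parser fails closed: a node that never sends the "." terminator, or that streams lines forever, produces an error after MAX_LINES instead of an ever-growing structure, and a name like "multigraph" or "../../etc" never becomes a key the HTML generator later walks.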
Comment 3 Guillaume Rousse 2013-12-18 12:42:07 CET
We just reverted the version in cauldron to stable release 2.0.19, which includes the fix.
Comment 4 claire robinson 2013-12-19 11:22:39 CET
Testing mga3 64

Before
------
Trying to set up the release version. Rather buggy. I couldn't get it going so installed the update.

With munin and munin-master installed, cron gives an error every 5 mins 'not a reference at /usr/lib/perl5/vendor_perl/5.16.3/Munin/Master/Utils.pm line 947.'.

munin-node shows errors on installation (below) but the service starts ok.

installing perl-IO-Multiplex-1.130.0-2.mga3.noarch.rpm perl-Net-Server-2.6.0-2.mga3.noarch.rpm perl-Net-SNMP-6.0.1-2.mga3.noarch.rpm munin-node-2.0.12-2.mga3.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################
      1/4: perl-Net-SNMP         ##########################
      2/4: perl-IO-Multiplex     ##########################
      3/4: perl-Net-Server       ##########################
      4/4: munin-node            ##########################
# The following plugins caused errors:
# ntp_states:
#       Non-zero exit during autoconf (2)
# proc:
#       In family 'auto' but doesn't have 'autoconf' capability


http://localhost/munin and http://localhost/munin/static/ show 403 'Access forbidden' but /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.


After
-----
Seems a lot better with the updated packages. The web interface is accessible. The cron errors have stopped. No error from munin-node installation. Let it run for a while and the graphs started to accumulate data.
Comment 5 claire robinson 2013-12-19 12:21:01 CET
Testing complete mga3 32

Installing the update directly, rather than updating from the previous versions, shows munin-node still reporting errors on installation.

# The following plugins caused errors:
# hddtemp_smartctl:
#       Junk printed to stderr
# ntp_states:
#       Non-zero exit during autoconf (2)
# proc:
#       In family 'auto' but doesn't have 'autoconf' capability


These don't seem to affect overall operation and appear to be just informational for plugins not supported on the host. smartmontools is not installed on this one which would account for the hddtemp_smartctl error.

After configuring the 'allow' lines in /etc/munin/munin-node.conf to allow connection from the munin-master and restarting munin-node service, the master started to receive updates from the remote host.
Comment 6 claire robinson 2013-12-19 12:43:47 CET
Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 7 Thomas Backlund 2013-12-19 22:11:55 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0378.html