A CVE has been assigned for a security issue in ganglia-web:
http://openwall.com/lists/oss-security/2015/09/05/6

The upstream bug report linked in the message above has a suggested fix.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron by Solbu. Note the PoC on the upstream bug.

Advisory:
========================

Updated ganglia-web package fixes security vulnerability:

An issue with the use of unserialize() in ganglia-web allows authentication to be bypassed (CVE-2015-6816).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6816
http://openwall.com/lists/oss-security/2015/09/05/6
========================

Updated packages in core/updates_testing:
========================
ganglia-web-3.5.10-3.1.mga4
ganglia-web-3.6.2-4.1.mga5

from SRPMS:
ganglia-web-3.5.10-3.1.mga4.src.rpm
ganglia-web-3.6.2-4.1.mga5.src.rpm
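An added illustration of the bug class named in the advisory (trusting unserialize() on client-supplied data), not ganglia-web's own code or its actual fix: the cookie layout, field names and secret are constructed for this demo, and the hardened variant (HMAC verified with hash_equals() before json_decode()) is one common mitigation, not necessarily the one upstream applied.

```php
<?php
// Constructed example, not ganglia-web code. Shows why unserialize() on a
// browser-controlled cookie cannot carry an authentication decision, and a
// hardened form that authenticates the cookie before parsing it.

// Hypothetical server-side secret; a real deployment would load it from config.
const AUTH_SECRET = 'replace-with-a-random-secret-from-the-server-config';

// VULNERABLE pattern: the client controls every byte of the cookie, so every
// field in the resulting array (user, group, admin flag, ...) is client-chosen,
// and unserialize() may additionally instantiate objects and run magic methods.
function auth_state_vulnerable(string $cookie): ?array {
    $state = @unserialize($cookie);
    return is_array($state) ? $state : null;
}

// HARDENED pattern: the server issues base64(json) . '.' . hmac, and the
// reader checks the tag in constant time before it parses anything.
function make_auth_cookie(array $state): string {
    $payload = json_encode($state);
    $tag = hash_hmac('sha256', $payload, AUTH_SECRET);
    return base64_encode($payload) . '.' . $tag;
}

function auth_state_hardened(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                          // malformed: reject
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;                          // not valid base64: reject
    }
    $expected = hash_hmac('sha256', $payload, AUTH_SECRET);
    if (!hash_equals($expected, $parts[1])) {
        return null;                          // tampered or forged: reject
    }
    // json_decode() yields plain data only; no object instantiation.
    $state = json_decode($payload, true);
    return is_array($state) ? $state : null;
}

// Demo: a server-issued cookie verifies; the same cookie with one byte of
// its payload changed no longer matches its tag and is rejected.
$good = make_auth_cookie(['user' => 'alice', 'group' => 'viewers']);
$tampered = 'x' . substr($good, 1);
$ok = auth_state_hardened($good)['user'] === 'alice'
   && auth_state_hardened($tampered) === null;
echo $ok ? "hardened check behaves as expected\n" : "unexpected result\n";
```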
CC: (none) => cooker
Version: Cauldron => 5
Assignee: cooker => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure
Johnny, could you give some instructions for installing this and setting it up enough to test the PoC? I can't get it to work. Mageia 5 gives me a 403 error and Mageia 4 gives me:

<H4>There was an error collecting ganglia data (127.0.0.1:8652): fsockopen error: Connection refused</H4>
You need to start the gmond and gmetad services. The latter is provided by ganglia-gmetad.
(In reply to Johnny A. Solbu from comment #3)
> You need to start the gmond and gmetad services. The latter is provided by
> ganglia-gmetad.

I saw no new services installed. Please give more detailed instructions.
I don't know what to tell you...
(In reply to Johnny A. Solbu from comment #5)
> I don't know what to tell you...

If we can't get this working at all, how are we supposed to test it so that we can issue this update? Presumably you know how this thing works. I installed it and I saw no new files in /lib/systemd/system, I got the error I printed in Comment 2 on Mageia 4, and on Mageia 5 it gives a 403 error page. Please let us know how to get this thing working.
I just tested on a mga4 VM, which has never had ganglia installed. I installed ganglia-web, which also wanted to install ganglia-core and ganglia-gmetad. Then start the needed services:

(00:19:05) [root@mga4-x86_64 ~]# systemctl start httpd
(00:19:10) [root@mga4-x86_64 ~]# systemctl start gmetad.service
(00:19:16) [root@mga4-x86_64 ~]# systemctl start gmond.service

And it works. At least here.
I have submitted an updated mga5 package, ganglia-web-3.6.2-4.2.mga5, that should also fix the 403 error. Beware of an .rpmnew file in the config dir.
I guess I don't know how to configure authentication correctly enough to make the PoC do anything interesting, but ganglia-web is functional before and after the update on Mageia 4 i586 and Mageia 5 i586. The conf_default.php should probably be in /etc, or if it can be overridden in another file, there should be a README.urpmi saying where to put that other file (presumably called conf.php). That can be fixed later though.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK
(In reply to David Walser from comment #9)
> I guess I don't know how to configure authentication correctly enough to
> make the PoC do anything interesting,

I don't use authentication in ganglia, either. When I need authentication, I usually resort to .htaccess. ;-)

> The conf_default.php should probably be in /etc, or if it can be overridden in
> another file, there should be a README.urpmi saying where to put that other
> file (presumably called conf.php). That can be fixed later though.

If so, it needs to be symlinked from the webdir, as I think it's needed by the webserver, in order to configure the web client.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK => MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: ganglia-web

default install of ganglia-web

[root@localhost wilcal]# urpmi ganglia-web
Package ganglia-web-3.5.10-3.mga4.noarch is already installed

ganglia-web installs without error. gmetad & gmond are in MCC -> System -> Manage system services and can be stopped and started. httpd continues to run, stopped and started just fine.

install ganglia-web from updates_testing

[root@localhost wilcal]# urpmi ganglia-web
Package ganglia-web-3.5.10-3.1.mga4.noarch is already installed

ganglia-web update installs without error. gmetad & gmond are in MCC -> System -> Manage system services and can be stopped and started. httpd continues to run, stopped and started just fine.
CC: (none) => wilcal.int
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA5-32-OK advisory => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK advisory
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: ganglia-web

default install of ganglia-web

[root@localhost wilcal]# urpmi ganglia-web
Package ganglia-web-3.6.2-4.mga5.noarch is already installed

ganglia-web installs without error. gmetad & gmond are in MCC -> System -> Manage system services and can be stopped and started. httpd continues to run, stopped and started just fine.

install ganglia-web from updates_testing

[root@localhost wilcal]# urpmi ganglia-web
Package ganglia-web-3.6.2-4.2.mga5.noarch is already installed

ganglia-web update installs without error. gmetad & gmond are in MCC -> System -> Manage system services and can be stopped and started. httpd continues to run, stopped and started just fine.
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK advisory => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
This update works fine. Testing complete for MGA4 & MGA5, 32-bit & 64-bit. Validating the update. Could someone from the sysadmin team push to updates? Thanks.
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0375.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/657696/