A security issue fixed upstream in the Monit service manager has been announced: http://openwall.com/lists/oss-security/2016/10/27/17 The issue is fixed in 5.20.0, and the commit to fix it is linked in the message above.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11, olav, stewbintn
Assignee: bugsquad => pkg-bugs
Fixed for both mga5 and Cauldron, updating to latest upstream 5.20.0 release.
CC: (none) => geiger.david68210
Thanks David!

Advisory:
========================

Updated monit package fixes security vulnerability:

The forms in Monit's Service Manager are vulnerable to a cross-site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host, or disable/enable monitoring for a specific service (CVE-2016-7067).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7067
http://openwall.com/lists/oss-security/2016/10/27/17
========================

Updated packages in core/updates_testing:
========================

monit-5.20.0-1.mga5 from monit-5.20.0-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
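For readers who want to see what the class of bug in the advisory above looks like at the code level, here is an added illustration that is not Monit's code and not the upstream fix: a synchronizer-token check for a state-changing form handler, in C because that is the language Monit is written in. The field name csrf_token, the helper names and the sample form bodies are assumptions made for this example. A forged cross-site POST cannot carry the token bound to the victim's session, and a GET (link or img tag) is rejected outright, so neither can flip a service's monitoring state.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative only: not Monit's code and not its upstream fix.  The field
 * name "csrf_token" and every helper below are assumptions for this example. */

/* Hex digit value for %XX decoding; -1 for a non-hex character. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Extract and URL-decode the value of field `name` from an
 * application/x-www-form-urlencoded body.  Returns the decoded length,
 * or -1 if the field is absent, malformed, or does not fit in `out`. */
int form_get(const char *body, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        /* Exact name match followed by '=' (so "csrf_token_x" does not match). */
        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = flen - nlen - 1;
            size_t o = 0;
            for (size_t i = 0; i < vlen; i++) {
                if (o + 1 >= outlen) return -1;
                if (v[i] == '%') {
                    if (i + 2 >= vlen) return -1;          /* truncated %X */
                    int hi = hexval(v[i + 1]), lo = hexval(v[i + 2]);
                    if (hi < 0 || lo < 0) return -1;       /* bad hex digit */
                    out[o++] = (char)(hi * 16 + lo);
                    i += 2;
                } else if (v[i] == '+') {
                    out[o++] = ' ';
                } else {
                    out[o++] = v[i];
                }
            }
            out[o] = '\0';
            return (int)o;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Convenience wrapper: 1 if field `name` decodes to exactly `expect`. */
int form_value_is(const char *body, const char *name, const char *expect) {
    char buf[128];
    int n = form_get(body, name, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expect) && strcmp(buf, expect) == 0;
}

/* Constant-time comparison so a wrong token is not distinguishable by timing. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Decide whether a state-changing request may proceed: 1 = allowed, 0 = rejected.
 * Only POST is accepted (a GET triggered by a link or <img> is refused), and the
 * csrf_token field must equal the token bound to the authenticated session. */
int csrf_request_allowed(const char *method, const char *body, const char *session_token) {
    char tok[128];
    if (strcmp(method, "POST") != 0) return 0;
    int n = form_get(body, "csrf_token", tok, sizeof tok);
    if (n < 0) return 0;
    size_t slen = strlen(session_token);
    if ((size_t)n != slen) return 0;
    return ct_equal(tok, session_token, slen);
}

int main(void) {
    /* Constructed sample requests; "a1b2c3" stands in for a per-session random token. */
    const char *session = "a1b2c3";
    printf("forged POST without token : %d\n",
           csrf_request_allowed("POST", "action=stop&service=database", session));   /* 0 */
    printf("legitimate POST with token: %d\n",
           csrf_request_allowed("POST", "action=stop&service=database&csrf_token=a1b2c3", session)); /* 1 */
    printf("GET even with token       : %d\n",
           csrf_request_allowed("GET", "action=stop&csrf_token=a1b2c3", session));  /* 0 */
    return 0;
}
```

The token itself must be unpredictable and tied to the session (for example read from /dev/urandom at login and stored server-side); the check alone is worthless if the attacker can guess the value. Checking the method is the other half: an interface that changes state on GET is forgeable by any page the victim visits, token or not.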
Testing M5-64 real hardware, OK

Installed pre-update monit. It is very well self-documented in its extensive man page; and config file /etc/monitrc; and once started, via a browser to http://localhost:2812 using pre-defined user=admin, password=monit. You need to be root to use it at the command line or edit the config file. It talks much of 'alerts' which seem to go normally to syslog. One scarcely needs to alter the config file - it monitors the system within generous pre-set limits anyway.

For testing, these are the lines already active, or which I uncommented or altered to get some alerts:

/etc/monitrc
------------
set daemon 60 # check services at 1-minute intervals
set logfile syslog facility log_daemon
set httpd port 2812 and
    use address localhost # only accept connection from localhost
    allow localhost # allow localhost to connect to the server and
    allow admin:monit # require user 'admin' with password 'monit'
    allow @monit # allow users of group 'monit' to connect (rw)
    allow @users readonly # allow users of group 'users' to connect readonly
check system myhost.mydomain.tld
    if loadavg (1min) > 2 then alert
    if loadavg (5min) > 1 then alert
    if memory usage > 25% then alert
    if cpu usage (user) > 20% then alert
    if cpu usage (system) > 20% then alert
check file database with path /etc/monitrc
    if timestamp < 1 minutes then alert [used 'touch' to break this]

Tried:-
# monit -t [checks the config file]
# monit [launches the daemon]
# monit status
# monit reload [after altering the config file] and after browser use
# monit quit

[pre-update] http://localhost:2812
--------------------
At first use, demands a username & password. But not subsequently... The home page shows minimal info, with a few links worth clicking: 'running', the one under 'System', and for anything you added like the config file here called 'database'. Exceeded limits are shown in red.

AFTER the update: monit-5.20.0-1.mga5
I discarded .rpmnew, i.e. kept the current config file.
Tests all similar to previously. This is OK.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK
Advisory uploaded.
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
i586 virtualbox

Installed monit 5.8 and checked the /etc/monitrc file. Started the monit daemon via systemctl before reading the notes in comment #4.

# monit
monit daemon with PID 4015 awakened

Followed Lewis' lead and edited /etc/monitrc in similar fashion. http://localhost:2812 showed the Monit Service Manager page. Kept an eye on it for a couple of minutes while performing various tasks and then closed down.

Installed the update. Checked the config file and started the daemon at the command line.

# monit
Starting Monit 5.20.0 daemon with http interface at [localhost]:2812

Reloaded the Service Manager page in the browser. Everything OK.
CC: (none) => tarazed25
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0375.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/706399/