A CVE has been assigned for a security issue in munin:
Debian has a patch, as mentioned on their bug:
Mageia 5 is also affected.
Assigning to the registered maintainer.
Debian has issued an advisory for this on February 25:
It was also fixed upstream in 2.0.31.
Patched packages uploaded for Mageia 5 and Cauldron.
Updated munin packages fix security vulnerability:
Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET parameters
are not properly handled, allowing to inject options into munin-cgi-graph and
overwriting any file accessible by the user running the cgi-process
Updated packages in core/updates_testing:
MGA5-32 on Asus A6000VM
No installation issues
Ref bug 11944 Comment 4, when pointing to
I get Error 403
and in /var/log/httpd/error_log I get
[Tue Feb 28 14:25:06.656432 2017] [autoindex:error] [pid 3574] [client 127.0.0.1:38618] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:25:43.965717 2017] [autoindex:error] [pid 3573] [client 127.0.0.1:38622] AH01276: Cannot serve directory /usr/share/munin/static/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:38:06.228800 2017] [autoindex:error] [pid 3572] [client 127.0.0.1:38636] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
The /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.
I googled on these errors and all I found referred to /etc/munin/apache.conf, but this file does not exist, nor is there any mentionof munin in the httpd.conf file.
Debian has done a regression update today (March 2):
Will update the patch when I get a chance.
Let's get this one out.
Installed all of the munin packages.
Starting with http://guide.munin-monitoring.org/en/latest/installation/configuration.html#configure-web-server
but took some digging to figure out.
[root@i5v ~]# munin-node-configure --shell --families=contrib,auto | sh -x
# The following plugins caused errors:
# Junk printed to stderr
# Non-zero exit during autoconf (2)
# Wrong amount of autoconf
# In family 'auto' but doesn't have 'autoconf' capability
# Junk printed to stderr
+ ln -s /usr/share/munin/plugins/apc_nis /etc/munin/plugins/apc_nis
+ ln -s /usr/share/munin/plugins/hddtempd /etc/munin/plugins/hddtempd
+ ln -s /usr/share/munin/plugins/meminfo /etc/munin/plugins/meminfo
Enabled and then started the services and apache ...
[root@i5v system]# systemctl enable munin-fcgi-html.service
[root@i5v system]# systemctl enable munin-fcgi-graph.service
[root@i5v system]# systemctl enable munin-node.service
[root@i5v system]# systemctl start munin-fcgi-html.service
[root@i5v system]# systemctl start munin-fcgi-graph.service
[root@i5v system]# systemctl start munin-node.service
[root@i5v system]# systemctl restart httpd.service
Then, as regular user was able to access http://localhost/munin/
and confirmed the graphs are working, and at least some have data.
Installed the updates, restarted apache and confirmed still working.
Same testing completed on my x86_64 Mageia 5 virtualbox host.
Validating the update.
MGA5-64-OK MGA5-32-OK has_procedure advisoryCC:
An update for this issue has been pushed to the Mageia Updates repository.