Bug 20335 - munin new security issue CVE-2017-6188
Summary: munin new security issue CVE-2017-6188
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK MGA5-32-OK has_procedure a...
Keywords: validated_update
Depends on:
Reported: 2017-02-23 01:27 CET by David Walser
Modified: 2017-04-04 08:44 CEST
CC: 3 users

See Also:
Source RPM: munin-2.0.25-3.mga6.src.rpm
Status comment:


Description David Walser 2017-02-23 01:27:21 CET
A CVE has been assigned for a security issue in munin:

Debian has a patch, as mentioned on their bug:

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-02-23 11:36:50 CET
Assigning to the registered maintainer.
Comment 2 David Walser 2017-02-26 17:18:28 CET
Debian has issued an advisory for this on February 25:

It was also fixed upstream in 2.0.31.

Patched packages uploaded for Mageia 5 and Cauldron.


Updated munin packages fix security vulnerability:

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET parameters
are not properly handled, allowing injection of options into munin-cgi-graph and
overwriting of any file accessible by the user running the CGI process.


Updated packages in core/updates_testing:

from munin-2.0.25-1.1.mga5.src.rpm
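The bug class the advisory text above describes (query-string values reaching the graph renderer's command line, where a value that begins with "--" is read as an option rather than as a limit) as an added illustration. This is not munin's Perl code: the parameter names lower_limit/upper_limit, the back-end command name "graphd" and the toy back-end option parser are assumptions chosen for the example, and the request string is constructed.

```python
"""Option injection from query-string values: added illustration, not munin's code.

The advisory says GET parameters reached munin-cgi-graph unvalidated and could
inject options into the graph renderer, which then wrote files as the CGI user.
This models that class of bug with a toy front end and a toy back-end parser.
Assumptions, for illustration only: the parameter names lower_limit/upper_limit,
the back-end command name "graphd", and a back end that treats every "--" token
as an option.
"""
import re
from urllib.parse import parse_qs

FORWARDED = ("lower_limit", "upper_limit")  # assumed graph parameters


def parse_backend_args(argv):
    """Toy stand-in for the renderer's getopt-style parsing (assumption):
    a token starting with "--" is always an option, even where a value was
    expected, so a stray "--out=..." becomes a live option."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, eq, val = tok[2:].partition("=")
            if eq:
                opts[name] = val
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                opts[name] = argv[i + 1]
                i += 1
            else:
                opts[name] = True
        i += 1
    return opts


def build_argv_vulnerable(query_string):
    """Copies each GET value into argv as its own token.  A value such as
    "--out=/var/lib/munin/html/x" is then parsed as an option by the back
    end: an arbitrary file write wherever the CGI user may write."""
    params = parse_qs(query_string, keep_blank_values=True)
    argv = ["graphd"]
    for name in FORWARDED:
        if name in params:
            argv += ["--" + name, params[name][0]]
    return argv


_NUMBER = re.compile(r"^[-+]?\d+(\.\d+)?$")


def build_argv_hardened(query_string):
    """Validates each value against the type the parameter really has (a
    number) and binds it to its option with "=", so the value can never stand
    alone as a token.  Rejecting a leading "-" would be the wrong fix: -5 is a
    legitimate lower limit."""
    params = parse_qs(query_string, keep_blank_values=True)
    argv = ["graphd"]
    for name in FORWARDED:
        if name in params:
            value = params[name][0]
            if not _NUMBER.match(value):
                raise ValueError("%s: expected a number, got %r" % (name, value))
            argv.append("--%s=%s" % (name, value))
    return argv


def hardened_rejects(query_string):
    """True if the hardened builder refuses the request."""
    try:
        build_argv_hardened(query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: the "limit" is really an output-path option.
    evil = "lower_limit=--out=/var/lib/munin/html/pwned.html"
    print("vulnerable:", parse_backend_args(build_argv_vulnerable(evil)))
    print("hardened rejects evil:", hardened_rejects(evil))
    print("hardened, valid:",
          parse_backend_args(build_argv_hardened("lower_limit=-5&upper_limit=100")))
```

The point of the hardened builder is that the fix lives in the front end's validation of each parameter's type, not in guessing how the back end's option parser will treat a token; attaching the value with "=" removes the parser from the trust boundary entirely.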
Comment 3 Herman Viaene 2017-02-28 15:12:02 CET
MGA5-32 on Asus A6000VM
No installation issues
Ref bug 11944 Comment 4, when pointing to 
I get Error 403
and in /var/log/httpd/error_log I get
[Tue Feb 28 14:25:06.656432 2017] [autoindex:error] [pid 3574] [client] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:25:43.965717 2017] [autoindex:error] [pid 3573] [client] AH01276: Cannot serve directory /usr/share/munin/static/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:38:06.228800 2017] [autoindex:error] [pid 3572] [client] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
The /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.

I googled these errors and all I found referred to /etc/munin/apache.conf, but this file does not exist, nor is there any mention of munin in the httpd.conf file.
Comment 4 David Walser 2017-03-02 12:11:14 CET
Debian has done a regression update today (March 2):

Will update the patch when I get a chance.
Comment 5 Dave Hodgins 2017-04-04 06:07:44 CEST
Let's get this one out.

Installed all of the munin packages.

Starting with http://guide.munin-monitoring.org/en/latest/installation/configuration.html#configure-web-server
but took some digging to figure out.

[root@i5v ~]# munin-node-configure --shell --families=contrib,auto | sh -x
# The following plugins caused errors:
# hddtemp_smartctl:
#       Junk printed to stderr
# http_loadtime:
#       Non-zero exit during autoconf (2)
# netstat_multi:
#       Wrong amount of autoconf
# proc:
#       In family 'auto' but doesn't have 'autoconf' capability
# samba:
#       Junk printed to stderr
+ ln -s /usr/share/munin/plugins/apc_nis /etc/munin/plugins/apc_nis
+ ln -s /usr/share/munin/plugins/hddtempd /etc/munin/plugins/hddtempd
+ ln -s /usr/share/munin/plugins/meminfo /etc/munin/plugins/meminfo

Enabled and then started the services and apache ...
[root@i5v system]# systemctl enable munin-fcgi-html.service
[root@i5v system]# systemctl enable munin-fcgi-graph.service
[root@i5v system]# systemctl enable munin-node.service
[root@i5v system]# systemctl start munin-fcgi-html.service
[root@i5v system]# systemctl start munin-fcgi-graph.service
[root@i5v system]# systemctl start munin-node.service
[root@i5v system]# systemctl restart httpd.service
Then, as regular user was able to access http://localhost/munin/
and confirmed the graphs are working, and at least some have data.

Installed the updates, restarted apache and confirmed still working.

Same testing completed on my x86_64 Mageia 5 virtualbox host.

Validating the update.
Comment 6 Mageia Robot 2017-04-04 08:44:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

