Bug 20335 - munin new security issue CVE-2017-6188
: munin new security issue CVE-2017-6188
Status: NEW
Product: Mageia
Classification: Unclassified
Component: Security
: 5
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: feedback
:
:
:
  Show dependency treegraph
 
Reported: 2017-02-23 01:27 CET by David Walser
Modified: 2017-03-02 12:11 CET (History)
1 user (show)

See Also:
Source RPM: munin-2.0.25-3.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-02-23 01:27:21 CET
A CVE has been assigned for a security issue in munin:
http://openwall.com/lists/oss-security/2017/02/22/4

Debian has a patch, as mentioned on their bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-02-23 11:36:50 CET
Assigning to the registered maintainer.
Comment 2 David Walser 2017-02-26 17:18:28 CET
Debian has issued an advisory for this on February 25:
https://www.debian.org/security/2017/dsa-3794

It was also fixed upstream in 2.0.31.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated munin packages fix security vulnerability:

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET parameters
are not properly handled, allowing to inject options into munin-cgi-graph and
overwriting any file accessible by the user running the cgi-process
(CVE-2017-6188).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6188
https://www.debian.org/security/2017/dsa-3794
========================

Updated packages in core/updates_testing:
========================
munin-2.0.25-1.1.mga5
munin-master-2.0.25-1.1.mga5
munin-node-2.0.25-1.1.mga5
munin-java-plugins-2.0.25-1.1.mga5
munin-async-2.0.25-1.1.mga5

from munin-2.0.25-1.1.mga5.src.rpm
Comment 3 Herman Viaene 2017-02-28 15:12:02 CET
MGA5-32 on Asus A6000VM
No installation issues
Ref bug 11944 Comment 4, when pointing to 
http://localhost/munin 
I get Error 403
and in /var/log/httpd/error_log I get
[Tue Feb 28 14:25:06.656432 2017] [autoindex:error] [pid 3574] [client 127.0.0.1:38618] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:25:43.965717 2017] [autoindex:error] [pid 3573] [client 127.0.0.1:38622] AH01276: Cannot serve directory /usr/share/munin/static/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
[Tue Feb 28 14:38:06.228800 2017] [autoindex:error] [pid 3572] [client 127.0.0.1:38636] AH01276: Cannot serve directory /var/lib/munin/html/: No matching DirectoryIndex (index.php,index.phtml,index.html) found, and server-generated directory index forbidden by Options directive
The /etc/httpd/conf/sites.d/munin.conf shows 'Require all granted' for each directory and aliases in place.

I googled on these errors and all I found referred to /etc/munin/apache.conf, but this file does not exist, nor is there any mentionof munin in the httpd.conf file.
Comment 4 David Walser 2017-03-02 12:11:14 CET
Debian has done a regression update today (March 2):
https://lists.debian.org/debian-security-announce/2017/msg00053.html

Will update the patch when I get a chance.

Note You need to log in before you can comment on or make changes to this bug.