Mageia alert MGASA-2012-0358 (munin) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0358: munin-2.0-0.rc5.2.1.mga2
 (2/core) 
Date:
    	       Tue, 11 Dec 2012 22:22:13 +0100
Message-ID:
    	       <20121211212213.GA23400@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0358
Date: 	December 11th, 2012
Affected releases: 	2


Description:
Updated munin packages fix security vulnerabilities:

The qmailscan plugin for Munin before 2.0 rc6 allows local users to
overwrite arbitrary files via a symlink attack on temporary files with
predictable names (CVE-2012-2103).

Munin before 2.0.6 stores plugin state files that run as root in the
same group-writable directory as non-root plugins, which allows local
users to execute arbitrary code by replacing a state file, as
demonstrated using the smart_ plugin (CVE-2012-3512).

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module
under Apache, allows remote attackers to load new configurations and
create files in arbitrary directories via the logdir command
(CVE-2012-3513).


Updated Packages:
munin-2.0-0.rc5.2.1.mga2
munin-master-2.0-0.rc5.2.1.mga2
munin-node-2.0-0.rc5.2.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513
http://www.ubuntu.com/usn/usn-1622-1/
https://bugs.mageia.org/show_bug.cgi?id=7591
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)