Mageia alert MGASA-2013-0243 (xymon) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2013-0243: Updated xymon package fixes security vulnerability. 
Date:
    	       Sun, 11 Aug 2013 14:20:10 +0200
Message-ID:
    	       <20130811122010.42A0948413@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2013-0243 - Updated xymon package fixes security vulnerability.

Publication date: 11 Aug 2013
URL: http://advisories.mageia.org/MGASA-2013-0243.html
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-4173

Description:
A security vulnerability has been found in version 4.x of the
Xymon Systems & Network Monitor tool 

The error permits a remote attacker to delete files on the server
running the Xymon trend-data daemon "xymond_rrd".
File deletion is done with the privileges of the user that Xymon is
running with, so it is limited to files available to the userid
running the Xymon service. This includes all historical data stored
by the Xymon monitoring system. (CVE-2013-4173)

References:
- https://bugs.mageia.org/show_bug.cgi?id=10874
- http://openwall.com/lists/oss-security/2013/07/27/3
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4173

SRPMS:
- 3/core/xymon-4.2.3-14.mga3
- 2/core/xymon-4.2.3-11.mga2
(Log in to post comments)