
Debian alert DLA-836-2 (munin)

From:  Jonas Meurer <mejo@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 836-2] munin regression update
Date:  Fri, 3 Mar 2017 01:54:12 +0100
Message-ID:  <76d38cdf-4616-bea9-628c-88fea970bdb6@debian.org>

Package        : munin
Version        : 2.0.6-4+deb7u4
Debian Bug     : 856455 856536

The update for munin issued as DLA-836-1 caused a regression in the
zooming functionality in munin-cgi-graph. Updated packages are now
available to correct this issue. For reference, the original advisory
text follows.

Stevie Trujillo discovered a command injection vulnerability in munin,
a network-wide graphing framework. The CGI script for drawing graphs
allowed to pass arbitrary GET parameters to a local shell command,
allowing command execution as the user that runs the webserver.

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.6-4+deb7u4.

We recommend that you upgrade your munin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Jonas Meurer

