Vulnerabilities were discovered in the munin package and have been fixed by the latest security patch. The issue is a flaw that allows privilege escalation, along with several other non-security application bugs.
Package: | munin 2.x |
Operating systems: | Fedora 16, Fedora 17 |
Problem: | improper input validation |
Exploitation: | local/remote |
Impact: | privilege escalation |
Solution: | vendor patch |
CVE: | CVE-2012-3512 |
Original advisory ID: | FEDORA-2012-13649 |
Source: | Fedora |
Problem: | |
The flaw is caused by improper handling of application settings. |
|
Impact: | |
An attacker could gain elevated privileges. |
|
Solution: | |
All users are advised to install the updates. |
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-13649
2012-09-09 02:07:25
--------------------------------------------------------------------------------
Name : munin
Product : Fedora 16
Version : 2.0.6
Release : 2.fc16
URL : http://munin-monitoring.org/
Summary : Network-wide graphing framework (grapher/gatherer)
Description :
Munin is a highly flexible and powerful solution used to create graphs
of virtually everything imaginable throughout your network, while still
maintaining a rattling ease of installation and configuration.
This package contains the grapher/gatherer. You will only need one instance of
it in your network. It will periodically poll all the nodes in your network
it's aware of for data, which it in turn will use to create graphs and HTML
pages, suitable for viewing with your graphical web browser of choice.
Munin is written in Perl, and relies heavily on Tobi Oetiker's excellent
RRDtool.
--------------------------------------------------------------------------------
Update Information:
added DBDIRNODE for munin-node and remove File::Path as it is no longer needed.
Update to 2.0.6, and bug fixes
Added init files for asyncd
Updated to 2.0.5
Update to munin 2
--------------------------------------------------------------------------------
ChangeLog:
* Sat Sep 8 2012 D. Johnson - 2.0.6-2
- node: remove File::Path as it is no longer needed.
- added DBDIRNODE for munin-node.
* Fri Aug 31 2012 D. Johnson - 2.0.6-1
- BZ# 851375 Replace @@GOODSH@@ in epel init scripts
- BZ# 849831,849834 CVE-2012-3512 munin: insecure state file handling,
munin->root privilege [fedora-all]
* Mon Aug 20 2012 D. Johnson - 2.0.5-3
- rebuilt for epel
* Tue Aug 14 2012 D. Johnson - 2.0.5-2
- Added munin-asyncd init files
* Tue Aug 14 2012 D. Johnson - 2.0.5-1
- Updated to 2.0.5
- BZ# 603344 / upstream 1180, ACPI thermal information changed with 3.x kernels
* Tue Aug 7 2012 D. Johnson - 2.0.4-3
- BZ# 823533 "hddtemp_smartctl plugin has a bug" - upstream patched
- BZ# 825820 Munin memcache plugin requires "perl(Cache::Memcached)"
- BZ# 834055 Munin updates changing permissions, conflicts with what munin-check
does
- BZ# 812893,812894,839786,840496 - updated to munin2
* Sun Aug 5 2012 D. Johnson - 2.0.4-2
- Changing permissions on html directories to minimize cron messages.
* Sat Aug 4 2012 D. Johnson - 2.0.4-1
- updated to 2.0.4
- backported el6 packaging items
* Tue Jul 24 2012 [e-mail address hidden] - 2.0.3-1
- Adjust default conf.d entry.
- updated to 2.0.3
* Fri Jul 20 2012 Fedora Release Engineering - 2.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jul 19 2012 D. Johnson - 2.0.2-2
- fixed conflicts
* Sat Jul 14 2012 D. Johnson - 2.0.2-1
- updated to 2.0.2
* Thu Jun 7 2012 D. Johnson - 2.0.0-1
- initial 2.0 release
* Fri May 18 2012 D. Johnson - 1.4.7-5
- BZ# 822992 Including GCTime.java.patch
- BZ# 747663 Include older cpuspeed.in for older kernels
- BZ# 822894 Requires: perl-Net-CIDR
- BZ# 746083 Append user=munin for munin-node plugins
- BZ# 821912 Move htaccess to httpd/conf.d/munin.conf for easier administration
* Sun May 13 2012 Kevin Fenzi - 1.4.7-4
- Fix ownership on /var/run/munin. Fixes bug #821204
* Tue Apr 24 2012 Kevin Fenzi - 1.4.7-3
- A better fix for 811867 with triggers.
- Fix directory conflict. Fixes bug #816340
- Fix path in java plugin. Fixes bug #816570
* Sun Apr 15 2012 Kevin Fenzi - 1.4.7-2
- Fix node postun from messing up plugins on upgrade. Works around bug #811867
* Wed Mar 14 2012 D. Johnson - 1.4.7-1
- updated for 1.4.7 release
* Wed Feb 22 2012 Kevin Fenzi 1.4.6-8
- Build against java-1.7.0 now. Fixes bug #796345
* Tue Jan 31 2012 D. Johnson - 1.4.6-7
- Create state file for yum-plugin. Fixes BZ #786030.
* Fri Jan 20 2012 Kevin Fenzi - 1.4.6-6
- Add PrivateTmp=true to systemd unit file. Fixes bug #782512
- Change logrotate to use munin user. Fixes bug #771017
* Fri Jan 13 2012 Fedora Release Engineering - 1.4.6-5.3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Mon Oct 17 2011 Stanislav Ochotnicky - 1.4.6-4.3
- Rebuild for java 1.6.0 downgrade (fesco ticket 663)
* Sat Aug 27 2011 Kevin Fenzi - 1.4.6-4.1
- Add patch to run restorecon in the sysvinit script.
- This doesn't matter on f16+
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #851375 - -bash: /etc/init.d/munin-asyncd: @@GOODSH@@: bad
interpreter: No such file or directory
https://bugzilla.redhat.com/show_bug.cgi?id=851375
[ 2 ] Bug #849831 - CVE-2012-3512 munin: insecure state file handling,
munin->root privilege [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=849831
[ 3 ] Bug #849834 - CVE-2012-3512 munin: insecure state file handling,
munin->root privilege [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=849834
[ 4 ] Bug #603344 - On install, Fedora selected all Linux swap partitions and
entered them for mounting in fstab
https://bugzilla.redhat.com/show_bug.cgi?id=603344
[ 5 ] Bug #823533 - hddtemp_smartctl plugin has a bug
https://bugzilla.redhat.com/show_bug.cgi?id=823533
[ 6 ] Bug #825820 - Libvirt is missing important hooks
https://bugzilla.redhat.com/show_bug.cgi?id=825820
[ 7 ] Bug #834055 - Munin updates changing permissions, conflicts with what
munin-check does
https://bugzilla.redhat.com/show_bug.cgi?id=834055
[ 8 ] Bug #812893 - munin various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=812893
[ 9 ] Bug #812894 - munin various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=812894
[ 10 ] Bug #839786 - RFE: Update munin to 2.0.x release
https://bugzilla.redhat.com/show_bug.cgi?id=839786
[ 11 ] Bug #840496 - Update to upstream 2.0.2
https://bugzilla.redhat.com/show_bug.cgi?id=840496
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update munin' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-13683
2012-09-09 02:09:54
--------------------------------------------------------------------------------
Name : munin
Product : Fedora 17
Version : 2.0.6
Release : 2.fc17
URL : http://munin-monitoring.org/
Summary : Network-wide graphing framework (grapher/gatherer)
Description :
Munin is a highly flexible and powerful solution used to create graphs
of virtually everything imaginable throughout your network, while still
maintaining a rattling ease of installation and configuration.
This package contains the grapher/gatherer. You will only need one instance of
it in your network. It will periodically poll all the nodes in your network
it's aware of for data, which it in turn will use to create graphs and HTML
pages, suitable for viewing with your graphical web browser of choice.
Munin is written in Perl, and relies heavily on Tobi Oetiker's excellent
RRDtool.
--------------------------------------------------------------------------------
Update Information:
added DBDIRNODE for munin-node and remove File::Path as it is no longer needed.
Update to 2.0.6, and bug fixes
Added init files for asyncd
Updated to 2.0.5
Update to munin 2
--------------------------------------------------------------------------------
ChangeLog:
* Sat Sep 8 2012 D. Johnson - 2.0.6-2
- node: remove File::Path as it is no longer needed.
- added DBDIRNODE for munin-node.
* Fri Aug 31 2012 D. Johnson - 2.0.6-1
- BZ# 851375 Replace @@GOODSH@@ in epel init scripts
- BZ# 849831,849834 CVE-2012-3512 munin: insecure state file handling,
munin->root privilege [fedora-all]
* Mon Aug 20 2012 D. Johnson - 2.0.5-3
- rebuilt for epel
* Tue Aug 14 2012 D. Johnson - 2.0.5-2
- Added munin-asyncd init files
* Tue Aug 14 2012 D. Johnson - 2.0.5-1
- Updated to 2.0.5
- BZ# 603344 / upstream 1180, ACPI thermal information changed with 3.x kernels
* Tue Aug 7 2012 D. Johnson - 2.0.4-3
- BZ# 823533 "hddtemp_smartctl plugin has a bug" - upstream patched
- BZ# 825820 Munin memcache plugin requires "perl(Cache::Memcached)"
- BZ# 834055 Munin updates changing permissions, conflicts with what munin-check
does
- BZ# 812893,812894,839786,840496 - updated to munin2
* Sun Aug 5 2012 D. Johnson - 2.0.4-2
- Changing permissions on html directories to minimize cron messages.
* Sat Aug 4 2012 D. Johnson - 2.0.4-1
- updated to 2.0.4
- backported el6 packaging items
* Tue Jul 24 2012 [e-mail address hidden] - 2.0.3-1
- Adjust default conf.d entry.
- updated to 2.0.3
* Fri Jul 20 2012 Fedora Release Engineering - 2.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jul 19 2012 D. Johnson - 2.0.2-2
- fixed conflicts
* Sat Jul 14 2012 D. Johnson - 2.0.2-1
- updated to 2.0.2
* Thu Jun 7 2012 D. Johnson - 2.0.0-1
- initial 2.0 release
* Fri May 18 2012 D. Johnson - 1.4.7-5
- BZ# 822992 Including GCTime.java.patch
- BZ# 747663 Include older cpuspeed.in for older kernels
- BZ# 822894 Requires: perl-Net-CIDR
- BZ# 746083 Append user=munin for munin-node plugins
- BZ# 821912 Move htaccess to httpd/conf.d/munin.conf for easier administration
* Sun May 13 2012 Kevin Fenzi - 1.4.7-4
- Fix ownership on /var/run/munin. Fixes bug #821204
* Tue Apr 24 2012 Kevin Fenzi - 1.4.7-3
- A better fix for 811867 with triggers.
- Fix directory conflict. Fixes bug #816340
- Fix path in java plugin. Fixes bug #816570
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #851375 - -bash: /etc/init.d/munin-asyncd: @@GOODSH@@: bad
interpreter: No such file or directory
https://bugzilla.redhat.com/show_bug.cgi?id=851375
[ 2 ] Bug #849831 - CVE-2012-3512 munin: insecure state file handling,
munin->root privilege [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=849831
[ 3 ] Bug #849834 - CVE-2012-3512 munin: insecure state file handling,
munin->root privilege [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=849834
[ 4 ] Bug #603344 - On install, Fedora selected all Linux swap partitions and
entered them for mounting in fstab
https://bugzilla.redhat.com/show_bug.cgi?id=603344
[ 5 ] Bug #823533 - hddtemp_smartctl plugin has a bug
https://bugzilla.redhat.com/show_bug.cgi?id=823533
[ 6 ] Bug #825820 - Libvirt is missing important hooks
https://bugzilla.redhat.com/show_bug.cgi?id=825820
[ 7 ] Bug #834055 - Munin updates changing permissions, conflicts with what
munin-check does
https://bugzilla.redhat.com/show_bug.cgi?id=834055
[ 8 ] Bug #812893 - munin various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=812893
[ 9 ] Bug #812894 - munin various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=812894
[ 10 ] Bug #839786 - RFE: Update munin to 2.0.x release
https://bugzilla.redhat.com/show_bug.cgi?id=839786
[ 11 ] Bug #840496 - Update to upstream 2.0.2
https://bugzilla.redhat.com/show_bug.cgi?id=840496
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update munin' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce