Ubuntu

“munin” 2.0.2-1ubuntu2.2 source package in The Quantal Quetzal

Publishing history

2.0.2-1ubuntu2.2
SUPERSEDED: Quantal pocket Updates in component main and section net
2.0.2-1ubuntu2.2
SUPERSEDED: Quantal pocket Security in component main and section net
2.0.2-1ubuntu2.2
DELETED: Quantal pocket Proposed in component main and section net

Changelog

munin (2.0.2-1ubuntu2.2) quantal-security; urgency=low

  * SECURITY UPDATE: privilege escalation via root running plugins
    - debian/patches/CVE-2012-3512.patch: run each plugin in their own
      state directory in Makefile, Makefile.config,
      node/lib/Munin/Node/{OS,Service}.pm, plugins/lib/Munin/Plugin.pm,
      plugins/node.d/*.in,plugins/node.d.linux/*.in.
    - CVE-2012-3512
  * SECURITY UPDATE: remote code exection via bad arguments
    - debian/patches/CVE-2012-3513.patch: use MUNIN_CONFIG env variable
      instead of @ARGV to specify alternate config file in
      master/_bin/munin-cgi-graph.in, master/_bin/munin-cgi-html.in.
    - debian/patches/CVE-2012-3512-regression.patch: Don't rely on
      MUNIN_PLUGSTATE being in the environment as these scripts also get
      run by a cron job in plugins/node.d.linux/apt_all.in,
      plugins/node.d.linux/apt.in.
    - CVE-2012-3513
  * debian/rules: actually apply quilt patches.
  * debian/Makefile.config: added new plugin state directory location.
  * debian/munin-node.{postinst,postrm}: Switch to new plugin state
    directory.
 -- Marc Deslauriers <email address hidden>   Wed, 17 Oct 2012 08:16:34 -0400