pool/munin
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 460029 from home:wrosenauer:devel

Browse Source 
- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
  (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)

- update to version 2.0.30
  Bugfix releases (closes the following issues since 2.0.25)
  2.0.26: Closes: D:761190, GH:426
  2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
  2.0.29: Closes: D:847649, D:849383
  2.0.30: Closes: GH:745, GH:771, GH:783

OBS-URL: https://build.opensuse.org/request/show/460029
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/munin?expand=0&rev=29
This commit is contained in:
Aeneas Jaißle 2017-03-02 13:20:39 +00:00 committed by Git OBS Bridge
parent 4c4a818972
commit 40db143d15
5 changed files with 53 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
CVE-2017-6188-fix-parameter-injection.patch Normal file
View File

@ -0,0 +1,29 @@
From: Tomaž Šolc <tomaz.solc@tablix.org>
Date: Tue, 21 Feb 2017 14:42:26 +0100
Subject: CVE-2017-6188: munin-cgi-graph local file write vulnerability
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
boo#1026539
Upstream: https://github.com/munin-monitoring/munin/issues/721
Index: munin-2.0.25/master/_bin/munin-cgi-graph.in
===================================================================
--- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in
+++ munin-2.0.25/master/_bin/munin-cgi-graph.in
@@ -447,13 +447,13 @@ sub draw_graph {
'--output-file', $filename );
# Sets the correct size on a by_graph basis
- push @params, "--size_x", CGI::param("size_x")
+ push @params, "--size_x", scalar CGI::param("size_x")
if (defined(CGI::param("size_x")));
- push @params, "--size_y", CGI::param("size_y")
+ push @params, "--size_y", scalar CGI::param("size_y")
if (defined(CGI::param("size_y")));
- push @params, "--upper_limit", CGI::param("upper_limit")
+ push @params, "--upper_limit", scalar CGI::param("upper_limit")
if (CGI::param("upper_limit"));
- push @params, "--lower_limit", CGI::param("lower_limit")
+ push @params, "--lower_limit", scalar CGI::param("lower_limit")
if (CGI::param("lower_limit"));
# Sometimes we want to set the IMG size, and not the canvas.

3
munin-2.0.25.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6832bc5839d03639e4309178d9370697fc8a80a83d9b6653953f40161e949694
size 1337586

3
munin-2.0.30.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c6be23035c31ab6b7910ae1080159ae8263759f783a1b10002f44456c4aace61
size 1342168

16
munin.changes
View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Thu Feb 23 12:33:21 UTC 2017 - wr@rosenauer.org
- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
(boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)
-------------------------------------------------------------------
Sun Feb 19 16:08:24 UTC 2017 - wr@rosenauer.org
- update to version 2.0.30
Bugfix releases (closes the following issues since 2.0.25)
2.0.26: Closes: D:761190, GH:426
2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
2.0.29: Closes: D:847649, D:849383
2.0.30: Closes: GH:745, GH:771, GH:783
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 17 13:04:06 UTC 2017 - bwiedemann@suse.com Tue Jan 17 13:04:06 UTC 2017 - bwiedemann@suse.com

8
munin.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package munin # spec file for package munin
# #
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -24,7 +24,7 @@
%define active_by_default 0 %define active_by_default 0
Name: munin Name: munin
Version: 2.0.25 Version: 2.0.30
Release: 0 Release: 0
Summary: Network-wide graphing framework (grapher/gatherer) Summary: Network-wide graphing framework (grapher/gatherer)
License: GPL-2.0 License: GPL-2.0
@ -48,6 +48,7 @@ Source13: gsa-munin.zip
# https://svn.koumbit.net/koumbit/trunk/munin-plugins/quota-usage # https://svn.koumbit.net/koumbit/trunk/munin-plugins/quota-usage
Patch: munin-plugin-quota_usage_warnings.patch Patch: munin-plugin-quota_usage_warnings.patch
Patch2: mysql55.patch Patch2: mysql55.patch
Patch3: CVE-2017-6188-fix-parameter-injection.patch
BuildRequires: html2text BuildRequires: html2text
BuildRequires: perl-HTML-Template BuildRequires: perl-HTML-Template
BuildRequires: perl-Log-Log4perl BuildRequires: perl-Log-Log4perl
@ -100,10 +101,10 @@ RRDtool.
%package node %package node
Summary: Network-wide graphing framework (node) Summary: Network-wide graphing framework (node)
Group: System/Monitoring
# some scripts need logtail which is part of package logdigest in openSUSE # some scripts need logtail which is part of package logdigest in openSUSE
# problem with logdigest is that it installs a cronjob for itself which # problem with logdigest is that it installs a cronjob for itself which
# might be unwanted # might be unwanted
Group: System/Monitoring
Recommends: logdigest Recommends: logdigest
Requires: perl-HTML-Template Requires: perl-HTML-Template
Requires: perl-Log-Log4perl Requires: perl-Log-Log4perl
@ -153,6 +154,7 @@ unzip %{SOURCE12}
unzip %{SOURCE13} unzip %{SOURCE13}
%patch %patch
%patch2 -p1 %patch2 -p1
%patch3 -p1
%build %build
%__make HOSTNAME=yourhostname %__make HOSTNAME=yourhostname