[DLA 20-1] munin security update

2014-08-0714:50:43

lists.debian.org

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.007 Low

EPSS

Percentile

80.1%

JSON

Package : munin
Version : 1.4.5-3+deb6u1
CVE ID : CVE-2012-3512 CVE-2013-6048 CVE-2013-6359

[ Christoph Biedl ]

munin-node: more secure state file handling, introducing a new plugin
state directory root, owned by uid 0. Then each plugin runs in its own
UID plugin state directory, owned by that UID. (Closes: #684075),
(Closes: #679897), closes CVE-2012-3512.
plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written
plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now -
please report plugins that are still using /var/lib/munin/plugin-state/ -
as those might pose a security risk!
Validate multigraph plugin name, CVE-2013-6048.
Don't abort data collection for a node due to malicious node, fixing
munin#1397, CVE-2013-6359.

OSVersionArchitecturePackageVersionFilename
Debian6allmunin-common< 1.4.5-3+deb6u1munin-common_1.4.5-3+deb6u1_all.deb
Debian6allmunin-java-plugins< 1.4.5-3+deb6u1munin-java-plugins_1.4.5-3+deb6u1_all.deb
Debian6allmunin< 1.4.5-3+deb6u1munin_1.4.5-3+deb6u1_all.deb
Debian6allmunin-node< 1.4.5-3+deb6u1munin-node_1.4.5-3+deb6u1_all.deb
Debian6allmunin-plugins-extra< 1.4.5-3+deb6u1munin-plugins-extra_1.4.5-3+deb6u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	munin-common	< 1.4.5-3+deb6u1	munin-common_1.4.5-3+deb6u1_all.deb
Debian	6	all	munin-java-plugins	< 1.4.5-3+deb6u1	munin-java-plugins_1.4.5-3+deb6u1_all.deb
Debian	6	all	munin	< 1.4.5-3+deb6u1	munin_1.4.5-3+deb6u1_all.deb
Debian	6	all	munin-node	< 1.4.5-3+deb6u1	munin-node_1.4.5-3+deb6u1_all.deb
Debian	6	all	munin-plugins-extra	< 1.4.5-3+deb6u1	munin-plugins-extra_1.4.5-3+deb6u1_all.deb