Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201710-05 ] Munin: Arbitrary file write
Date: Sun, 08 Oct 2017 13:44:24
Message-Id: 8428791.Hr6DQ8OApn@localhost.localdomain
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201710-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Munin: Arbitrary file write
9 Date: October 08, 2017
10 Bugs: #610602
11 ID: 201710-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in Munin allows local attackers to overwrite any file
19 accessible to the www-data user.
20
21 Background
22 ==========
23
24 Munin is an open source server monitoring tool.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-analyzer/munin < 2.0.33 >= 2.0.33
33
34 Description
35 ===========
36
37 When Munin is compiled with CGI graphics enabled then the files
38 accessible to the www-data user can be overwritten.
39
40 Impact
41 ======
42
43 A local attacker, by setting multiple upper_limit GET parameters, could
44 overwrite files accessible to the www-user.
45
46 Workaround
47 ==========
48
49 There is no known workaround at this time.
50
51 Resolution
52 ==========
53
54 All Munin users should upgrade to the latest version:
55
56 # emerge --sync
57 # emerge --ask --oneshot --verbose ">=net-analyzer/munin-2.0.33"
58
59 References
60 ==========
61
62 [ 1 ] CVE-2017-6188
63 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6188
64
65 Availability
66 ============
67
68 This GLSA and any updates to it are available for viewing at
69 the Gentoo Security Website:
70
71 https://security.gentoo.org/glsa/201710-05
72
73 Concerns?
74 =========
75
76 Security is a primary focus of Gentoo Linux and ensuring the
77 confidentiality and security of our users' machines is of utmost
78 importance to us. Any security concerns should be addressed to
79 security@g.o or alternatively, you may file a bug at
80 https://bugs.gentoo.org.
81
82 License
83 =======
84
85 Copyright 2017 Gentoo Foundation, Inc; referenced text
86 belongs to its owner(s).
87
88 The contents of this document are licensed under the
89 Creative Commons - Attribution / Share Alike license.
90
91 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature