
Accepted xymon 4.3.0~beta2.dfsg-9.1+deb7u1 (source amd64) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 May 2016 18:11:39 +0200
Source: xymon
Binary: xymon xymon-client
Architecture: source amd64
Version: 4.3.0~beta2.dfsg-9.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description: 
 xymon      - monitoring system for systems, networks and applications
 xymon-client - client for the Xymon network monitor
Changes: 
 xymon (4.3.0~beta2.dfsg-9.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-2054:
     Markus Krell discovered multiple buffer overflows in hobbitd/hobbitd.c in
     xymond/hobbitd before 4.3.25 that allow remote attackers to execute
     arbitrary code or cause a denial of service (daemon crash) via a long
     filename, involving handling a "config" command.
   * Fix CVE-2016-2055: Access to possibly confidential files in the Xymon
     configuration directory.
     hobbitd/hobbitd.c in xymond/hobbitd before 4.3.25 allows remote attackers
     to read arbitrary files in the configuration directory via a "config"
     command.
   * Fix CVE-2016-2056:
     hobbitd in Xymon before 4.3.25 allows remote authenticated users to execute
     arbitrary commands via shell metacharacters in the adduser_name argument in
     (1) web/useradm.c or (2) web/chpasswd.c.
   * Fix CVE-2016-2058:
     Multiple cross-site scripting (XSS) vulnerabilities in Xymon before 4.3.25 allow
     (1) remote Xymon clients to inject arbitrary web script or HTML via a
     status-message, which is not properly handled in the "detailed status"
     page, or (2) remote authenticated users to inject arbitrary web script or
     HTML via an acknowledgement message, which is not properly handled in the
     "status" page.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----