Your message dated Mon, 17 Jun 2019 08:48:39 +0000
with message-id <[email protected]>
and subject line Bug#927775: fixed in monit 1:5.25.2-3+deb10u1
has caused the Debian Bug report #927775,
regarding monit: CVE-2019-11454 CVE-2019-11455
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
927775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: monit
Version: 1:5.25.2-3
Severity: important
Tags: security upstream
Control: found -1 1:5.20.0-6

Hi,

The following vulnerabilities were published for monit.

CVE-2019-11454[0]:
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
| Monit before 5.25.3 allows a remote unauthenticated attacker to
| introduce arbitrary JavaScript via manipulation of an unsanitized user
| field of the Authorization header for HTTP Basic Authentication, which
| is mishandled during an _viewlog operation.


CVE-2019-11455[1]:
| A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
| before 5.25.3 allows a remote authenticated attacker to retrieve the
| contents of adjacent memory via manipulation of GET or POST
| parameters. The attacker can also cause a denial of service
| (application outage).


If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11454
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
[1] https://security-tracker.debian.org/tracker/CVE-2019-11455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455

Regards,
Salvatore

--- End Message ---
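The report above names a buffer over-read in Monit's Util_urlDecode but does not say how it is reached; a typical way a percent-decoder reads past its input is consuming the two hex digits after "%" without first checking they exist. The following C decoder, an added example that is not Monit's code, bounds every read against the caller-supplied input length and rejects truncated or malformed escapes instead of reading on. The function name url_decode_safe and the sample query value are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..srclen) into dst (capacity dstlen, NUL-terminated).
 * Returns the decoded length, or -1 when the input ends inside an escape
 * ("%", "%4"), an escape is not hex ("%zz"), the escape decodes to a NUL byte
 * (which would silently truncate a C string), or the output does not fit.
 * Every read of src is guarded by srclen, so no byte beyond the buffer is
 * touched regardless of where the input is cut off. (Illustrative; not
 * Monit's Util_urlDecode.) */
int url_decode_safe(const char *src, size_t srclen, char *dst, size_t dstlen) {
    size_t i = 0, o = 0;
    if (dstlen == 0) return -1;
    while (i < srclen) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            /* Two more bytes must lie inside the input before we read them. */
            if (srclen - i < 3) return -1;
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            if (c == 0) return -1;
            i += 3;
        } else {
            if (c == '+') c = ' ';   /* form-encoding of a space */
            i++;
        }
        if (o + 1 >= dstlen) return -1;   /* keep room for the NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed sample parameter value, cut off inside its last escape. */
    const char *sample = "file=%2Fvar%2Flog%2Fmonit.log%";
    char out[64];
    int n = url_decode_safe(sample, strlen(sample), out, sizeof out);
    printf("%s -> %d\n", sample, n);   /* -1: truncated escape rejected */
    return 0;
}
```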
--- Begin Message ---
Source: monit
Source-Version: 1:5.25.2-3+deb10u1

We believe that the bug you reported is fixed in the latest version of
monit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <[email protected]> (supplier of updated monit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 17 Jun 2019 10:57:40 +0300
Source: monit
Binary: monit monit-dbgsym
Architecture: source amd64
Version: 1:5.25.2-3+deb10u1
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: Sergey B Kirpichev <[email protected]>
Changed-By: Sergey B Kirpichev <[email protected]>
Description:
 monit      - utility for monitoring and managing daemons or similar programs
Closes: 927775
Changes:
 monit (1:5.25.2-3+deb10u1) testing-proposed-updates; urgency=medium
 .
   * Backport upstream fixes (Closes: #927775):
     + CVE-2019-11454 Persistent cross-site scripting (XSS) in http/cervlet.c
     + CVE-2019-11455 A buffer over-read in Util_urlDecode in util.c


--- End Message ---