On 08/11/15 18:11, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Sep 06, 2015 at 10:45:29PM +0200, Salvatore Bonaccorso wrote:
>> Source: ganglia-web
>> Version: 3.6.1-1
>> Severity: important
>> Tags: security patch upstream
>>
>> Hi,
>>
>> the following vulnerability was published for ganglia-web.
>>
>> CVE-2015-6816[0]:
>> ganglia-web auth bypass
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2015-6816
>> [1] https://github.com/ganglia/ganglia-web/issues/267
> *ping*?

I did a review of the latest upstream releases (both ganglia-web and the
ganglia agent) and there are some new JavaScript dependencies that need
to be packaged

https://cdnjs.cloudflare.com/ajax/libs/cubism/1.6.0/cubism.v1.min.js
https://cdnjs.cloudflare.com/ajax/libs/protovis/3.3.1/protovis.min.js
https://cdnjs.cloudflare.com/ajax/libs/jstree/3.2.1/jstree.min.js

Given that we have given users of this package a disclaimer[1] about
security support and advised them to protect the web interface with an
ACL or HTTP authentication, how urgent is resolving this bug?

Regards,

Daniel

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702775

