Package: xymon
Version: 4.3.17-6+deb8u1
Severity: important
Tags: patch

Dear Maintainer,

the 4.3.17-6+deb8u1 release of the xymon package, uploaded as a security fix
for (among other things) CVE-2016-2058, presumably backported the fix from an
upstream development branch. The fix introduced a regression that renders parts
of the Xymon interface unusable for us.

Specifically, attempting to select "Edit critical systems" from the
"Administration" menu of the Xymon web interface results in a 500 Internal
Server Error, where one would instead expect Xymon's interface for editing the
list of critical systems.

Inspecting the Apache error logs reveals that the target CGI program (published
at the URI /xymon-seccgi/criticaleditor.sh, ultimate source code in
`web/criticaleditor.c`) enters into an infinite redirect loop, which causes
Apache to abort the request after 10 iterations (Apache's default value).

This issue was apparently fixed in `web/criticaleditor.c` by the upstream
revision r7949:

https://sourceforge.net/p/xymon/code/7949

We kindly ask you to consider amending the Debian stable package with this
upstream fix, as this was not a problem in stable until the security fix was
backported.


Best regards,
Morten Brekkevold

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xymon depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libc-ares2             1.10.0-2
ii  libc6                  2.19-18+deb8u4
ii  libldap-2.4-2          2:2.4.31-2+nmu2-openssl
ii  libpcre3               2:8.35-3.3+deb8u4
ii  libpng12-0             1.2.50-2+deb8u2
ii  librrd4                1.4.8-1.2
ii  libssl1.0.0            1.0.1k-3+deb8u5
ii  perl                   5.20.2-3+deb8u6
ii  xymon-client           4.3.17-6+deb8u1

Versions of packages xymon recommends:
ii  apache2 [httpd-cgi]              2.4.10-10+deb8u5
ii  apache2-mpm-prefork [httpd-cgi]  2.4.10-10+deb8u5

Versions of packages xymon suggests:
ii  rrdtool  1.4.8-1.2

-- Configuration Files:
/etc/hobbit/hobbit-alerts.cfg 91932af181874afd170f50d208590315 [Errno 2] No such file or directory: u'/etc/hobbit/hobbit-alerts.cfg 91932af181874afd170f50d208590315'
/etc/hobbit/hobbit-clients.cfg 504e0005c163ffcd970ca1d585c742eb [Errno 2] No such file or directory: u'/etc/hobbit/hobbit-clients.cfg 504e0005c163ffcd970ca1d585c742eb'
/etc/hobbit/hobbitlaunch.cfg d7c98bc3d6a0e3ffbec8e27e124c9fb7 [Errno 2] No such file or directory: u'/etc/hobbit/hobbitlaunch.cfg d7c98bc3d6a0e3ffbec8e27e124c9fb7'
/etc/xymon/alerts.cfg changed [not included]
/etc/xymon/analysis.cfg changed [not included]
/etc/xymon/tasks.cfg changed [not included]

-- debconf information excluded
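Added illustration, not part of the bug report or of the xymon project: a small Python scanner for the symptom described above, the Apache "exceeded the limit of N internal redirects" error that a CGI redirecting back to itself produces until LimitInternalRecursion (default 10) stops it. The log lines, client addresses and hostnames are constructed samples.

```python
import re
from collections import Counter

# Constructed Apache 2.4 error-log sample (not taken from the bug report). Two requests hit
# the LimitInternalRecursion default of 10 (the "10 iterations" in the report); the middle
# line is an unrelated 403 on the same CGI that must not be counted as a loop.
SAMPLE_LOG = """\
[Thu Apr 14 09:12:01.104512 2016] [core:error] [pid 2134] [client 192.0.2.10:51234] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: https://xymon.example.org/xymon/
[Thu Apr 14 09:12:05.231900 2016] [authz_core:error] [pid 2135] [client 192.0.2.10:51236] AH01630: client denied by server configuration: /usr/lib/xymon/cgi-secure/criticaleditor.sh
[Thu Apr 14 09:13:44.000001 2016] [core:error] [pid 2136] [client 198.51.100.7:40011] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: https://xymon.example.org/xymon/
"""

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N(:tid M)] [client IP:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]+)\] \[pid (?P<pid>[^\]]+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
# Match on the message text, not the AH code, so the limit actually in force is captured
LOOP_RE = re.compile(r"exceeded the limit of (?P<limit>\d+) internal redirects")
REFERER_RE = re.compile(r", referer: (?P<referer>\S+)$")


def find_redirect_loops(log_text):
    """Return one record per request Apache aborted for exceeding LimitInternalRecursion."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        loop = LOOP_RE.search(m.group("msg"))
        if not loop:
            continue
        ref = REFERER_RE.search(m.group("msg"))
        client = m.group("client")
        events.append({
            "timestamp": m.group("ts"),
            # strip the source port; Apache logs "IP:port" for both IPv4 and IPv6 clients
            "client": client.rsplit(":", 1)[0] if client else None,
            "limit": int(loop.group("limit")),
            # the referer is the page the user came from (here the Xymon menu), not the looping
            # CGI; the request URI is only in the access log (status 500) or a LogLevel debug backtrace
            "referer": ref.group("referer") if ref else None,
        })
    return events


def loops_by_referer(events):
    """Count aborted requests per referring page: one referer dominating points at a single
    broken link or CGI (as in the report) rather than a server-wide rewrite misconfiguration."""
    return Counter(e["referer"] or "<no referer>" for e in events)
```

To name the looping CGI itself, match the timestamps and client addresses found here against the 500 responses in the access log, or enable the LogLevel debug backtrace the message itself suggests.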
