Your message dated Wed, 20 Sep 2017 07:00:14 +0000
with message-id <e1duyzw-0003re...@fasolo.debian.org>
and subject line Bug#865497: fixed in check-mk 1.4.0p9-1
has caused the Debian Bug report #865497,
regarding check-mk: CVE-2017-9781: reflected XSS in webapi.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
865497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865497
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore

--- End Message ---
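The bug class described in the CVE text above, as an added example that is not part of the original report and is not Check_MK code: a request value echoed into a text/html error response without encoding, next to two corrected variants and a regression check. Only the parameter name _username comes from the CVE text; the handler names, the error wording and the probe string are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed, harmless markup used as a canary for the regression check.
PROBE = "<b>probe</b>"


def _username(query_string):
    """Extract the _username parameter (name taken from the CVE text)."""
    return parse_qs(query_string).get("_username", [""])[0]


def login_error_unencoded(query_string):
    """Hypothetical handler showing the flawed pattern: raw value in text/html."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, "Invalid credentials for user %s" % _username(query_string)


def login_error_encoded(query_string):
    """Corrected variant 1: keep text/html but HTML-encode the reflected value."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    safe = html.escape(_username(query_string), quote=True)
    return headers, "Invalid credentials for user %s" % safe


def login_error_plain(query_string):
    """Corrected variant 2: an API error needs no HTML; serve it as plain text
    and tell the browser not to sniff a different type."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, "Invalid credentials for user %s" % _username(query_string)


def reflects_markup(handler):
    """Regression check: True if the handler returns the probe as live HTML."""
    headers, body = handler(urlencode({"_username": PROBE}))
    is_html = headers["Content-Type"].startswith("text/html")
    return is_html and PROBE in body


if __name__ == "__main__":
    for h in (login_error_unencoded, login_error_encoded, login_error_plain):
        print(h.__name__, "reflects markup:", reflects_markup(h))
```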
--- Begin Message ---
Source: check-mk
Source-Version: 1.4.0p9-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart <tagg...@debian.org> (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jun 2017 15:44:37 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc check-mk-common check-mk-monitoring-plugins
Architecture: source all amd64
Version: 1.4.0p9-1
Distribution: experimental
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-de...@lists.alioth.debian.org>
Changed-By: Matt Taggart <tagg...@debian.org>
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-common - general purpose monitoring plugin for retrieving data (common lib
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-monitoring-plugins - general purpose monitoring plugin for retrieving data (monitoring
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.4.0p9-1) experimental; urgency=high
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
   * move to the way upstream now does defaults
   * add new librrd-dev, libboost-dev, libboost-system-dev, g++-6 build-deps
   * new -common package for private python libs

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
