Your message dated Mon, 03 Jun 2019 22:18:46 +0000
with message-id <e1hxvhy-000egc...@fasolo.debian.org>
and subject line Bug#927775: fixed in monit 1:5.25.3-1
has caused the Debian Bug report #927775,
regarding monit: CVE-2019-11454 CVE-2019-11455
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
927775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: monit
Version: 1:5.25.2-3
Severity: important
Tags: security upstream
Control: found -1 1:5.20.0-6

Hi,

The following vulnerabilities were published for monit.

CVE-2019-11454[0]:
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
| Monit before 5.25.3 allows a remote unauthenticated attacker to
| introduce arbitrary JavaScript via manipulation of an unsanitized user
| field of the Authorization header for HTTP Basic Authentication, which
| is mishandled during an _viewlog operation.


CVE-2019-11455[1]:
| A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
| before 5.25.3 allows a remote authenticated attacker to retrieve the
| contents of adjacent memory via manipulation of GET or POST
| parameters. The attacker can also cause a denial of service
| (application outage).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11454
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
[1] https://security-tracker.debian.org/tracker/CVE-2019-11455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455

Regards,
Salvatore

--- End Message ---
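As an added illustration of the bug class behind CVE-2019-11455 (this is not Monit's code and not a copy of Util_urlDecode; the function names are mine), a percent-decoder that checks the remaining input length before it reads the two hex digits of an escape. A truncated escape such as a trailing "%" or "%4" is the exact input on which a decoder that reads `src[i+1]` and `src[i+2]` unconditionally walks past the end of the buffer; here it is rejected instead.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Map a hex digit to its value, or -1 if the byte is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode exactly `len` bytes of percent-encoded input from `src` into
 * `out` (capacity `outcap`; NUL-terminated on success).
 * Returns the decoded length, or -1 on a malformed escape or when `out`
 * is too small. Both hex digits of an escape are checked to lie inside
 * [src, src + len) before they are read, so no byte beyond the input
 * is ever touched (hypothetical hardened example, not Monit's code).
 */
long url_decode(const char *src, size_t len, char *out, size_t outcap) {
    size_t i = 0, o = 0;
    while (i < len) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            /* Bounds check first: '%' must be followed by two more bytes. */
            if (len - i < 3) return -1;
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;   /* e.g. "%zz" */
            c = (unsigned char)(hi * 16 + lo);
            i += 3;
        } else {
            if (c == '+') c = ' ';   /* form-encoding convention */
            i += 1;
        }
        if (o + 1 >= outcap) return -1;   /* keep room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Convenience wrapper for NUL-terminated input. */
long url_decode_str(const char *src, char *out, size_t outcap) {
    return url_decode(src, strlen(src), out, outcap);
}
```

A caller that knows only a pointer and not a length cannot make this check, which is why the length is an explicit parameter rather than derived inside the decoder.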
--- Begin Message ---
Source: monit
Source-Version: 1:5.25.3-1

We believe that the bug you reported is fixed in the latest version of
monit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <skirpic...@gmail.com> (supplier of updated monit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jun 2019 00:35:25 +0300
Source: monit
Binary: monit monit-dbgsym
Architecture: source amd64
Version: 1:5.25.3-1
Distribution: unstable
Urgency: medium
Maintainer: Sergey B Kirpichev <skirpic...@gmail.com>
Changed-By: Sergey B Kirpichev <skirpic...@gmail.com>
Description:
 monit      - utility for monitoring and managing daemons or similar programs
Closes: 927775
Changes:
 monit (1:5.25.3-1) unstable; urgency=medium
 .
   * New upstream version 5.25.3.  Closes: #927775 (CVE-2019-11454
     and CVE-2019-11455).
   * Refresh patches

--- End Message ---