Hi

I think this type of vulnerability can fall in the category of "minor
issue" as it actually needs an administrator to visit a forged link. Also it
should be fairly obvious that the state has changed when the link is
clicked by the administrator and it should be easy to change it back.

This is my thinking. Others may have another opinion.

Best regards

// Ola

On 21 November 2016 at 07:57, Brian May <[email protected]> wrote:

> Just having a preliminary look at monit. By the looks of it, the
> security issue appears to be that it doesn't support CSRF.
>
> However, by the looks of it the patch (which adds CSRF support) is
> fairly extensive and every single hunk fails to apply cleanly:
>
> https://bitbucket.org/tildeslash/monit/commits/c6ec3820e627f85417053e6336de2987f2d863e3?at=master
>
> As I result I imagine this would require recreating much of the patch
> for wheezy-security.
>
> While I agree this is a security issue, the fix is adding a fairly
> significant new feature. Is this appropriate for wheezy-security?
>
>
> [1]
>
> ⌁ [brian:~/tree/debian/debian-lts/wheezy/monit/monit-5.4] % patch -p1
> --dry-run < raw.patch
> checking file CHANGES
> Hunk #1 FAILED at 22.
> 1 out of 1 hunk FAILED
> checking file src/http/cervlet.c
> Hunk #1 FAILED at 99.
> Hunk #2 FAILED at 133.
> Hunk #3 FAILED at 420.
> Hunk #4 FAILED at 431.
> Hunk #5 FAILED at 447.
> Hunk #6 FAILED at 461.
> Hunk #7 FAILED at 812.
> Hunk #8 FAILED at 868.
> Hunk #9 FAILED at 900.
> Hunk #10 FAILED at 943.
> Hunk #11 FAILED at 960.
> Hunk #12 FAILED at 1665.
> 12 out of 12 hunks FAILED
> can't find file to patch at input line 293
> Perhaps you used the wrong -p or --strip option?
> The text leading up to this was:
> --------------------------
> |diff --git a/src/http/client.c b/src/http/client.c
> |index d0f7a02..b4bb929 100644
> |--- a/src/http/client.c
> |+++ b/src/http/client.c
> --------------------------
> File to patch:
> Skip this patch? [y]
> Skipping patch.
> 1 out of 1 hunk ignored
> checking file src/http/processor.c
> Hunk #1 FAILED at 241.
> Hunk #2 FAILED at 249.
> Hunk #3 FAILED at 285.
> Hunk #4 FAILED at 442.
> Hunk #5 FAILED at 574.
> Hunk #6 FAILED at 727.
> 6 out of 6 hunks FAILED
> checking file src/http/processor.h
> Hunk #1 FAILED at 89.
> Hunk #2 FAILED at 102.
> 2 out of 2 hunks FAILED
> checking file src/util.c
> Hunk #1 FAILED at 1385.
> 1 out of 1 hunk FAILED
> checking file src/util.h
>
> --
> Brian May <[email protected]>
> https://linuxpenguins.xyz/brian/
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                    Folkebogatan 26            \
|  [email protected]                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
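The CSRF protection the thread says the monit patch adds, shown as an added example in C that is not monit's code and not the linked commit: a synchronizer-token check that a web interface like monit's has to run before acting on a state-changing request. The parameter name csrf_token, the session struct and the request shape are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>
#define TOKEN_LEN 32

/* Per-session state. The token is generated randomly when the session is
 * created and embedded in every form the UI renders; here it is a constructed
 * fixed value so the example runs offline. */
struct session {
    char csrf_token[TOKEN_LEN + 1];
};

/* Constant-time comparison: a plain strcmp would leak how many leading
 * bytes matched through timing. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Copy the value of parameter `name` from a urlencoded body into out.
 * Returns the value length, or -1 if the parameter is absent or too long. */
static int get_param(const char *body, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            if (vlen >= outsz) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

/* Decide whether a state-changing request may proceed. A forged cross-site
 * request arrives with the victim's session cookie but cannot read the
 * per-session token, so anything without an exact match is refused, and a
 * GET (the forged-link case discussed above) is never allowed to change state. */
int csrf_check(const struct session *s, const char *method, const char *body) {
    char tok[TOKEN_LEN + 1];
    if (strcmp(method, "POST") != 0) return 0;
    if (!body || get_param(body, "csrf_token", tok, sizeof tok) != TOKEN_LEN) return 0;
    return ct_equal(tok, s->csrf_token, TOKEN_LEN);
}
```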
