Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-25 Thread Hugo Lefeuvre
Hi,

> > Anyways, 4.3.29 introduced quite a few regressions[0], we should probably wait
> > for 4.3.30.
> 
> I would neither upload 4.3.29 nor 4.3.30 to Jessie but only the
> minimal patch plus the hostname regex regression patch as I do for
> Stretch and Buster.

Thanks! I have backported your stretch update, currently testing it.

> Also someone needs first to verify that the Xymon upstream version in
> Jessie (IIRC 4.3.17) is actually vulnerable. Upstream didn't specify
> if any version before 4.3.28 is affected, too.

I did not reproduce the issue, but the vulnerable code is present.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-23 Thread Axel Beckert
Hi,

Hugo Lefeuvre wrote:
> Anyways, 4.3.29 introduced quite a few regressions[0], we should probably wait
> for 4.3.30.

I would neither upload 4.3.29 nor 4.3.30 to Jessie but only the
minimal patch plus the hostname regex regression patch as I do for
Stretch and Buster.

Also someone needs first to verify that the Xymon upstream version in
Jessie (IIRC 4.3.17) is actually vulnerable. Upstream didn't specify
if any version before 4.3.28 is affected, too.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-23 Thread Hugo Lefeuvre
Hi,

> > These are scheduled via the next 9.10 and 10.1 point releases, but it seems
> > we missed to mark it as no-dsa yet, I'll fix that in a bit.
> 
> There doesn't appear to be a request for either a buster or stretch update
> yet, for the record.

Anyways, 4.3.29 introduced quite a few regressions[0], we should probably wait
for 4.3.30.

regards,
Hugo

[0] https://lists.xymon.com/archive/2019-August/046643.html

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-20 Thread Adam D. Barratt

On 2019-08-19 20:54, Moritz Mühlenhoff wrote:
> On Mon, Aug 19, 2019 at 02:27:09PM +0200, Hugo Lefeuvre wrote:
> > Hi,
> > 
> > I just had a look at xymon's vulnerabilities in jessie, stretch and buster.
> > 
> > Upstream claims some of these issues to be exploitable, among others the XSS
> > vulnerability. I plan to address at least this one in jessie.
> > 
> > I see that Moritz and Axel already discussed this on upstream's mailing list,
> > however the tracker has not been updated yet. Is anybody working on it? If not,
> > I can take some time to do it.
> 
> These are scheduled via the next 9.10 and 10.1 point releases, but it seems
> we missed to mark it as no-dsa yet, I'll fix that in a bit.

There doesn't appear to be a request for either a buster or stretch
update yet, for the record.

Regards,

Adam



Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-20 Thread Hugo Lefeuvre
Hi Moritz,

> > I see that Moritz and Axel already discussed this on upstream's mailing list,
> > however the tracker has not been updated yet. Is anybody working on it? If not,
> > I can take some time to do it.
> 
> These are scheduled via the next 9.10 and 10.1 point releases, but it seems
> we missed to mark it as no-dsa yet, I'll fix that in a bit.

Are you going to do a bump to 4.3.29 or cherry-pick patches?

Unless maintainers strongly advise for it I will not bump jessie to 4.3.29, the
diff is > 15K lines and I am not confident enough with the codebase to do that.

Thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-19 Thread Moritz Mühlenhoff
On Mon, Aug 19, 2019 at 02:27:09PM +0200, Hugo Lefeuvre wrote:
> Hi,
> 
> I just had a look at xymon's vulnerabilities in jessie, stretch and buster.
> 
> Upstream claims some of these issues to be exploitable, among others the XSS
> vulnerability. I plan to address at least this one in jessie.
> 
> I see that Moritz and Axel already discussed this on upstream's mailing list,
> however the tracker has not been updated yet. Is anybody working on it? If not,
> I can take some time to do it.

These are scheduled via the next 9.10 and 10.1 point releases, but it seems
we missed to mark it as no-dsa yet, I'll fix that in a bit.

Cheers,
Moritz



xymon vulnerabilities in jessie, stretch and buster

2019-08-19 Thread Hugo Lefeuvre
Hi,

I just had a look at xymon's vulnerabilities in jessie, stretch and buster.

Upstream claims some of these issues to be exploitable, among others the XSS
vulnerability. I plan to address at least this one in jessie.

I see that Moritz and Axel already discussed this on upstream's mailing list,
however the tracker has not been updated yet. Is anybody working on it? If not,
I can take some time to do it.

Buster and stretch are not far from 4.3.29, so, in case the security team wants
to address these issues, a version bump could maybe be considered? For jessie,
it could be worth inspecting the diff, but there were quite a few releases
between 4.3.17 and 4.3.29... I'm considering cherry-picking the relevant changes for
the most important issues.

Christoph and Axel, do you have comments/suggestions regarding this?

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

