Bug#682869: munin: insecure/misleading apache configuration (authentication bypass)

2012-07-26 Thread Helmut Grohne
Package: munin
Version: 2.0.2-1
Severity: grave
Tags: security
Justification: user security hole

The default apache configuration shipped and automatically enabled by munin is insecure, because it includes an authentication bypass. The config intends to restrict access to the graphs to localhost:

Bug#682869: [Packaging] Bug#682869: munin: insecure/misleading apache configuration (authentication bypass)

2012-07-26 Thread Holger Levsen
Hi Helmut,

On Thursday, 26 July 2012, Helmut Grohne wrote:
> Justification: user security hole

thanks a lot for your ongoing work on Debian security! Much appreciated! :-)

About the issue at hand, I'll see what I can do...

more notes from IRC:

h01ger helmut, any idea how to fix?
helmut

Bug#682869: [Packaging] Bug#682869: munin: insecure/misleading apache configuration (authentication bypass)

2012-07-26 Thread Holger Levsen
found 682869 2.0.1-1
found 682869 1.4.5-3
# helmut h01ger: for the same reason that removing the config does not solve
# the issue, the issue is present in squeeze
# helmut h01ger: i.e. it ships a cgi-graph = bypass possible
thanks

Processed: Re: [Packaging] Bug#682869: munin: insecure/misleading apache configuration (authentication bypass)

2012-07-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

found 682869 2.0.1-1
Bug #682869 [munin] munin: insecure/misleading apache configuration (authentication bypass)
Marked as found in versions munin/2.0.1-1.
found 682869 1.4.5-3
Bug #682869 [munin] munin: insecure/misleading apache configuration