Package: munin
Version: 2.0.2-1
Severity: grave
Tags: security
Justification: user security hole
The default apache configuration shipped and automatically enabled by
munin is insecure, because it includes an authentication bypass. The
config intends to restrict access to the graphs to localhost:
Hi Helmut,
On Thursday, 26 July 2012, Helmut Grohne wrote:
> Justification: user security hole
thanks a lot for your ongoing work on Debian security! Much appreciated! :-)
About the issue at hand, I'll see what I can do...
more notes from IRC:
h01ger helmut, any idea how to fix?
helmut
found 682869 2.0.1-1
found 682869 1.4.5-3
# helmut h01ger: for the same reason that removing the config does not solve
# the issue, the issue is present in squeeze
# helmut h01ger: i.e. it ships a cgi-graph = bypass possible
thanks
Processing commands for cont...@bugs.debian.org:
found 682869 2.0.1-1
Bug #682869 [munin] munin: insecure/misleading apache configuration
(authentication bypass)
Marked as found in versions munin/2.0.1-1.
found 682869 1.4.5-3
Bug #682869 [munin] munin: insecure/misleading apache configuration