I think the whole problem is in the latest CVE-2016-7067.patch, which
features a change like this:
- "%s",
+ "securitytoken=%s&action=%s",
+ token,
The %s comes from a var which already has an "action=" in it.
I tried locally compiling the package with a new patch with only this hunk:
--- monit-5.16.orig/src/control.c
+++ monit-5.16/src/control.c
@@ -449,7 +449,7 @@ boolean_t control_service_daemon(List_T
"Content-Length: %d\r\n"
"%s"
"\r\n"
- "securitytoken=%s&action=%s",
+ "securitytoken=%s&%s",
token,
strlen("securitytoken=") + strlen(token) + 1 +
StringBuffer_length(sb),
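Review bot: The Content-Length expression in the trailing context lines counts strlen("securitytoken=") + strlen(token) + 1 + StringBuffer_length(sb), so the new body format "securitytoken=%s&%s" matches the declared length only if the argument filling the final %s is exactly the contents of sb, and that argument is not visible in this hunk. Please confirm it is the sb string and that sb always carries the "action=" prefix on this path, then add a short comment above the format line saying that sb supplies the "action=..." pair, so the literal prefix is not reintroduced later. The length is also printed with %d while strlen() returns size_t; casting the sum to int would keep the format and argument types consistent.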
And the resulting package seems to work OK for me. I didn't test it
extensively. Also, I'm just playing with the source code; I do not know how
to submit a proper patch.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7067
https://bugs.launchpad.net/bugs/1786910
Title:
Latest patch breaks command line 'restart all'