MGASA-2012-0358
| Date: | December 11th, 2012 |
| Affected releases: | 2 |
Description:
Updated munin packages fix security vulnerabilities:
The qmailscan plugin for Munin before 2.0 rc6 allows local users to
overwrite arbitrary files via a symlink attack on temporary files with
predictable names (CVE-2012-2103).
Munin before 2.0.6 stores plugin state files that run as root in the
same group-writable directory as non-root plugins, which allows local
users to execute arbitrary code by replacing a state file, as
demonstrated using the smart_ plugin (CVE-2012-3512).
munin-cgi-graph in Munin before 2.0.6, when running as a CGI module
under Apache, allows remote attackers to load new configurations and
create files in arbitrary directories via the logdir command
(CVE-2012-3513).
Updated Packages:
munin-2.0-0.rc5.2.1.mga2
munin-master-2.0-0.rc5.2.1.mga2
munin-node-2.0-0.rc5.2.1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513
http://www.ubuntu.com/usn/usn-1622-1/
https://bugs.mageia.org/show_bug.cgi?id=7591
