From Mageia wiki
Jump to: navigation, search

MGASA-2012-0358

Date: December 11th, 2012
Affected releases: 2


Description:
Updated munin packages fix security vulnerabilities:

The qmailscan plugin for Munin before 2.0 rc6 allows local users to
overwrite arbitrary files via a symlink attack on temporary files with
predictable names (CVE-2012-2103).

Munin before 2.0.6 stores plugin state files that run as root in the
same group-writable directory as non-root plugins, which allows local
users to execute arbitrary code by replacing a state file, as
demonstrated using the smart_ plugin (CVE-2012-3512).

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module
under Apache, allows remote attackers to load new configurations and
create files in arbitrary directories via the logdir command
(CVE-2012-3513).


Updated Packages:
munin-2.0-0.rc5.2.1.mga2
munin-master-2.0-0.rc5.2.1.mga2
munin-node-2.0-0.rc5.2.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3513
http://www.ubuntu.com/usn/usn-1622-1/
https://bugs.mageia.org/show_bug.cgi?id=7591