Package: monit
Version: 1:5.20.0-6
Severity: normal
Tags: upstream fixed-upstream
Forwarded: https://bitbucket.org/tildeslash/monit/issues/495/invalid-csrf-check

Hi,

monit upstream fixed a bug with invalid CSRF checking in cookies
(https://bitbucket.org/tildeslash/monit/issues/495/invalid-csrf-check).

One effect of that bug is that when administering multiple servers using
monit's web interface, it is necessary to clear existing cookies before
one can log into another server (especially when there is a mixture of
jessie, stretch and buster machines involved).

Another is that other services on the same host can set cookies which
are presented before the monit cookie, and so a similar problem is caused.

Please consider backporting this fix to stretch in the next oldstable
point release. I haven't investigated whether it is the sole change in
5.21 or whether it would have to be cherry-picked.

Thanks,

-- 
Jonathan Wiltshire

Red Hat Certified Engineer (#170-281-083)

Tiger Computing Ltd
ISO27001:2017 Certified

Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR
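The failure mode the report describes, a CSRF token that is found only when the monit cookie happens to be first in the Cookie header, can be shown with a small illustration. This is an added example, not monit's code and not the upstream fix; the report does not say how monit parses cookies, so the "first cookie only" lookup below is an assumed stand-in for the class of bug, and the cookie name `securitytoken` is a hypothetical name chosen for the example. It contrasts an order-dependent lookup with one that parses every name=value pair and compares the token in constant time.

```python
"""Cookie-order sensitivity of a CSRF cookie check (added illustration, not monit's code)."""
import hmac

# Hypothetical cookie name for the example; not taken from monit.
COOKIE_NAME = "securitytoken"


def first_cookie_token(cookie_header: str, name: str = COOKIE_NAME):
    """Fragile lookup (assumed stand-in for the bug class): only the first
    name=value pair is inspected, so any other cookie sent ahead of ours
    makes the token appear to be missing."""
    first, _, _ = cookie_header.partition(";")
    key, _, value = first.strip().partition("=")
    return value.strip() if key.strip() == name else None


def parse_cookies(cookie_header: str) -> dict:
    """Split the header on ';' and collect every name=value pair, ignoring
    malformed entries. The first occurrence of a name wins, which is the
    user-agent ordering convention (more specific path first)."""
    cookies = {}
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip():
            cookies.setdefault(key.strip(), value.strip())
    return cookies


def cookie_token(cookie_header: str, name: str = COOKIE_NAME):
    """Order-independent lookup of the CSRF cookie."""
    return parse_cookies(cookie_header).get(name)


def csrf_ok(cookie_header: str, form_token, lookup) -> bool:
    """Double-submit check: the token carried in the form/URL must equal the
    one in the cookie. Missing values fail closed; the comparison is
    constant-time so a mismatch does not leak where the token differs."""
    expected = lookup(cookie_header)
    if expected is None or form_token is None:
        return False
    return hmac.compare_digest(expected, form_token)


# Constructed sample headers (not captured traffic).
ONLY_MONIT = "securitytoken=abc123"
OTHER_FIRST = "PHPSESSID=deadbeef; theme=dark; securitytoken=abc123"


if __name__ == "__main__":
    # With another service's cookie first, the fragile lookup rejects a
    # valid request while the full parser accepts it.
    print("fragile, monit cookie first:", csrf_ok(ONLY_MONIT, "abc123", first_cookie_token))
    print("fragile, other cookie first:", csrf_ok(OTHER_FIRST, "abc123", first_cookie_token))
    print("parsed,  other cookie first:", csrf_ok(OTHER_FIRST, "abc123", cookie_token))
```

Running it reproduces the symptom from the report: the same valid token is accepted or rejected depending only on which cookie the browser happens to send first, which is why clearing cookies "fixes" the login.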
