Hi,
On 18/10/2021 21:55, Axel Beckert wrote:
> Hi again,
> Christoph Zechner wrote:
> > Severity: critical
> This is clearly not "critical". Myon already fixed that.
Apologies for that, I was not sure how to classify it, but since it was
a security-related issue, I thought it was appropriate.
Hi again,
Christoph Zechner wrote:
> Severity: critical
This is clearly not "critical". Myon already fixed that.
> Justification: root security hole
It is also no root security hole. It gives you access to the xymon
user only. (If the admin configured the xymon user to be able to use
sudo, that
Re: Axel Beckert
> > LOGFETCHOPTS="--noexec"
> >
> > instead.
>
> Hrm. The Debian package for sure will switch that option if upstream
> does.
>
> I'm though currently a bit reluctant to apply this patch and deviate
> from upstream's defaults (even more) since the default settings with
> IP addr
Control: retitle -1 xymon-client: Disable by default the ability of logfetch to
execute arbitrary code fetched from the Xymon server
Control: forwarded -1 https://lists.xymon.com/archive/2021-October/047749.html
Control: tag -1 + upstream confirmed
Hi,
Christoph Zechner wrote:
> Package: xymon-c
Package: xymon-client
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: zech...@vrvis.at, Debian Security Team
The default for logfetch's options (found in /etc/xymon/xymonclient.cfg) is:
LOGFETCHOPTS=""
which enables it to execute arbitrary code [1]. Th