Bug 1037888 (CVE-2013-6048, CVE-2013-6359)

Summary: CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: drjohnson1, ingvar, jvanek, redhat-bugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: munin 2.0.18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-06 00:40:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1037889, 1037890    
Bug Blocks:    

Description Murray McAllister 2013-12-04 02:09:52 UTC 
Christoph Biedl reported that Munin 2.0.18 fixes two denial of service flaws:

* CVE-2013-6048, a node could cause excessive memory consumption on the Munin master.

* CVE-2013-6359, a malicious plug-in could prevent data collection for the node.

References:

https://github.com/munin-monitoring/munin/blob/2.0.18/ChangeLog
Comment 1 Murray McAllister 2013-12-04 02:12:20 UTC 
Created munin tracking bugs for this issue:

Affects: fedora-all [bug 1037889]
Affects: epel-all [bug 1037890]
Comment 2 d. johnson 2013-12-13 23:36:43 UTC 
Package munin-2.0.19-1:
* should fix your issue,
* was pushed to the Fedora + EPEL testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing munin-2.0.19-1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22968/munin-2.0.19-1.fc20
then log in and leave karma (feedback).

Was also pushed for EL5 / EL6 / F18 / F19 / F20:
https://admin.fedoraproject.org/updates/munin
Comment 3 Fedora Update System 2013-12-16 07:08:19 UTC 
munin-2.0.19-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-12-16 23:01:57 UTC 
munin-2.0.19-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-12-16 23:03:41 UTC 
munin-2.0.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-12-23 21:29:23 UTC 
munin-2.0.19-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-12-23 21:30:02 UTC 
munin-2.0.19-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-07 03:26:24 UTC 
munin-2.0.20-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-04-07 03:26:53 UTC 
munin-2.0.20-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-04-15 23:29:59 UTC 
munin-2.0.20-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2014-04-15 23:30:27 UTC 
munin-2.0.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.