Bug 1037888 (CVE-2013-6048, CVE-2013-6359)

Summary: CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: drjohnson1, ingvar, jvanek, stsimb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20131026,reported=20131127,source=distros,cvss2=3.3/AV:A/AC:L/Au:N/C:N/I:N/A:P,fedora-all/munin=affected,epel-all/munin=affected
Fixed In Version: munin 2.0.18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-05 19:40:47 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1037889, 1037890    
Bug Blocks:    

Description Murray McAllister 2013-12-03 21:09:52 EST
Christoph Biedl reported that Munin 2.0.18 fixes two denial of service flaws:

* CVE-2013-6048, a node could cause excessive memory consumption on the Munin master.

* CVE-2013-6359, a malicious plug-in could prevent data collection for the node.

References:

https://github.com/munin-monitoring/munin/blob/2.0.18/ChangeLog
Comment 1 Murray McAllister 2013-12-03 21:12:20 EST
Created munin tracking bugs for this issue:

Affects: fedora-all [bug 1037889]
Affects: epel-all [bug 1037890]
Comment 2 d. johnson 2013-12-13 18:36:43 EST
Package munin-2.0.19-1:
* should fix your issue,
* was pushed to the Fedora + EPEL testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing munin-2.0.19-1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22968/munin-2.0.19-1.fc20
then log in and leave karma (feedback).

Was also pushed for EL5 / EL6 / F18 / F19 / F20:
https://admin.fedoraproject.org/updates/munin
Comment 3 Fedora Update System 2013-12-16 02:08:19 EST
munin-2.0.19-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-12-16 18:01:57 EST
munin-2.0.19-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-12-16 18:03:41 EST
munin-2.0.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-12-23 16:29:23 EST
munin-2.0.19-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-12-23 16:30:02 EST
munin-2.0.19-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-06 23:26:24 EDT
munin-2.0.20-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-04-06 23:26:53 EDT
munin-2.0.20-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-04-15 19:29:59 EDT
munin-2.0.20-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2014-04-15 19:30:27 EDT
munin-2.0.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.