Bug 1132337 (CVE-2014-5338, CVE-2014-5339, CVE-2014-5340)
Summary: | CVE-2014-5338 CVE-2014-5339 CVE-2014-5340 check-mk: multiple flaws fixed in versions 1.2.4p4 and 1.2.5i4 | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | aavati, andrea.veri, carnil, gmollett, nlevinki, rfortier, rhs-bugs, sisharma, smohan, ssaha, vbellur |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | check_mk 1.2.4p4, check_mk 1.2.5i4 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-07-29 06:08:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1132339, 1132341 | | |
Bug Blocks: | 1132344 | | |
Description
Murray McAllister
2014-08-21 07:52:06 UTC
Created check-mk tracking bugs for this issue:

Affects: fedora-all [bug 1132339]
Affects: epel-all [bug 1132341]

> CVE-2014-5340
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=192d41525502dc8de10ac99f57bd988450c17566

That commit notes:

Note: This change makes the current Check_MK versions incompatible with older versions. In a mixed environment with old and new Check_MK versions, or with old and newer Python versions, you have to force WATO to use the old unsafe method by setting `wato_legacy_eval = True` in `multisite.mk`. This can also be done with the new global WATO setting "Use unsafe legacy encoding for distributed WATO".
Murray, I'm a bit concerned about comment #2, as the multisite.mk file is actually modified by admins on many occasions and overwriting it is definitely not a good solution, but at the same time upgrading the package without the 'wato_legacy_eval' flag set to true will result in WATO breakages. Do you have any suggestion on how to handle the upgrade properly?

Hello Andrea, I do not have a solution that both fixes the issue and does not break any environments. Maybe wato_legacy_eval in wato.py (http://git.mathias-kettner.de/git/?p=check_mk.git;a=blobdiff;f=web/plugins/config/wato.py;h=317f59394bf731727b3662f5e38d6ffa21e3983c;hp=744dde1e35164c2442ad410f5d78ccc76431ca80;hb=192d41525502dc8de10ac99f57bd988450c17566;hpb=815e624ae4c406112721771de85e22cdef3cafe6) could be set to "True" for a time, allowing the upgrade and fixing the other issues. It could be changed back to False at a later date. On the other hand, this issue seems to be the pickle/important one :-/

check-mk-1.2.4p5-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

check-mk-1.2.4p5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Gluster Storage 3.1 for RHEL 6
Native Client for RHEL 5 for Red Hat Storage
Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2015:1495 https://rhn.redhat.com/errata/RHSA-2015-1495.html
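The commit note quoted in the description describes replacing an unsafe evaluation of serialized distributed-WATO data with a safe one, switchable back through `wato_legacy_eval`. The following is an added illustration of that pattern, not check_mk's own code or wire format: a hypothetical `decode_payload` that accepts only plain Python literals via `ast.literal_eval` and a type whitelist, so a payload carrying a call or attribute expression raises `ValueError` instead of being executed; the function names, the `legacy_eval` parameter and the sample payloads are assumptions constructed for this example.

```python
import ast

# Scalars a configuration payload may legitimately contain (assumed whitelist).
SAFE_SCALARS = (str, int, float, bool, type(None))


def encode_payload(obj):
    """Serialize a configuration object as a Python literal (repr), the
    counterpart that decode_payload() can read back without eval()."""
    return repr(obj)


def _check_shape(value, depth=0, max_depth=16):
    """Recursively reject anything that is not a literal scalar or container
    of literals, and bound nesting depth so hostile input cannot recurse far."""
    if depth > max_depth:
        raise ValueError("payload nested too deeply")
    if isinstance(value, SAFE_SCALARS):
        return
    if isinstance(value, (list, tuple, set)):
        for item in value:
            _check_shape(item, depth + 1, max_depth)
        return
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise ValueError("non-string dict key %r" % (key,))
            _check_shape(item, depth + 1, max_depth)
        return
    raise ValueError("unsupported type %s" % type(value).__name__)


def decode_payload(text, legacy_eval=False):
    """Decode a serialized payload (hypothetical format: a Python literal).

    Default mode uses ast.literal_eval, which parses literals only and never
    evaluates calls, names or imports. legacy_eval=True stands for the unsafe
    mode the commit note mentions; this example refuses it rather than
    emulating it.
    """
    if legacy_eval:
        raise ValueError("legacy eval mode is unsafe and not supported here")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain Python literal: %s" % exc)
    _check_shape(value)
    return value


def is_safe_payload(text):
    """True if the payload decodes under the strict rules above."""
    try:
        decode_payload(text)
        return True
    except ValueError:
        return False
```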