Updated xymon packages fix security vulnerabilities:
The incorrect handling of user-supplied input in the "config" command can trigger a stack-based buffer overflow, resulting in denial of service (via application crash) or remote code execution (CVE-2016-2054).
The incorrect handling of user-supplied input in the "config" command can lead to an information leak by serving sensitive configuration files to a remote user (CVE-2016-2055).
The commands handling password management do not properly validate user-supplied input, and are thus vulnerable to shell command injection by a remote user (CVE-2016-2056).
Incorrect permissions on an internal queuing system allow a user with a local account on the xymon master server to bypass all network-based access control lists, and thus inject messages directly into xymon (CVE-2016-2057).
Incorrect escaping of user-supplied input in status webpages can be used to trigger reflected cross-site scripting attacks (CVE-2016-2058).
Note that to effectively fix CVE-2016-2055, the /etc/xymon/xymonpasswd configuration file should be owned by user and group apache with 640 permissions.
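One way to audit the ownership and mode required above, as an added example that is not part of the original advisory. It assumes GNU coreutils `stat` (Linux), and the function name `audit_xymonpasswd` is hypothetical:

```shell
# Added example (not from the advisory). Assumes GNU coreutils stat.
# audit_xymonpasswd is a hypothetical helper name.
# Usage: audit_xymonpasswd [path] [owner] [group] [mode]
# Defaults are the values the advisory gives for the CVE-2016-2055 fix.
# Returns 0 = compliant, 1 = wrong owner/group/mode,
#         2 = missing or not a regular file.
audit_xymonpasswd() {
    path=${1:-/etc/xymon/xymonpasswd}
    want_owner=${2:-apache}
    want_group=${3:-apache}
    want_mode=${4:-640}

    # A symlink or special file at this path is itself a finding;
    # do not follow it.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file" >&2
        return 2
    fi

    owner=$(stat -c %U "$path")   # owner name
    group=$(stat -c %G "$path")   # group name
    mode=$(stat -c %a "$path")    # octal permission bits
    audit_rc=0

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $path is $owner:$group, expected $want_owner:$want_group"
        echo "  fix: chown $want_owner:$want_group $path"
        audit_rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL: $path has mode $mode, expected $want_mode"
        echo "  fix: chmod $want_mode $path"
        audit_rc=1
    fi
    if [ "$audit_rc" -eq 0 ]; then
        echo "OK: $path is $owner:$group mode $mode"
    fi
    return "$audit_rc"
}
```

Calling `audit_xymonpasswd` with no arguments checks /etc/xymon/xymonpasswd against apache:apache and mode 640.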