Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-20-1 munin

Debian Security Advisory

DLA-20-1 munin -- LTS security update

Date Reported:

07 Aug 2014

Affected Packages:

munin

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-3512, CVE-2013-6048, CVE-2013-6359.

More information:

[ Christoph Biedl ]

• munin-node: more secure state file handling, introducing a new plugin state directory root, owned by uid 0. Then each plugin runs in its own UID plugin state directory, owned by that UID. (Closes: #684075), (Closes: #679897), closes CVE-2012-3512.
• plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now please report plugins that are still using /var/lib/munin/plugin-state/ as those might pose a security risk!
• Don't abort data collection for a node due to malicious node, fixing munin#1397, CVE-2013-6048.
• Validate multigraph plugin name, CVE-2013-6359.

For Debian 6 Squeeze, these issues have been fixed in munin version 1.4.5-3+deb6u1