[SECURITY] [DLA 488-1] xymon security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 488-1] xymon security update
From: Markus Koschany <apo@debian.org>
Date: Wed, 25 May 2016 19:10:22 +0200
Message-id: <[🔎] 5745DC7E.2030707@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : xymon
Version        : 4.3.0~beta2.dfsg-9.1+deb7u1
CVE ID         : CVE-2016-2054 CVE-2016-2055 CVE-2016-2056 CVE-2016-2058


Markus Krell discovered that Xymon (formerly known as Hobbit), a
network- and applications-monitoring system, was vulnerable to the
following security issues:

CVE-2016-2054

  The incorrect handling of user-supplied input in the "config"
  command can trigger a stack-based buffer overflow, resulting in
  denial of service (via application crash) or remote code execution.

CVE-2016-2055

  The incorrect handling of user-supplied input in the "config"
  command can lead to an information leak by serving sensitive
  configuration files to a remote user.

CVE-2016-2056

  The commands handling password management do not properly validate
  user-supplied input, and are thus vulnerable to shell command
  injection by a remote user.

CVE-2016-2058

  Incorrect escaping of user-supplied input in status webpages can
  be used to trigger reflected cross-site scripting attacks.


For Debian 7 "Wheezy", these problems have been fixed in version
4.3.0~beta2.dfsg-9.1+deb7u1.

We recommend that you upgrade your xymon packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQJ8BAEBCgBmBQJXRdx8XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkFMYP/2bUfpfOI8BFIhe84sGPhGjR
zfOTZbbB4OuxVk2naT23StQ6RTAqquxCX5t/bVISkYH+c9Ncfc+Z/e+4KPRaR4VI
bo0W0VhqdRjYII/ZdTAgURr9v3UgrAYecRUVxsESchVfeUwNQDdv9BaP6ylcNhTn
tiCZsJ5FckQ5dbWYRwuD5XYTt7sRqhrMnC8Bb3YhcLcA8Vz/Xpqxwu9mQT/1gwnm
Fc4gL9abSJyAlStEumaVj/n5KQSduBwrAyOUHecB2cu9qQNFr3Be9Uw0+t0OUbMT
3Hd8W5cccYzSlz93pIDUxRvt6gCd9Gtu14taoXJmsdaSZ+tw+SIzcNsbR2hv62FL
loYSZPoxEUypoZGcWBkN2HVh+/0uhNBUV4eYqlQkv0oF7fVD7WCUDZr9lMHM2wXQ
u7a4DGqXHd0RYKrm32FSQ2yhK8htZOzNtkjPKIrIUMMsHTanaP47pI44uW2AHJgX
2epwZGaSUpq1WTYQHxbkryL/AaX5JwUXUmchCX++b1tzmqMBvC+D9g/Yo1NTadMo
OUpoczBuum4j9evfdA9eLTK9+Ai7elhtnA1NxzInXrGEM68lZVPOOmgaxm6j4Dfe
3vvnLxN2bzciAjqKERMpug7dXwTEh8J6FPwpJFmS/ymJgtJZHlySttislfVUMaty
RlegPTytwMmPsjwvn3i0
=AAB3
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 486-1] imagemagick security update
Next by Date: [SECURITY] [DLA 489-1] ruby-mail security update
Previous by thread: [SECURITY] [DLA 486-1] imagemagick security update
Next by thread: [SECURITY] [DLA 489-1] ruby-mail security update
Index(es):
- Date
- Thread