Security Information / 2013 / Security Information -- DSA-2815-1 munin

Debian Security Advisory

DSA-2815-1 munin -- denial of service

Date Reported:

09 Dec 2013

Affected Packages:

munin

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-6048, CVE-2013-6359.

More information:

Christoph Biedl discovered two denial of service vulnerabilities in munin, a network-wide graphing framework. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2013-6048

  The Munin::Master::Node module of munin does not properly validate certain data a node sends. A malicious node might exploit this to drive the munin-html process into an infinite loop with memory exhaustion on the munin master.

• CVE-2013-6359

  A malicious node, with a plugin enabled using multigraph as a multigraph service name, can abort data collection for the entire node the plugin runs on.

For the stable distribution (wheezy), these problems have been fixed in version 2.0.6-4+deb7u2.

For the testing distribution (jessie), these problems have been fixed in version 2.0.18-1.

For the unstable distribution (sid), these problems have been fixed in version 2.0.18-1.

We recommend that you upgrade your munin packages.