author | spz <spz@pkgsrc.org> | 2016-02-16 05:58:56 +0000 |
---|---|---|
committer | spz <spz@pkgsrc.org> | 2016-02-16 05:58:56 +0000 |
commit | c336bb7d4c3e06523dbf81180faadb7b0de44d54 (patch) | |
tree | b378828845cc93af15405cbaa3b6041fc9322c08 /net/xymon | |
parent | e998b3f9d1c238f853bc01bf5420bdab876a52ef (diff) | |
download | pkgsrc-c336bb7d4c3e06523dbf81180faadb7b0de44d54.tar.gz |
update of xymon and xymonclient from 4.3.17 to 4.3.25
The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
(symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
(CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
the addition of appropriate Content-Security-Policy headers to prevent XSS
attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
eliminating the shell script CGI wrappers
Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.
Diffstat (limited to 'net/xymon')
-rw-r--r-- | net/xymon/Makefile | 5 |
-rw-r--r-- | net/xymon/PLIST | 18 |
-rw-r--r-- | net/xymon/distinfo | 12 |
-rw-r--r-- | net/xymon/patches/patch-configure | 13 |
4 files changed, 30 insertions, 18 deletions
diff --git a/net/xymon/Makefile b/net/xymon/Makefile index a9c6c5f2c59..6f2a92af7c8 100644 --- a/net/xymon/Makefile +++ b/net/xymon/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.43 2015/11/25 12:52:12 jperkin Exp $ +# $NetBSD: Makefile,v 1.44 2016/02/16 05:58:56 spz Exp $ # -DISTNAME= xymon-4.3.17 -PKGREVISION= 3 +DISTNAME= xymon-4.3.25 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=xymon/} diff --git a/net/xymon/PLIST b/net/xymon/PLIST index 66fbb505bb2..5619f86bd09 100644 --- a/net/xymon/PLIST +++ b/net/xymon/PLIST @@ -1,6 +1,7 @@ -@comment $NetBSD: PLIST,v 1.6 2014/03/11 14:05:12 jperkin Exp $ +@comment $NetBSD: PLIST,v 1.7 2016/02/16 05:58:56 spz Exp $ libexec/xymon/ackinfo.cgi libexec/xymon/acknowledge.cgi +libexec/xymon/acknowledgements.cgi libexec/xymon/appfeed.cgi libexec/xymon/bb libexec/xymon/bbcmd @@ -9,6 +10,7 @@ libexec/xymon/bbhostgrep libexec/xymon/bbhostshow libexec/xymon/beastat libexec/xymon/boilerplate.cgi +libexec/xymon/cgi-bin/acknowledgements.sh libexec/xymon/cgi-bin/appfeed-critical.sh libexec/xymon/cgi-bin/appfeed.sh libexec/xymon/cgi-bin/certreport.sh @@ -36,9 +38,12 @@ libexec/xymon/cgi-bin/svcstatus.sh libexec/xymon/cgi-bin/topchanges.sh libexec/xymon/cgi-secure/ackinfo.sh libexec/xymon/cgi-secure/acknowledge.sh +libexec/xymon/cgi-secure/chpasswd.sh libexec/xymon/cgi-secure/criticaleditor.sh libexec/xymon/cgi-secure/enadis.sh libexec/xymon/cgi-secure/useradm.sh +libexec/xymon/cgiwrap +libexec/xymon/chpasswd.cgi libexec/xymon/combostatus libexec/xymon/confreport.cgi libexec/xymon/convertnk @@ -199,6 +204,7 @@ share/examples/xymon/www/gifs/favicon-purple.ico share/examples/xymon/www/gifs/favicon-red.ico share/examples/xymon/www/gifs/favicon-unknown.ico share/examples/xymon/www/gifs/favicon-yellow.ico +share/examples/xymon/www/gifs/green-ack.gif share/examples/xymon/www/gifs/green-recent.gif share/examples/xymon/www/gifs/green.gif share/examples/xymon/www/gifs/purple-ack.gif 
@@ -330,6 +336,12 @@ share/examples/xymon/xymonserver.cfg share/xymon/web/acknowledge_footer share/xymon/web/acknowledge_form share/xymon/web/acknowledge_header +share/xymon/web/acknowledgements_footer +share/xymon/web/acknowledgements_form +share/xymon/web/acknowledgements_header +share/xymon/web/chpasswd_footer +share/xymon/web/chpasswd_form +share/xymon/web/chpasswd_header share/xymon/web/columndoc_footer share/xymon/web/columndoc_header share/xymon/web/confreport_back @@ -408,10 +420,10 @@ share/xymon/web/stdnormal_header share/xymon/web/topchanges_footer share/xymon/web/topchanges_form share/xymon/web/topchanges_header +share/xymon/web/trends_footer share/xymon/web/trends_form +share/xymon/web/trends_header share/xymon/web/useradm_footer share/xymon/web/useradm_form share/xymon/web/useradm_header share/xymon/web/zoom.js -@pkgdir share/xymon/xymonhome -@pkgdir etc/xymon diff --git a/net/xymon/distinfo b/net/xymon/distinfo index 8a14255ee05..9f4627da910 100644 --- a/net/xymon/distinfo +++ b/net/xymon/distinfo 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.14 2015/11/04 00:35:46 agc Exp $ +$NetBSD: distinfo,v 1.15 2016/02/16 05:58:56 spz Exp $ -SHA1 (xymon-4.3.17.tar.gz) = 1a8ba9e42f27fe3ce4625be745a41bd16ed2d1f9 -RMD160 (xymon-4.3.17.tar.gz) = 09b88d228633daa0f904567102a4c697b5651b73 -SHA512 (xymon-4.3.17.tar.gz) = 4fcea3763c310f6b201fe02a54adcc2dd2537798e80dbea2a15ae6da57c864ae1c6dd955b934fd38ab3eabe93f04c09975910ecc01dc6fbb5cd0d970830e4737 -Size (xymon-4.3.17.tar.gz) = 2772765 bytes +SHA1 (xymon-4.3.25.tar.gz) = 049bf7e908032e9780e3c67fd5e10dd399c811f3 +RMD160 (xymon-4.3.25.tar.gz) = 1c8315e88a5b418d77e7c6e1c4f5f2e034f049e3 +SHA512 (xymon-4.3.25.tar.gz) = c438ecaac18ca64222643fa361254e7c7a27c60ca3bb27fc092da8182e7c1c7862677b544e4d634ae73bbaa7954a3bb0920ce570d99e8ffd899419119075a940 +Size (xymon-4.3.25.tar.gz) = 2996840 bytes SHA1 (patch-aa) = 227b631c6e002712ebf6019d8473ca4b44904e4a SHA1 (patch-ab) = 39a6af51ec216bb8cbdb57a3c07d82fce559b27f SHA1 (patch-ac) = a44d1c7471d6aafe36931fa8dd001c0d3b7d7b72 @@ -15,7 +15,7 @@ SHA1 (patch-build_Makefile.FreeBSD) = e58b50f35068cba6fed89cc21bcc4eb7d30efd23 SHA1 (patch-build_Makefile.Linux) = eea6d1ced23a622d115aa97dc10d352f9dd622b0 SHA1 (patch-build_rrd.sh) = cfafece75defb13b413917bfddedb41cb9bb3c8b SHA1 (patch-build_snmp.sh) = 4141c6e2bebea078ac662b7585e579f2af8ee64f -SHA1 (patch-configure) = 7b71ed7a567124a2aa36d9bf9188209649e88a4d +SHA1 (patch-configure) = b654e6da62e1aabdad4b8bfb0fd3e87de89de6d5 SHA1 (patch-xymond_client_netbsd.c) = 9034777cbf12e3e168cf1598bfd444468e3a5086 SHA1 (patch-xymond_rrd_do__disk.c) = e72cb0364e4e949e02a045da0abca46083624253 SHA1 (patch-xymond_rrd_do__vmstat.c) = 8062acc24e9b0e767c5abd3373641aa7b9a5b2ae diff --git a/net/xymon/patches/patch-configure b/net/xymon/patches/patch-configure index 90834318666..d52a7ebf6cd 100644 --- a/net/xymon/patches/patch-configure +++ b/net/xymon/patches/patch-configure 
@@ -1,20 +1,21 @@ -$NetBSD: patch-configure,v 1.3 2011/10/15 23:04:51 spz Exp $ +$NetBSD: patch-configure,v 1.4 2016/02/16 05:58:56 spz Exp $ Make sure the toplevel configure script exits on failure. ---- configure.orig 2011-03-08 17:20:28.000000000 +0000 +--- configure.orig 2014-09-28 09:39:28.000000000 +0000 +++ configure @@ -14,11 +14,11 @@ chmod 755 $BASEDIR/configure* $BASEDIR/b case "$TARGET" in "--client") -- $BASEDIR/configure.client $* -+ $BASEDIR/configure.client "$@" || exit 1 +- exec $BASEDIR/configure.client $* ++ exec $BASEDIR/configure.client "$@" || exit 1 ;; "--server"|"") -- $BASEDIR/configure.server $* -+ $BASEDIR/configure.server "$@" || exit 1 +- exec $BASEDIR/configure.server $* ++ exec $BASEDIR/configure.server "$@" || exit 1 ;; "--help") + |
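Review bot: In net/xymon/PLIST, the hunks at -9,6 and -36,9 add `libexec/xymon/cgi-bin/acknowledgements.sh` and `libexec/xymon/cgi-secure/chpasswd.sh` next to the new `libexec/xymon/cgiwrap`, while the log lists eliminating the shell script CGI wrappers as the CVE-2014-6271 mitigation. Nothing in the diff shows what the `.sh` names now point to. If they are links to `cgiwrap`, say so in the commit message, and check the installed files after a build so that no shell-script wrapper is left under those names.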
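Review bot: In net/xymon/PLIST, the last hunk (-408,10) drops `@pkgdir share/xymon/xymonhome` and `@pkgdir etc/xymon`, and the log does not mention it. Please state why the entries go away and confirm that both directories are still created on install and cleaned up on deinstall by another mechanism, with the ownership and mode the package intends.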
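Review bot: In net/xymon/patches/patch-configure, the new lines `exec $BASEDIR/configure.client "$@" || exit 1` and `exec $BASEDIR/configure.server "$@" || exit 1` combine `exec` with a fallback that cannot see the sub-script's result. Once `exec` succeeds the shell is replaced, so the exit status of configure.client or configure.server becomes the status of configure directly, and `|| exit 1` is only reached if the exec itself fails, a case in which a non-interactive shell exits anyway. The stated goal of exiting on failure is already met by `exec`; drop the `|| exit 1` or add a line to the patch description explaining why it stays. `$BASEDIR` is still unquoted while the arguments are now passed as `"$@"`, so quote it as `"$BASEDIR"/configure.client` for consistency with paths containing spaces.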