diff options
author | spz <spz> | 2016-02-16 05:58:56 +0000 |
---|---|---|
committer | spz <spz> | 2016-02-16 05:58:56 +0000 |
commit | 571f4ac87af82305ebfc8b1aeea1eae78b7fd403 (patch) | |
tree | b378828845cc93af15405cbaa3b6041fc9322c08 /net/xymonclient/patches | |
parent | 22d269ed861fb8d95886d2fbd7adb1c387fc2133 (diff) | |
download | pkgsrc-571f4ac87af82305ebfc8b1aeea1eae78b7fd403.tar.gz |
update of xymon and xymonclient from 4.3.17 to 4.3.25
The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
(symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
(CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
the addition of appropriate Content-Security-Policy headers to prevent XSS
attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
eliminating the shell script CGI wrappers
Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.
Diffstat (limited to 'net/xymonclient/patches')
-rw-r--r-- | net/xymonclient/patches/patch-configure | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/net/xymonclient/patches/patch-configure b/net/xymonclient/patches/patch-configure index 193110b3a49..4e9f8eda1ae 100644 --- a/net/xymonclient/patches/patch-configure +++ b/net/xymonclient/patches/patch-configure @@ -1,4 +1,4 @@ -$NetBSD: patch-configure,v 1.1 2011/10/15 23:04:51 spz Exp $ +$NetBSD: patch-configure,v 1.2 2016/02/16 05:58:57 spz Exp $ Make sure the toplevel configure script exits on failure. @@ -8,13 +8,13 @@ Make sure the toplevel configure script exits on failure. case "$TARGET" in "--client") -- $BASEDIR/configure.client $* -+ $BASEDIR/configure.client "$@" || exit 1 +- exec $BASEDIR/configure.client $* ++ exec $BASEDIR/configure.client "$@" || exit 1 ;; "--server"|"") -- $BASEDIR/configure.server $* -+ $BASEDIR/configure.server "$@" || exit 1 +- exec $BASEDIR/configure.server $* ++ exec $BASEDIR/configure.server "$@" || exit 1 ;; "--help") |