pkgsrc-Changes archive
CVS commit: pkgsrc/net
Module Name: pkgsrc
Committed By: spz
Date: Tue Feb 16 05:58:57 UTC 2016
Modified Files:
pkgsrc/net/xymon: Makefile PLIST distinfo
pkgsrc/net/xymon/patches: patch-configure
pkgsrc/net/xymonclient: Makefile distinfo
pkgsrc/net/xymonclient/patches: patch-configure
Log Message:
update of xymon and xymonclient from 4.3.17 to 4.3.25
The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
(symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
(CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
the addition of appropriate Content-Security-Policy headers to prevent XSS
attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
eliminating the shell script CGI wrappers
Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.
To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 pkgsrc/net/xymon/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/xymon/PLIST
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/xymon/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/xymon/patches/patch-configure
cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/xymonclient/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/net/xymonclient/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/xymonclient/patches/patch-configure
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
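The CVE-2016-2055 item above describes a file-access policy (regular files only, confined to $XYMONHOME/etc/, no symlinks, a .cfg suffix required by default). The following C program is an added illustration of how such a policy can be checked; it is not Xymon's own code and does not reproduce the upstream patch. The function name validate_config_request, the result codes, and the build_fixture helper (which creates a constructed temporary directory with one regular file, one symlink and one file with the wrong suffix) are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Result codes for the check (names are assumptions for this example). */
enum cfg_result {
    CFG_OK = 0,
    CFG_BAD_NAME,      /* empty, absolute, contains "..", or too long */
    CFG_BAD_SUFFIX,    /* does not end in ".cfg" */
    CFG_SYMLINK,       /* final path component is a symbolic link */
    CFG_NOT_REGULAR,   /* missing, or not a regular file */
    CFG_OUTSIDE        /* canonical path does not lie under the base directory */
};

static int has_suffix(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Accept "request" only if it names a regular, non-symlink ".cfg" file inside etcdir.
 * On success the canonical path is copied into "resolved" (may be NULL). */
int validate_config_request(const char *etcdir, const char *request,
                            char *resolved, size_t resolvedlen)
{
    char joined[PATH_MAX], basereal[PATH_MAX], filereal[PATH_MAX];
    struct stat st;
    size_t bl;

    /* Conservative name rules: relative, no ".." anywhere (rejects a few odd but legal names). */
    if (request == NULL || *request == '\0' || *request == '/' || strstr(request, "..") != NULL)
        return CFG_BAD_NAME;
    if (!has_suffix(request, ".cfg"))
        return CFG_BAD_SUFFIX;
    if (snprintf(joined, sizeof joined, "%s/%s", etcdir, request) >= (int)sizeof joined)
        return CFG_BAD_NAME;

    /* lstat() does not follow the final component, so a symlink is seen as a symlink. */
    if (lstat(joined, &st) != 0)
        return CFG_NOT_REGULAR;
    if (S_ISLNK(st.st_mode))
        return CFG_SYMLINK;
    if (!S_ISREG(st.st_mode))
        return CFG_NOT_REGULAR;

    /* Canonicalise both paths; this also catches symlinked intermediate directories. */
    if (realpath(etcdir, basereal) == NULL || realpath(joined, filereal) == NULL)
        return CFG_OUTSIDE;
    bl = strlen(basereal);
    if (strncmp(filereal, basereal, bl) != 0 || filereal[bl] != '/')
        return CFG_OUTSIDE;

    if (resolved != NULL)
        snprintf(resolved, resolvedlen, "%s", filereal);
    return CFG_OK;
}

/* Constructed fixture: ok.cfg (regular), link.cfg (symlink to ok.cfg), notes.txt.
 * Returns 0 on success and writes the directory path into "dir". */
int build_fixture(char *dir, size_t dirlen)
{
    char tmpl[] = "/tmp/cfgcheck-XXXXXX";
    char path[PATH_MAX];
    FILE *f;

    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(path, sizeof path, "%s/ok.cfg", tmpl);
    if ((f = fopen(path, "w")) == NULL) return -1;
    fputs("# constructed sample config\n", f); fclose(f);
    snprintf(path, sizeof path, "%s/notes.txt", tmpl);
    if ((f = fopen(path, "w")) == NULL) return -1;
    fputs("not a config\n", f); fclose(f);
    snprintf(path, sizeof path, "%s/link.cfg", tmpl);
    if (symlink("ok.cfg", path) != 0) return -1;
    snprintf(dir, dirlen, "%s", tmpl);
    return 0;
}

/* Runs the policy against the fixture; returns how many cases gave the expected result (6). */
int demo_checks(void)
{
    char dir[PATH_MAX], out[PATH_MAX];
    int ok = 0;
    if (build_fixture(dir, sizeof dir) != 0) return -1;
    ok += validate_config_request(dir, "ok.cfg", out, sizeof out) == CFG_OK;
    ok += validate_config_request(dir, "link.cfg", out, sizeof out) == CFG_SYMLINK;
    ok += validate_config_request(dir, "notes.txt", out, sizeof out) == CFG_BAD_SUFFIX;
    ok += validate_config_request(dir, "../other/x.cfg", out, sizeof out) == CFG_BAD_NAME;
    ok += validate_config_request(dir, "/abs/x.cfg", out, sizeof out) == CFG_BAD_NAME;
    ok += validate_config_request(dir, "missing.cfg", out, sizeof out) == CFG_NOT_REGULAR;
    return ok;
}

int main(void)
{
    printf("%d of 6 policy checks behaved as expected\n", demo_checks());
    return 0;
}
```

The order of checks matters: the suffix and name rules are cheap and run first, the lstat() refuses symlinks before anything is opened, and the realpath() comparison is the containment guarantee that a string check alone cannot give. A production check would additionally open the file with O_NOFOLLOW and fstat() the descriptor to close the window between the check and the use.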