On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote:
> Control: notfixed -1 1.2.8p26-1
> Hi!
> On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the src:check-mk package:
> > #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
> I looked up the source for 1.2.8p26-1.
> The fix for CVE-2017-9781 is
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
> which does not yet seem to be applied to 1.2.8p26-1?
> Can you please double-check?
> Note, there is a second CVE now for check-mk, that one got addressed
> in 1.2.8p26, but it's not clear yet in which version it was
> introduced.
Hi,
You are right, the fix for CVE-2017-9781, which upstream calls "werk
#4757" is _not_ in 1.2.8p26. I was confused with upstream #5208 when I
wrote the changelog that closed the bug.
Upstream lists the following security related fixes for 1.2.8
==============================================================
#5208
http://mathias-kettner.com/check_mk_werks.php?werk_id=5208&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=673360408b90f99bd54cf936091cff08d979a057
#4902
http://mathias-kettner.com/check_mk_werks.php?werk_id=4902&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96e39a0f024d9b2b521576c1eb71aca7fb3e818d
#7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?)
http://mathias-kettner.com/check_mk_werks.php?werk_id=7661&HTML=yes
#7631
http://mathias-kettner.com/check_mk_werks.php?werk_id=7631&HTML=yes
#3970 (fixed in 1.2.8p14)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3970&HTML=yes
#3855 (fixed in 1.2.8p11)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3855&HTML=yes
#3743 (fixed in 1.2.8p10)
http://mathias-kettner.com/check_mk_werks.php?werk_id=3743&HTML=yes
Full list of changes for 1.2.8p26
=================================
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8&version=1.2.8p26&HTML=yes
Full list of changes for 1.4.0p14
=================================
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.4.0&version=1.4.0p14&HTML=yes
which additionally lists
#4757 (as you mentioned above, fixed in 1.4.0p6)
http://mathias-kettner.com/check_mk_werks.php?werk_id=4757&HTML=yes
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f549502244a60146ed6831dc3473f2a
#7643 (only in 1.4 and newer)
http://mathias-kettner.com/check_mk_werks.php?werk_id=7643&HTML=yes
So I think the Debian 1.2.8p16 package is only missing #4757.
I will ask upstream if they intend to fix #4757 in the 1.2.8 series.
Unfortunately due to how the upstream tarball/build works, it is tricky
to patch upstream files. If upstream doesn't intend to include this fix
I can generate a patch to make it work.
I had started working on packaging 1.4.0 as a way to fix these security
bugs (and even did an upload to experimental) but I recently learned
from upstream that:
"The use of Check_MK without OMD environment and customization of paths
is explicitly not supported anymore."
i.e. you can't use check-mk stand-alone, you have to use OMD (and
livestatus/WATO/multisite, the whole stack) and you have to use
upstream's installer to upstream's paths. It's very much the "network
appliance" model (or flatpak, docker image, etc)
I don't know if we'll be able to make this work in Debian. (not to
mention that nagios is gone and icinga1 will go away at some point)
That prompted me to go back to 1.2.8 and package the latest release
there in order to at least have something working without the security bugs.
--
Matt Taggart
tagg...@debian.org
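As an added illustration of the bug class named in the report (reflected XSS: a request parameter copied verbatim into an HTML response), and not check-mk's webapi.py or the upstream fix linked above, here is a constructed example of a vulnerable handler next to the same handler with output escaping. The parameter name `request`, the response markup and the payload are all assumptions made for the example.

```python
"""Reflected XSS: vulnerable vs. escaped handler (constructed example).

This is NOT check-mk's webapi.py and NOT the fix from the linked commit.
It only shows the bug class: a query parameter echoed into HTML without
escaping, and the same handler with html.escape() applied to the
untrusted value before it is embedded.
"""
import html
from urllib.parse import parse_qs

# Assumed parameter name and response template; not taken from check-mk.
TEMPLATE = "<html><body><p>Unknown request: %s</p></body></html>"


def _request_param(query_string: str) -> str:
    """Extract the 'request' parameter from a raw query string ('' if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("request", [""])[0]


def vulnerable_response(query_string: str) -> str:
    """Reflect the parameter into HTML unescaped: attacker markup becomes live."""
    return TEMPLATE % _request_param(query_string)


def fixed_response(query_string: str) -> str:
    """Same handler, but the untrusted value is HTML-escaped (incl. quotes)."""
    return TEMPLATE % html.escape(_request_param(query_string), quote=True)


def contains_live_script(body: str) -> bool:
    """Crude detector: is there an unescaped <script tag in the response body?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    # Constructed attacker-controlled query string, not from the bug report.
    payload = "request=<script>alert(document.cookie)</script>"
    print("vulnerable:", vulnerable_response(payload))
    print("fixed:     ", fixed_response(payload))
```

The escaped version turns `<script>` into `&lt;script&gt;`, so the browser renders the payload as text instead of executing it; a real fix would escape (or reject) every reflected value, not just one parameter.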