Your message dated Fri, 06 Oct 2017 21:05:09 +0000
with message-id <e1e0znx-0004ds...@fasolo.debian.org>
and subject line Bug#865497: fixed in check-mk 1.2.8p26-1
has caused the Debian Bug report #865497,
regarding check-mk: CVE-2017-9781: reflected XSS in webapi.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
865497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865497
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore

--- End Message ---
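The CVE text quoted in the report above describes a request parameter echoed into a `text/html` response without encoding. The following is an added example, not Check_MK's code and not part of the original messages: a hypothetical minimal handler shown unencoded and encoded, with a regression check. The function names, the message text and the probe string are assumptions.

```python
import html
import json

# Constructed probe: harmless markup that only reveals whether encoding happened.
PROBE = '<i>probe"</i>'

def auth_error_unencoded(username):
    """Pattern from the CVE text: the _username value is copied into the
    body as-is and the response is labelled text/html."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = "Invalid credentials for user %s" % username
    return headers, body

def auth_error_encoded(username):
    """Same response with the value HTML-encoded before it is written out."""
    headers = {"Content-Type": "text/html; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    body = "Invalid credentials for user %s" % html.escape(username, quote=True)
    return headers, body

def auth_error_json(username):
    """Alternative for an API endpoint: a non-HTML content type, so a
    browser does not parse the echoed value as markup."""
    headers = {"Content-Type": "application/json",
               "X-Content-Type-Options": "nosniff"}
    body = json.dumps({"error": "invalid credentials", "user": username})
    return headers, body

def reflects_markup(headers, body, probe=PROBE):
    """Regression check: True when the probe comes back verbatim in a
    response that a browser would render as HTML."""
    is_html = headers.get("Content-Type", "").startswith("text/html")
    return is_html and probe in body

if __name__ == "__main__":
    for handler in (auth_error_unencoded, auth_error_encoded, auth_error_json):
        print(handler.__name__, reflects_markup(*handler(PROBE)))
```

A check like `reflects_markup` can run against a test instance after upgrading to confirm the packaged fix behaves as expected.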
--- Begin Message ---
Source: check-mk
Source-Version: 1.2.8p26-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart <tagg...@debian.org> (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Oct 2017 09:59:26 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc
Architecture: source all amd64
Version: 1.2.8p26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-de...@lists.alioth.debian.org>
Changed-By: Matt Taggart <tagg...@debian.org>
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.2.8p26-1) unstable; urgency=medium
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)


--- End Message ---
