Bug#865497: marked as done (check-mk: CVE-2017-9781: reflected XSS in webapi.py)

2017-10-06 Thread Debian Bug Tracking System
Your message dated Fri, 06 Oct 2017 21:05:09 +
with message-id 
and subject line Bug#865497: fixed in check-mk 1.2.8p26-1
has caused the Debian Bug report #865497,
regarding check-mk: CVE-2017-9781: reflected XSS in webapi.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
865497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865497
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore
--- End Message ---
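
Added example (not part of the original report and not Check_MK's code): a minimal WSGI handler showing the flaw class the CVE text describes, a request parameter reflected unencoded under text/html, next to a hardened form. The handler names, the error wording and the JSON shape are assumptions made for illustration.

```python
# Hypothetical handlers for illustration; this is not Check_MK's webapi.py.
import html
import json
from urllib.parse import parse_qs


def _username(environ):
    """Return the _username query parameter ('' if absent)."""
    qs = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    return qs.get("_username", [""])[0]


def vulnerable_app(environ, start_response):
    """Reflects _username unencoded in a text/html response (the flaw)."""
    body = "Invalid credentials for user: %s" % _username(environ)
    start_response("401 Unauthorized",
                   [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def hardened_app(environ, start_response):
    """Same error, but escaped, JSON-encoded, and never sniffed as HTML."""
    # html.escape covers clients that still insert the string into a page.
    safe = html.escape(_username(environ), quote=True)
    body = json.dumps({"error": "Invalid credentials for user: %s" % safe})
    start_response("401 Unauthorized", [
        ("Content-Type", "application/json; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body.encode("utf-8")]


def call(app, query_string):
    """Drive a WSGI app offline; return (status, headers dict, body text)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    chunks = app(environ, start_response)
    return seen["status"], seen["headers"], b"".join(chunks).decode("utf-8")


# Constructed probe: harmless markup, URL-encoded as a client would send it.
PROBE = "_username=%3Cb%3Eprobe%3C%2Fb%3E"
```

Running call(vulnerable_app, PROBE) returns the markup intact under text/html, while call(hardened_app, PROBE) returns it entity-encoded inside a JSON document.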
--- Begin Message ---
Source: check-mk
Source-Version: 1.2.8p26-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Oct 2017 09:59:26 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc
Architecture: source all amd64
Version: 1.2.8p26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nagios Maintainer Group 

Changed-By: Matt Taggart 
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.2.8p26-1) unstable; urgency=medium
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
Checksums-Sha1:
Checksums-Sha256:

Bug#865497: marked as done (check-mk: CVE-2017-9781: reflected XSS in webapi.py)

2017-09-20 Thread Debian Bug Tracking System
Your message dated Wed, 20 Sep 2017 07:00:14 +
with message-id 
and subject line Bug#865497: fixed in check-mk 1.4.0p9-1
has caused the Debian Bug report #865497,
regarding check-mk: CVE-2017-9781: reflected XSS in webapi.py
to be marked as done.

--- Begin Message ---
Source: check-mk
Source-Version: 1.4.0p9-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jun 2017 15:44:37 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc check-mk-common check-mk-monitoring-plugins
Architecture: source all amd64
Version: 1.4.0p9-1
Distribution: experimental
Urgency: high
Maintainer: Debian Nagios Maintainer Group 

Changed-By: Matt Taggart 
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-common - general purpose monitoring plugin for retrieving data (common lib
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-monitoring-plugins - general purpose monitoring plugin for retrieving data (monitoring
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.4.0p9-1) experimental; urgency=high
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
   * move to the way upstream now does defaults
   * add new librrd-dev, libboost-dev, libboost-system-dev, g++-6 build-deps
   * new -common package for private python libs
Checksums-Sha1: