Bug#865497: marked as done (check-mk: CVE-2017-9781: reflected XSS in webapi.py)
Your message dated Fri, 06 Oct 2017 21:05:09 + with message-id and subject line
Bug#865497: fixed in check-mk 1.2.8p26-1
has caused the Debian Bug report #865497,
regarding check-mk: CVE-2017-9781: reflected XSS in webapi.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
865497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865497
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: check-mk
Source-Version: 1.2.8p26-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Oct 2017 09:59:26 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc
Architecture: source all amd64
Version: 1.2.8p26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nagios Maintainer Group
Changed-By: Matt Taggart
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.2.8p26-1) unstable; urgency=medium
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
Checksums-Sha1:
Checksums-Sha256:
Bug#865497: marked as done (check-mk: CVE-2017-9781: reflected XSS in webapi.py)
Your message dated Wed, 20 Sep 2017 07:00:14 + with message-id and subject line
Bug#865497: fixed in check-mk 1.4.0p9-1
has caused the Debian Bug report #865497,
regarding check-mk: CVE-2017-9781: reflected XSS in webapi.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
865497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865497
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: check-mk
Source-Version: 1.4.0p9-1

We believe that the bug you reported is fixed in the latest version of
check-mk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matt Taggart (supplier of updated check-mk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jun 2017 15:44:37 -0700
Source: check-mk
Binary: check-mk-agent check-mk-agent-logwatch check-mk-server check-mk-config-icinga check-mk-livestatus check-mk-multisite check-mk-doc check-mk-common check-mk-monitoring-plugins
Architecture: source all amd64
Version: 1.4.0p9-1
Distribution: experimental
Urgency: high
Maintainer: Debian Nagios Maintainer Group
Changed-By: Matt Taggart
Description:
 check-mk-agent - general purpose monitoring plugin for retrieving data
 check-mk-agent-logwatch - general purpose monitoring plugin for retrieving data
 check-mk-common - general purpose monitoring plugin for retrieving data (common lib
 check-mk-config-icinga - general purpose monitoring plugin for retrieving data
 check-mk-doc - general purpose monitoring plugin for retrieving data (documentat
 check-mk-livestatus - general purpose monitoring plugin for retrieving data
 check-mk-monitoring-plugins - general purpose monitoring plugin for retrieving data (monitoring
 check-mk-multisite - general purpose monitoring plugin for retrieving data
 check-mk-server - general purpose monitoring plugin for retrieving data
Closes: 865497
Changes:
 check-mk (1.4.0p9-1) experimental; urgency=high
 .
   * new upstream release
   * fixes CVE-2017-9781 (Closes: #865497)
   * move to the way upstream now does defaults
   * add new librrd-dev, libboost-dev, libboost-system-dev, g++-6 build-deps
   * new -common package for private python libs
Checksums-Sha1:
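The CVE text quoted in both notices above pins the flaw to one pattern: an untrusted request parameter (_username) copied verbatim into a response served as text/html. The Python below is an added illustration written for this page, not code from Check_MK's webapi.py or from the Debian package; the function names and the sample user names are constructed. It shows that flawed response pattern beside two hardened forms, plus the check a regression test would use to tell them apart.

```python
import html
import json
from typing import Tuple

# Constructed sample values for this illustration (not taken from the report):
# an ordinary login name and one that carries HTML markup in the _username field.
SAMPLE_USERNAMES = ["monitor", "<i>nobody</i>"]


def vulnerable_auth_error(username: str) -> Tuple[str, str]:
    """Flawed pattern as the CVE text describes it: the parameter is copied
    verbatim into an HTML body that is served as text/html, so a browser
    renders whatever markup it contains. Returns (content_type, body)."""
    body = "<html><body>Invalid login for user %s</body></html>" % username
    return "text/html", body


def hardened_auth_error_json(username: str) -> Tuple[str, str]:
    """Hardened form for an API endpoint: answer with application/json and
    keep the untrusted value inside a data field. The browser never treats
    the response as a document, so there is no HTML context to inject into."""
    payload = {"result_code": 1, "result": "Invalid login for user %s" % username}
    return "application/json", json.dumps(payload)


def hardened_auth_error_html(username: str) -> Tuple[str, str]:
    """Hardened form when an HTML page is genuinely required: HTML-escape the
    untrusted value (including quotes) before it enters the body."""
    safe = html.escape(username, quote=True)
    body = "<html><body>Invalid login for user %s</body></html>" % safe
    return "text/html", body


def is_reflected_unencoded(content_type: str, body: str, value: str) -> bool:
    """Regression check: a response is exposed only when a value carrying
    markup characters appears verbatim in a body served as text/html."""
    carries_markup = any(c in value for c in "<>\"'")
    return carries_markup and content_type.startswith("text/html") and value in body


if __name__ == "__main__":
    handlers = (vulnerable_auth_error, hardened_auth_error_json, hardened_auth_error_html)
    for name in SAMPLE_USERNAMES:
        for handler in handlers:
            ctype, body = handler(name)
            print(handler.__name__, repr(name), "exposed:", is_reflected_unencoded(ctype, body, name))
```

Which hardened form applies depends on whether the endpoint is meant to return HTML at all; for an API endpoint the JSON form removes the rendering context entirely, while escaping is the fallback for a page that must stay text/html.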