Bug#927775: marked as done (monit: CVE-2019-11454 CVE-2019-11455)
Your message dated Mon, 17 Jun 2019 08:48:39 + with message-id and subject line Bug#927775: fixed in monit 1:5.25.2-3+deb10u1 has caused the Debian Bug report #927775, regarding monit: CVE-2019-11454 CVE-2019-11455 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
927775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: monit
Version: 1:5.25.2-3
Severity: important
Tags: security upstream
Control: found -1 1:5.20.0-6

Hi,

The following vulnerabilities were published for monit.

CVE-2019-11454[0]:
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
| Monit before 5.25.3 allows a remote unauthenticated attacker to
| introduce arbitrary JavaScript via manipulation of an unsanitized user
| field of the Authorization header for HTTP Basic Authentication, which
| is mishandled during an _viewlog operation.

CVE-2019-11455[1]:
| A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
| before 5.25.3 allows a remote authenticated attacker to retrieve the
| contents of adjacent memory via manipulation of GET or POST
| parameters. The attacker can also cause a denial of service
| (application outage).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11454
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
[1] https://security-tracker.debian.org/tracker/CVE-2019-11455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: monit
Source-Version: 1:5.25.2-3+deb10u1

We believe that the bug you reported is fixed in the latest version of
monit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev (supplier of updated monit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jun 2019 10:57:40 +0300
Source: monit
Binary: monit monit-dbgsym
Architecture: source amd64
Version: 1:5.25.2-3+deb10u1
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: Sergey B Kirpichev
Changed-By: Sergey B Kirpichev
Description:
 monit      - utility for monitoring and managing daemons or similar programs
Closes: 927775
Changes:
 monit (1:5.25.2-3+deb10u1) testing-proposed-updates; urgency=medium
 .
   * Backport upstream fixes (Closes: #927775):
     + CVE-2019-11454 Persistent cross-site scripting (XSS) in http/cervlet.c
     + CVE-2019-11455 A buffer over-read in Util_urlDecode in util.c
Bug#927775: marked as done (monit: CVE-2019-11454 CVE-2019-11455)
Your message dated Mon, 03 Jun 2019 22:18:46 + with message-id and subject line Bug#927775: fixed in monit 1:5.25.3-1 has caused the Debian Bug report #927775, regarding monit: CVE-2019-11454 CVE-2019-11455 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
927775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: monit
Version: 1:5.25.2-3
Severity: important
Tags: security upstream
Control: found -1 1:5.20.0-6

Hi,

The following vulnerabilities were published for monit.

CVE-2019-11454[0]:
| Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
| Monit before 5.25.3 allows a remote unauthenticated attacker to
| introduce arbitrary JavaScript via manipulation of an unsanitized user
| field of the Authorization header for HTTP Basic Authentication, which
| is mishandled during an _viewlog operation.

CVE-2019-11455[1]:
| A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
| before 5.25.3 allows a remote authenticated attacker to retrieve the
| contents of adjacent memory via manipulation of GET or POST
| parameters. The attacker can also cause a denial of service
| (application outage).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11454
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11454
[1] https://security-tracker.debian.org/tracker/CVE-2019-11455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: monit
Source-Version: 1:5.25.3-1

We believe that the bug you reported is fixed in the latest version of
monit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev (supplier of updated monit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jun 2019 00:35:25 +0300
Source: monit
Binary: monit monit-dbgsym
Architecture: source amd64
Version: 1:5.25.3-1
Distribution: unstable
Urgency: medium
Maintainer: Sergey B Kirpichev
Changed-By: Sergey B Kirpichev
Description:
 monit      - utility for monitoring and managing daemons or similar programs
Closes: 927775
Changes:
 monit (1:5.25.3-1) unstable; urgency=medium
 .
   * New upstream version 5.25.3. Closes: #927775 (CVE-2019-11454 and CVE-2019-11455).
   * Refresh patches
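A common cause of the over-read class reported above as CVE-2019-11455 is a percent-decoder that reads the two bytes after a '%' before confirming they lie inside the input, so a query value ending in "%" or "%4" makes it read past the buffer. The length-checked decoder below is an added example, not Monit's Util_urlDecode or Debian's backported fix; url_decode_safe, decode_len and decodes_to are names chosen for this illustration, and mapping '+' to a space is the usual form-encoding convention rather than anything the bug report states.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode exactly srclen bytes of src into dst (capacity dstcap,
 * NUL-terminated on success). Returns the decoded length, or -1 if an
 * escape is truncated or malformed, or dst is too small. "%XY" is only
 * consumed when all three bytes lie inside the input, so a trailing "%"
 * or "%4" is rejected instead of being read past the end of the buffer. */
long url_decode_safe(const char *src, size_t srclen, char *dst, size_t dstcap) {
    size_t i = 0, o = 0;
    if (dstcap == 0) return -1;
    while (i < srclen) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            if (srclen - i < 3) return -1;   /* bounds check before src[i+1], src[i+2] */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)((hi << 4) | lo);
            i += 3;
        } else {
            if (c == '+') c = ' ';           /* form-encoding convention (assumption) */
            i += 1;
        }
        if (o + 1 >= dstcap) return -1;      /* keep room for the terminating NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (long)o;
}

/* Decoded length of a NUL-terminated value, or -1 when rejected. */
long decode_len(const char *src) {
    char buf[256];
    return url_decode_safe(src, strlen(src), buf, sizeof buf);
}

/* 1 if src decodes exactly to expected, else 0. */
int decodes_to(const char *src, const char *expected) {
    char buf[256];
    long n = url_decode_safe(src, strlen(src), buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}
```

Feeding the decoder constructed values such as "abc%4" or "abc%" returns -1 rather than touching bytes beyond the parameter, which is the behaviour a caller handling GET or POST parameters should require.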