Re: [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes

2015-05-29 Thread Cristovao Cordeiro
Hi,

I think I've sent an email about this many months ago.
Now after the update, this is the output from skipfish:
Summary:
The application is missing the 'httpOnly' cookie attribute

Vulnerability Detection Result:
The cookies
...
are missing the httpOnly attribute.

Impact:
Application

Solution:
Set the 'httpOnly' attribute for any session cookies.

Affected Software/OS:
Application with session handling in cookies.

Vulnerability Insight:
The flaw is due to a cookie is not using the 'httpOnly' attribute. This
allows a cookie to be accessed by JavaScript which could lead to session
hijacking attacks.

Vulnerability Detection Method:
Check all cookies sent by the application for a missing 'httpOnly' attribute
Details:
Missing httpOnly Cookie Attribute


Thanks

Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro


From: Vladimir Vuksan [vli...@veus.hr]
Sent: 28 May 2015 22:57
To: Cristovao Cordeiro; ganglia-develop...@lists.sourceforge.net; Ganglia
Subject: Re: [Ganglia-general] Ganglia-Web 3.7.0 released - includes security 
fixes

Is there an issue open for this and what are the details ?

Vladimir

On 05/28/2015 04:40 AM, Cristovao Cordeiro wrote:
Hi all,

was this issue addressed:
NVT: Missing httpOnly Cookie Attribute
OID: 1.3.6.1.4.1.25623.1.0.105925
Threat: Medium (CVSS: 5.0)
Port: 80/tcp

Because after updating I still have it. Any idea on how to solve it?
Thanks

Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
IT Department - 28/R-018
CERN

From: Vladimir Vuksan [vli...@veus.hr]
Sent: 21 May 2015 20:22
To: ganglia-develop...@lists.sourceforge.net; Ganglia
Subject: [Ganglia-general] Ganglia-Web 3.7.0 released - includes security fixes

Hi all,

Ganglia Web 3.7.0 has been released. Major highlights are

  *   Cubism integration 
https://github.com/ganglia/ganglia-web/wiki/Cubism-integration
  *   Ganglia Reporting 
https://github.com/ganglia/ganglia-web/wiki/Ganglia-Reports
  *   Couple reported XSS issues have been corrected

If you are running Ganglia Web on a publicly accessible server you are strongly 
advised to upgrade ASAP.

You can download latest release from here

https://sourceforge.net/projects/ganglia/files/ganglia-web/

Installation instructions can be found here

https://github.com/ganglia/ganglia-web/wiki#Installation

Vladimir

--
___
Ganglia-general mailing list
Ganglia-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-general
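
The detection method quoted in the scan report above ("check all cookies sent by the application for a missing 'httpOnly' attribute") can be reproduced locally. The following is an added example, not part of the original thread or of Ganglia's code; the `Set-Cookie` values and the `example_*` cookie names are constructed samples.

```python
from typing import Dict, List

# Constructed sample Set-Cookie header values (not captured from a real server).
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; path=/",
    "example_conf=xyz; expires=Sat, 30 May 2015 10:00:00 GMT; path=/; HttpOnly",
    "example_view=1; path=/; httponly",
    "example_theme=dark; Path=/; Secure",
    "example_note=HttpOnly; Path=/",  # the word is in the value, not an attribute
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies that are set without the HttpOnly attribute."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for name in missing_httponly(SAMPLE_SET_COOKIE):
        print(f"cookie {name!r} is set without HttpOnly")
```

Feed it the `Set-Cookie` headers returned by your own deployment. For cookies issued by PHP's session handler, the relevant php.ini directive is `session.cookie_httponly`.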


Re: [Ganglia-general] [Ganglia-developers] Ganglia-Web 3.7.0 released - includes security fixes

2015-05-29 Thread linuxhe
Vladimir and all:

Since it's not easy to set up the environment of the ganglia web frontend, I
tried to add a troubleshooting part for the wiki page of ganglia-web as
follows:

== Trouble shooting ==

* You need to copy `/var/www/ganglia2/apache.conf` (Ubuntu/Debian) or
`/var/www/html/ganglia2/apache.conf` (CentOS/RHEL) to
`/etc/apache2/sites-enabled`.
* In most cases, you need to modify the above apache.conf to make sure
the alias /ganglia refers to `/var/www/ganglia2` (Ubuntu/Debian) or
`/var/www/html/ganglia2` (CentOS/RHEL).
* In most cases, you need to modify
`/var/www/ganglia2/conf_default.php` (Ubuntu/Debian) or
`/var/www/html/ganglia2` (CentOS/RHEL) to make sure `gweb_confdir`
refers to the directory where the `conf` and `dwoo` directories are
located, such as `/var/lib/ganglia-web` or `/var/lib/ganglia`.
* Make sure you have the rrds dir under `gmetad_root`.
* Make sure the above rrds dir is owned by the user `nobody`.

If you guys think this is not bad, how could I push it into the
wiki page? It seems that's not the same process as submitting a patch to
the source code.

Thank you,
-jack




[Ganglia-general] GMOND + SFLOWD functionality

2015-05-29 Thread Sergey
Hi Vladimir,

This is very serious question - is GMOND supposed to retransmit metrics 
received from the local HSFLOWD agent or it just saves them locally for further 
retrieving via TCP connection?
What is the initial project for this?

Thanks!
Serfey Vinnik


[Ganglia-general] error while installing ganglia gmetad service.

2015-05-29 Thread Pradeep K
Dear Team,

I am trying to install Ganglia 3.6.0 in a RHEL 5.5 VM. I have installed
confuse and rrdtool, then I tried to install the gmetad service. I got the
error below and then it terminated.

checking for cfg_parse in -lconfuse... no
Trying harder including gettext
checking for cfg_parse in -lconfuse... no
Trying harder including iconv
checking for cfg_parse in -lconfuse... no
libconfuse not found


Please help me out to fix this issue.

Thanks,
Pradeep


Re: [Ganglia-general] error while installing ganglia gmetad service.

2015-05-29 Thread Vladimir Vuksan

  
  
You need libconfuse library.
  
  Vladimir
  
  On 05/29/2015 02:34 PM, Pradeep K wrote:


  
Dear Team,


I am trying to install Ganglia 3.6.0 in a RHEL 5.5 VM. I have
  installed confuse and rrdtool, then I tried to install the gmetad
  service. I got the error below and then it terminated.


checking for cfg_parse in -lconfuse... no
  Trying harder including gettext
  checking for cfg_parse in -lconfuse... no
  Trying harder including iconv
  checking for cfg_parse in -lconfuse... no
  libconfuse not found




Please help me out to fix this issue.


Thanks,
Pradeep

  
  
  
  


Re: [Ganglia-general] [Ganglia-developers] Ganglia-Web 3.7.0 released - includes security fixes

2015-05-29 Thread Vladimir Vuksan
Thanks Jack. I have integrated your changes into the installation Wiki.

Vladimir

On 05/29/2015 05:16 AM, linu...@linux.vnet.ibm.com wrote:
 Vladimir and all:

 Since it's not easy to set up the environment of the ganglia web frontend, I
 tried to add a troubleshooting part for the wiki page of ganglia-web as
 follows:

 == Trouble shooting ==

 * You need to copy `/var/www/ganglia2/apache.conf` (Ubuntu/Debian) or
 `/var/www/html/ganglia2/apache.conf` (CentOS/RHEL) to
 `/etc/apache2/sites-enabled`.
 * In most cases, you need to modify the above apache.conf to make sure
 the alias /ganglia refers to `/var/www/ganglia2` (Ubuntu/Debian) or
 `/var/www/html/ganglia2` (CentOS/RHEL).
 * In most cases, you need to modify
 `/var/www/ganglia2/conf_default.php` (Ubuntu/Debian) or
 `/var/www/html/ganglia2` (CentOS/RHEL) to make sure `gweb_confdir`
 refers to the directory where the `conf` and `dwoo` directories are
 located, such as `/var/lib/ganglia-web` or `/var/lib/ganglia`.
 * Make sure you have the rrds dir under `gmetad_root`.
 * Make sure the above rrds dir is owned by the user `nobody`.

 If you guys think this is not bad, how could I push it into the
 wiki page? It seems that's not the same process as submitting a patch to
 the source code.

 Thank you,
 -jack


