[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #16 from Ricky Elrod --- Been a few months - any update here? Or anything I (as a community member) can do to help with moving this along? :) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Bug 60112 depends on bug 61413, which changed state. Bug 61413 Summary: New instances are stuck in "The certificate retrieved from the master does not match the agent's private key." https://bugzilla.wikimedia.org/show_bug.cgi?id=61413 What|Removed |Added Status|NEW |RESOLVED Resolution|--- |WONTFIX -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #15 from Tim Landscheidt --- *argl* Forgot to test it; now I see the bugs have expired. I'll test it Real Soon Now(TM) and get back to you if there's anything unsurmountable. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Alexandros Kosiaris changed: What|Removed |Added CC||akosia...@wikimedia.org --- Comment #14 from Alexandros Kosiaris --- Hey Tim, have you contacted the Ubuntu security team? Anything we can do to help? -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Tim Landscheidt changed: What|Removed |Added Depends on||61413 -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #13 from Tim Landscheidt --- No, I don't mind, but I need to test it first at least once :-). I've asked petan for access to the Nagios project on Labs, will set up a new instance there and see if the package I baked works. (Ceterum censeo Debian packaging esse delendam. I simply love Fedora (and other RPM distros) for its cleanliness; on Debian I'm never sure what patches and files end up in the (source) package.) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #12 from Faidon Liambotis --- Hey, that's good stuff! Thanks! Would you mind terribly contacting the Ubuntu security team to offer these code backports? Their usual response is "you're on your own", but if you attach code they might treat it differently, who knows :) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #11 from Tim Landscheidt --- Created attachment 14588 --> https://bugzilla.wikimedia.org/attachment.cgi?id=14588&action=edit Backport fix for CVE-2013-7107. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #10 from Tim Landscheidt --- Created attachment 14587 --> https://bugzilla.wikimedia.org/attachment.cgi?id=14587&action=edit Backport fix for CVE-2013-7108. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #9 from Tim Landscheidt --- Created attachment 14586 --> https://bugzilla.wikimedia.org/attachment.cgi?id=14586&action=edit Backport fix for CVE-2013-7106. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Faidon Liambotis changed: What|Removed |Added CC||fai...@wikimedia.org --- Comment #8 from Faidon Liambotis --- Yes, there are security issues with Icinga that forced us to lock it down temporarily back in December 12th. These are CVE-2013-7106, CVE-2013-7107 & CVE-2013-7108. They are still unfixed in Ubuntu precise (LTS); Icinga is in the universe section, so the Ubuntu security team deals with them on a "best effort" basis (i.e. they might not even update it, at all). The vulnerability status per Ubuntu distribution can be tracked at: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7106.html http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7107.html http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7108.html respectively. Note how they decided to ignore the first one (a CSRF), which shows IMHO a poor judgement from their part. I don't think we can take the time to do a major Icinga version upgrade right now, nor to backport the fixes ourselves. Our current strategy is "wait for Ubuntu", but if anyone wants to help the backporting process (and optionally engage with the Ubuntu security team so others can benefit from that) that'd be awesome. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Andre Klapper changed: What|Removed |Added See Also||https://rt.wikimedia.org/Ti ||cket/Display.html?id=6838 --- Comment #7 from Andre Klapper --- Filed for ops as RT #6838 -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #6 from p858snake --- (In reply to comment #4) > Ok. So we used to have Nagios which anyone could have a look at to see what's > wrong. Someone decided to switch to another tool (Icinga). Now it turns out > that that tool has security issues and public access got disabled? Way to > go. IIRC nagois had security issues as well. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Nemo changed: What|Removed |Added CC||federicol...@tiscali.it --- Comment #5 from Nemo --- It's been so since December. Originally I understood it was a matter of days... 2013-12-20 12.31 < whym> icinga.wikimedia.org now requirs authorization from me. Is this how it's intended to be? 2013-12-20 12.39 < paravoid> whym: there are a couple of security vulnerabilities for icinga in the wild, so we've temporarily locked public access https://gerrit.wikimedia.org/r/#/c/100989/ -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Maarten Dammers changed: What|Removed |Added CC||maar...@mdammers.nl --- Comment #4 from Maarten Dammers --- Ok. So we used to have Nagios which anyone could have a look at to see what's wrong. Someone decided to switch to another tool (Icinga). Now it turns out that that tool has security issues and public access got disabled? Way to go. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Tim Landscheidt changed: What|Removed |Added CC||t...@tim-landscheidt.de --- Comment #3 from Tim Landscheidt --- RobH said in #wikimedia-operations that "there are security issues with icinga iirc". -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 p858snake changed: What|Removed |Added Keywords||ops CC||p858sn...@gmail.com -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 --- Comment #2 from se4598 --- (In reply to comment #1) yep, logging in with wikitech-acc doesn't work for me. Basically all I expect as answer here is a information why it currently on and when it is expected to be disabled again. (icinga is on neon and this has nothing to do with graphite's apparently pending security review, right? bug 54713#c5) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 60112] Icinga has httpauth on (not accessible for public)
https://bugzilla.wikimedia.org/show_bug.cgi?id=60112 Andre Klapper changed: What|Removed |Added Priority|Unprioritized |Normal See Also||https://bugzilla.wikimedia. ||org/show_bug.cgi?id=54713 --- Comment #1 from Andre Klapper --- Logging in works for me with my a Labs / wikitech.wikimedia.org account, but that might just be because I'm in a specific LDAP group, like bug 54713. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l