@jjtrash According to the changelog [1] and the Debian CVE database [2],
it seems that the monit CLI issues its commands to monit through an HTTP server
that can be accessible from outside. The security patch tries to
leverage it by adding a CSRF token to the HTTP call. Without it, it may be
possible to send
This is the same patch I mentioned in comment #28
This works for me in a test environment; it is not extensively tested,
however.
** Patch added: "deduplicate 'action=' in CLI http request"
I think the whole problem is in the latest CVE-2016-7067.patch, which
features a change like this:
- "%s",
+ "securitytoken=%s=%s",
+ token,
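Review bot: the new format string `"securitytoken=%s=%s"` joins `token` and the pre-existing `%s` argument with a literal `=`; since that argument already carries `action=` (as the note below the snippet states), the request ends up containing `securitytoken=<token>=action=...` instead of two separate parameters. If the token and the action are meant to be distinct query parameters, they should be separated with `&` rather than `=`.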
The %s comes from a var which already has an "action=" in it.
I tried locally