@jjtrash According to the changelog [1] and the Debian CVE database [2], it seems that monit CLI issues its commands to monit thru an HTTP server that can be accessible from outside. The security patch tries to leverage it by adding a CSRF token to the HTTP call. Without it may be possible to send commands to monit with a curl from outside.
But, by default this HTTP server, unless configured to do so, binds only to 127.0.0.1, in this case for a non-shared server should be safe. * [1] http://changelogs.ubuntu.com/changelogs/pool/universe/m/monit/monit_5.16-2ubuntu0.1/changelog * [2] https://security-tracker.debian.org/tracker/CVE-2016-7067 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786910 Title: Latest patch breaks command line 'restart all' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/monit/+bug/1786910/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
