Debian Security Advisory 3495-1

Debian Security Advisory 3495-1: Posted Feb 29, 2016; Authored by Debian | Site debian.org; Debian Linux Security Advisory 3495-1 - Markus Krell discovered that xymon, a network and applications monitoring system, was vulnerable to incorrect data handling, incorrect permissions, and various other security issues.; tags | advisory; systems | linux, debian; advisories | CVE-2016-2054, CVE-2016-2055, CVE-2016-2056, CVE-2016-2057, CVE-2016-2058; SHA-256 | 53a0dba24a61cd8d8b2c08030f630e1b8f8ff722b419c80f9a8acbed492ce294; Download | Favorite | View

Debian Security Advisory 3495-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3495-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 29, 2016                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xymon
CVE ID         : CVE-2016-2054 CVE-2016-2055 CVE-2016-2056 CVE-2016-2057 
                 CVE-2016-2058

Markus Krell discovered that xymon, a network- and
applications-monitoring system, was vulnerable to the following
security issues:

CVE-2016-2054

  The incorrect handling of user-supplied input in the "config"
  command can trigger a stack-based buffer overflow, resulting in
  denial of service (via application crash) or remote code execution.

CVE-2016-2055

  The incorrect handling of user-supplied input in the "config"
  command can lead to an information leak by serving sensitive
  configuration files to a remote user.

CVE-2016-2056

  The commands handling password management do not properly validate
  user-supplied input, and are thus vulnerable to shell command
  injection by a remote user.

CVE-2016-2057

  Incorrect permissions on an internal queuing system allow a user
  with a local account on the xymon master server to bypass all
  network-based access control lists, and thus inject messages
  directly into xymon.

CVE-2016-2058

  Incorrect escaping of user-supplied input in status webpages can
  be used to trigger reflected cross-site scripting attacks.

For the stable distribution (jessie), these problems have been fixed in
version 4.3.17-6+deb8u1.

We recommend that you upgrade your xymon packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJW1BdEAAoJEBC+iYPz1Z1kiDQH/RH5jrrLqPp7dEvfrqldNul/
rCHZFIY/7go8qaETNpIx9ctQtAUWS4Z7JU/kv5Al1gkPSML5RoKi2jxUS87lgZVu
EuF9MoKp/N5czX0RYLDHIcI3SHCvOx7iCep+hgFO5xGoI7FwEVsCPRYlFuD9akwa
S7vI9yEIRQL5VmKsZwEerrODDJ0WmO7z1kCgfWOe+1Oaw9e8ijONi6fpZAAsru5e
Y8V8gU7l1s1ShwQmWtac5rBl1QZbhrm6q9Dkxsqadc89aAGGsRsbKYBrGitsOwhK
PkefbW6XeZjHRsKiWHvifpdY5beq9J19rX8B4CbfnDw7Ec9+2OIb8fPxI5hFZ0Q=
=SdgU
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 268 files
indoushka 153 files
Jay Turla 150 files
Ubuntu 66 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 33 files
H D Moore 31 files
Debian 29 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,116)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,039)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,710)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,802)
UNIX (9,448)
UnixWare (187)
Windows (6,762)
Other

Debian Security Advisory 3495-1

Debian Security Advisory 3495-1

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Debian Security Advisory 3495-1

Share This

Debian Security Advisory 3495-1

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems