-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 8 Feb 2016 18:56:24 CET
Source: xymon
Binary: xymon xymon-client
Architecture: source amd64
Version: 4.3.17-6+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 xymon        - monitoring system for systems, networks and applications
 xymon-client - client for the Xymon network monitor
Changes:
 xymon (4.3.17-6+deb8u1) jessie-security; urgency=high
 .
   * Security update. Several issues were reported by Markus Krell:
     + Resolve buffer overflow when handling "config" file requests
       (CVE-2016-2054)
     + Restrict "config" files to regular files inside the $XYMONHOME/etc/
       directory (symlinks disallowed). Also, require that the initial
       filename end in '.cfg' by default. (CVE-2016-2055)
     + Resolve shell command injection vulnerability in useradm CGI
       (CVE-2016-2056)
     + Tighten permissions on the xymond BFQ used for message submission
       to restrict access to the xymon user and group. It is now 0620.
       (CVE-2016-2057)
     + Restrict javascript execution in current and historical status
       messages by the addition of appropriate Content-Security-Policy
       headers to prevent XSS attacks.
       (CVE-2016-2058)
Checksums-Sha256:
Checksums-Sha1:
Files:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----