kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/net/xymon
History
spz 047bb6ad21 update of xymon and xymonclient from 4.3.17 to 4.3.25 
The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
  (symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
  end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
  (CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
  access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
  the addition of appropriate Content-Security-Policy headers to prevent XSS
  attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
  Thank you to Mark Felder for noting the impact and Martin Lenko
  for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
  eliminating the shell script CGI wrappers

Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.
2016-02-16 05:58:56 +00:00
..
files
patches update of xymon and xymonclient from 4.3.17 to 4.3.25 2016-02-16 05:58:56 +00:00
DEINSTALL
DESCR
distinfo update of xymon and xymonclient from 4.3.17 to 4.3.25 2016-02-16 05:58:56 +00:00
INSTALL
Makefile update of xymon and xymonclient from 4.3.17 to 4.3.25 2016-02-16 05:58:56 +00:00
MESSAGE
options.mk
PLIST update of xymon and xymonclient from 4.3.17 to 4.3.25 2016-02-16 05:58:56 +00:00