Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 Apr 2012 18:37:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Helmut Grohne <helmut@...divi.de>, Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>, 668667@...s.debian.org
Subject: Re: CVE Request (minor) -- Two Munin graphing framework
 flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2012 11:16 PM, Helmut Grohne wrote:
> On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
>> On 04/16/2012 11:34 PM, Helmut Grohne wrote:
>>> The basic requirement is that a plugin called vmstat is
>>> configured for the node localhost.localdomain. I just picked it
>>> as an example, cause it is present on my system. In practise
>>> any plugin for any host will do.
>> 
>> Is this the default configuration?
> 
> I am not that sure about the defaults, because I changed them.
> However running a Munin without any plugins is pointless. It is
> like running a mail server that does not transport any mail. You
> don't even have to guess the name of a configured plugin, because
> those images are linked from the html. Finding a configured plugin
> is really no issue on any sane munin installation. Sane
> administrators may have to restricted access to munin to themselves
> as to not expose the monitoring results to the public though.
> 
> Helmut

If anyone can comment on this (default/not), and if you install a
plugin does it expose it publicly or does the administrator have to
enable remote access?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPj141AAoJEBYNRVNeJnmT8d8P/A/A0j1ruHMoKQitgRHMoY/o
c+BIoadQGo5vqoi+wwbLa7gt2ftUQt88ETYILQmL9VkPmgMr9UGnh86eDk66HRnv
vda9+DmVIJ+DfuKsNFQp4uwCr+pwIW+wpCLoB0m2zAuUN0aNYm2wVmKHyRtg6hk6
7dr9lG5464Z5F+qNQqN/x+S0muNklcOL4P0Eu/jxpR8GQSNglU5CVRWUJYJu8Vpv
stIPEaQujiSuw0WVM/t42cYBY0zGmZvT4Ar7AREg/ORj+GPxJqgKR/gG8yvI/QTV
ffk1xaI7ewvjTo2fmCvyLYzUNgGzR2Ih45GKOzbqY2vxhE2DxLxwRUKwd6ntZjpl
qJjidYO4RlSnroQisCjBdscdGgDKdnsDBO3s0mnJ7DxtRUf1CpHX4Ou8v0SeoFxr
slE8w1WMF4I7/G1U6ZlZiM62mnM/xYRzwuoCcMzy5S9MvZRiRlMO8UbJyCyBkoct
QPFr1eHd6Q5UkGeeyGon9xmjPbEdi0abI0fghHvN8p72OKcKzMq3+HCmW1DhrHK/
V+WbewsEiCemlEhYR5Bk3htDOtfytO71KDUTVKg1w56qLe/kBlUBjc7SgHFWxiYS
+f4F+RXaVRi1mAX/qst1Dq9vH78afraPiZvJEBSaon2vR+7uiyYZxf8K/prfz/yn
OwKeVEJDB874Z2tBNQ6H
=bwVP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.