Date: Wed, 18 Apr 2012 18:37:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Helmut Grohne <helmut@...divi.de>, Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, 668667@...s.debian.org
Subject: Re: CVE Request (minor) -- Two Munin graphing framework flaws

On 04/17/2012 11:16 PM, Helmut Grohne wrote:
> On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
>> On 04/16/2012 11:34 PM, Helmut Grohne wrote:
>>> The basic requirement is that a plugin called vmstat is
>>> configured for the node localhost.localdomain. I just picked it
>>> as an example, cause it is present on my system. In practice
>>> any plugin for any host will do.
>>
>> Is this the default configuration?
>
> I am not that sure about the defaults, because I changed them.
> However running a Munin without any plugins is pointless. It is
> like running a mail server that does not transport any mail. You
> don't even have to guess the name of a configured plugin, because
> those images are linked from the html. Finding a configured plugin
> is really no issue on any sane munin installation. Sane
> administrators may have to restricted access to munin to themselves
> as to not expose the monitoring results to the public though.
>
> Helmut

If anyone can comment on this (default/not), and if you install a plugin does it expose it publicly or does the administrator have to enable remote access?

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993