Date: Wed, 18 Apr 2012 18:23:46 -0700
From: Kenyon Ralph <kenyon@...yonralph.com>
To: Kurt Seifried <kseifried@...hat.com>, 668667@...s.debian.org
Cc: oss-security@...ts.openwall.com, Helmut Grohne <helmut@...divi.de>,
	Jan Lieskovsky <jlieskov@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws

On 2012-04-18T18:37:09-0600, Kurt Seifried <kseifried@...hat.com> wrote:
> On 04/17/2012 11:16 PM, Helmut Grohne wrote:
> > On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
> > > On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> > > > The basic requirement is that a plugin called vmstat is
> > > > configured for the node localhost.localdomain. I just picked it
> > > > as an example, because it is present on my system. In practice
> > > > any plugin for any host will do.
> > > 
> > > Is this the default configuration?
> > 
> > I am not that sure about the defaults, because I changed them.
> > However running a Munin without any plugins is pointless. It is
> > like running a mail server that does not transport any mail. You
> > don't even have to guess the name of a configured plugin, because
> > those images are linked from the html. Finding a configured plugin
> > is really no issue on any sane munin installation. Sane
> > administrators may have restricted access to munin to themselves
> > so as not to expose the monitoring results to the public, though.
> > 
> > Helmut
> 
> If anyone can comment on this (default/not), and if you install a
> plugin does it expose it publicly or does the administrator have to
> enable remote access?

The packaging of munin node determines whether it will install
symlinks for enabling plugins. The packaging of munin master
determines whether a configuration for your httpd is installed and
activated.

On Debian, symlinks to enable plugins are installed by default, and an
apache2 configuration is automatically activated. So, on Debian, if
your httpd is publicly-accessible, the munin pages and CGI will be
publicly-accessible.

-- 
Kenyon Ralph
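The thread's point is that a distribution which both enables plugins and activates an httpd configuration for the Munin master leaves the generated pages and the CGI reachable by anyone who can reach the web server. The following Apache fragment is an added example from the editor, not something posted in the thread or shipped by the munin project or Debian; it shows the kind of access restriction Helmut describes ("restrict access to munin to themselves"). The aliases, filesystem paths and the 10.0.0.0/8 trusted range are assumptions chosen for illustration and must be replaced with the locations and networks your installation actually uses.

```apache
# Added example (not from the thread or the munin packaging): limit the Munin
# HTML output and CGI to local and trusted clients instead of serving them to
# every client that can reach the httpd.
#
# Weak form (what an auto-activated config effectively grants):
#     <Directory /path/to/munin/html>
#         Require all granted        # or "Allow from all" on Apache 2.2
#     </Directory>
#
# Hardened form (paths and networks below are assumed placeholders):
Alias /munin /var/cache/munin/www           # assumed: generated HTML and graphs
ScriptAlias /munin-cgi /usr/lib/munin/cgi   # assumed: CGI graphing scripts

<Directory /var/cache/munin/www>
    # Apache 2.4 syntax. On Apache 2.2 use instead:
    #   Order deny,allow
    #   Deny from all
    #   Allow from 127.0.0.1 ::1 10.0.0.0/8
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Directory>

<Directory /usr/lib/munin/cgi>
    Options +ExecCGI
    # The CGI is the component that renders graphs on request, so it gets
    # the same restriction as the static pages.
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Directory>
```

If the monitoring results must be reachable from outside the trusted range, replace or combine the `Require ip` lines with HTTP authentication (`AuthType Basic` plus `Require valid-user`) rather than widening the IP list; either way, verify the result after a package upgrade, since the auto-activated configuration can be reinstalled alongside your local one.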

