[Pkg-monitoring-maintainers] Bug#798213: Bug#798213: ganglia-web: CVE-2015-6816: auth bypass

Daniel Pocock daniel at pocock.pro
Mon Nov 9 12:18:11 UTC 2015


On 08/11/15 18:11, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Sep 06, 2015 at 10:45:29PM +0200, Salvatore Bonaccorso wrote:
>> Source: ganglia-web
>> Version: 3.6.1-1
>> Severity: important
>> Tags: security patch upstream
>>
>> Hi,
>>
>> the following vulnerability was published for ganglia-web.
>>
>> CVE-2015-6816[0]:
>> ganglia-web auth bypass
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2015-6816
>> [1] https://github.com/ganglia/ganglia-web/issues/267
> *ping*?


I did a review of the latest upstream releases (both ganglia-web and the
ganglia agent) and there are some new JavaScript dependencies that need
to be packaged:

https://cdnjs.cloudflare.com/ajax/libs/cubism/1.6.0/cubism.v1.min.js
https://cdnjs.cloudflare.com/ajax/libs/protovis/3.3.1/protovis.min.js
https://cdnjs.cloudflare.com/ajax/libs/jstree/3.2.1/jstree.min.js
Given that we have given users of this package a disclaimer[1] about
security support and advised them to protect the web interface with an
ACL or HTTP authentication, how urgent is resolving this bug?

Regards,

Daniel


1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702775
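The interim protection referred to above (an ACL or HTTP authentication in front of the web interface) looks roughly like the following Apache 2.4 configuration. This is an added illustration, not configuration shipped by the Debian package or taken from the bug report; the install path /usr/share/ganglia-webfrontend, the htpasswd file location and the 192.0.2.0/24 admin network are assumptions to be replaced with local values. It limits who can reach ganglia-web at all, which is what makes the auth bypass less exposed; it does not replace the upstream fix for CVE-2015-6816.

```apache
# Added example (not from the ganglia-web package or the mailing list thread).
# Assumes Apache 2.4 with mod_alias, mod_authz_core, mod_authn_file and
# mod_auth_basic enabled, and ganglia-web installed under
# /usr/share/ganglia-webfrontend (assumed path; adjust to the real location).
Alias /ganglia /usr/share/ganglia-webfrontend

<Directory /usr/share/ganglia-webfrontend>
    AllowOverride None
    Options None

    # HTTP basic authentication. Create the password file with:
    #   htpasswd -c /etc/apache2/ganglia.htpasswd <username>
    # (file location assumed; keep it outside the document root).
    AuthType Basic
    AuthName "Ganglia monitoring"
    AuthUserFile /etc/apache2/ganglia.htpasswd

    # Both conditions must hold: the client comes from the admin network
    # (192.0.2.0/24 is a documentation-range placeholder) AND presents
    # valid credentials. Everything else gets 403/401 before PHP runs.
    <RequireAll>
        Require ip 127.0.0.1 ::1 192.0.2.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Serving the interface over HTTPS is assumed, since basic authentication sends the credentials with every request; with only the ACL the `Require valid-user` line and the Auth* directives can be dropped, and with only authentication the `Require ip` line can be dropped.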