[Pkg-nagios-devel] Bug#865497: Wheezy update of check-mk?

Raphael Hertzog hertzog at debian.org
Thu Jun 22 08:41:14 UTC 2017


Hello Matt,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of check-mk:
https://security-tracker.debian.org/tracker/CVE-2017-9781

Would you like to take care of this yourself?

The code in wheezy is different from the 1.4.x version which has been
patched upstream but I believe that a similar issue must exist since
I have seen no HTML escaping in any code showing errors.

That said it really depends on whether user input ends
up in the error message associated to the various exceptions
and it's hard to tell from a quick look at the code without trying.

The traceback itself seems to be output in <pre>%s</pre> but that doesn't
prevent XSS.

In any case, if you want to handle this yourself, please follow the
workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts at lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of check-mk updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
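The point raised above, that wrapping an error message or traceback in <pre>%s</pre> does nothing to stop script injection, as an added example that is not part of the original mail and is not check-mk's own code. The exception class, the rendering helpers and the tainted value are constructed for illustration; the only assumption borrowed from the mail is the "<pre>%s</pre>" interpolation pattern.

```python
import html
import traceback

# Constructed sample input: a request parameter that ends up inside an error
# message. This is an illustrative payload, not one taken from the report.
TAINTED_INPUT = 'host1"><script>alert(1)</script>'


def failing_lookup(name: str) -> None:
    """Hypothetical helper that echoes user input into its exception message."""
    raise ValueError("unknown host %s" % name)


def render_error_unescaped(exc: Exception) -> str:
    """The pattern the mail describes: message wrapped in <pre> with a bare %s.
    A <pre> element only affects whitespace rendering; the browser still parses
    any tags inside it, so a message carrying user input stays exploitable."""
    return "<pre>%s</pre>" % exc


def render_error_escaped(exc: Exception) -> str:
    """Hardened form: HTML-escape the message before interpolating it."""
    return "<pre>%s</pre>" % html.escape(str(exc), quote=True)


def render_traceback(func, *args, escape: bool) -> str:
    """Render the traceback of a failing call, with or without escaping.
    traceback.format_exc() includes the exception message, so the tainted
    value reaches the page through the traceback as well, not only through
    the message itself."""
    try:
        func(*args)
    except Exception:
        tb = traceback.format_exc()
    else:
        tb = ""
    body = html.escape(tb, quote=True) if escape else tb
    return "<pre>%s</pre>" % body


def contains_active_markup(rendered: str) -> bool:
    """Crude check used here to show the difference: does a raw <script tag
    survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    exc = ValueError("unknown host %s" % TAINTED_INPUT)
    print(render_error_unescaped(exc))   # <script> tag passes through untouched
    print(render_error_escaped(exc))     # rendered as &lt;script&gt;, inert
    print(render_traceback(failing_lookup, TAINTED_INPUT, escape=True))
```

The check is deliberately crude; the real fix is to escape every string interpolated into HTML, not to filter for a particular tag.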
