Comment 33 for bug 1786910

@jjtrash According to the changelog [1] and the Debian CVE database [2], it seems that monit CLI issues its commands to monit thru an HTTP server that can be accessible from outside. The security patch tries to leverage it by adding a CSRF token to the HTTP call. Without it may be possible to send commands to monit with a curl from outside.

But, by default this HTTP server, unless configured to do so, binds only to 127.0.0.1, in this case for a non-shared server should be safe.

* [1] http://changelogs.ubuntu.com/changelogs/pool/universe/m/monit/monit_5.16-2ubuntu0.1/changelog
* [2] https://security-tracker.debian.org/tracker/CVE-2016-7067