Merge munin 2.0.9-1 (main) from Debian experimental

Bug #1089218 reported by Jeremy Bicha on 2012-12-12
Affects: munin (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Please merge munin 2.0.9-1 (main) from Debian experimental

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: privilege escalation via root running plugins
    - debian/patches/CVE-2012-3512.patch: run each plugin in its own
      state directory in Makefile, Makefile.config,
      node/lib/Munin/Node/{OS,Service}.pm, plugins/lib/Munin/Plugin.pm,
      plugins/node.d/*.in,plugins/node.d.linux/*.in.
    - CVE-2012-3512
  * SECURITY UPDATE: remote code execution via bad arguments
    - debian/patches/CVE-2012-3513.patch: use MUNIN_CONFIG env variable
      instead of @ARGV to specify alternate config file in
      master/_bin/munin-cgi-graph.in, master/_bin/munin-cgi-html.in.
    - debian/patches/CVE-2012-3512-regression.patch: Don't rely on
      MUNIN_PLUGSTATE being in the environment as these scripts also get
      run by a cron job in plugins/node.d.linux/apt_all.in,
      plugins/node.d.linux/apt.in.
    - CVE-2012-3513
  * debian/rules: actually apply quilt patches.
  * debian/Makefile.config: added new plugin state directory location.
  * debian/munin-node.{postinst,postrm}: Switch to new plugin state
    directory.
  * debian/patches/fix_ran_out_of_children.patch:
    - Fix occasional "Ran out of children: No child processes" error messages
      (LP: #1009357).
  * Merge from Debian unstable. Remaining changes:
    - d/munin-node.upstart,munin.upstart: Add upstart configurations.

The security updates are in the new version.
The plugin state changes were applied I believe in 2.0.6-1 or -2.
The remaining diff is just the upstart files and the ran_out_of_children patch.

Changelog entries since current raring version 2.0.2-1ubuntu3:

munin (2.0.9-1) experimental; urgency=low

  * New upstream bugfix release(s).
    - Drop all debian/patches/ (except 100-DejaVu-Fonts-Path.patch) as they
      were included in 2.0.7-2.0.9.
  * Remove libcgi-fast-perl from munin's depends.
  * Add libapache2-mod-fcgid to munin's suggests.
  * Support libapache2-mod-fcgid in /etc/munin/apache.conf out of the box
    (Closes: #695228), remove configuration for libapache2-mod-fastcgi as it's
    non-free.
  * debian/rules: set MUNIN_VERSION correctly during build. (Closes: #694527)

 -- Holger Levsen <email address hidden> Tue, 11 Dec 2012 22:33:55 +0100

munin (2.0.6-2) UNRELEASED; urgency=low

  * munin-node.postinst: delete /var/lib/munin(-node)/plugin-state recursively
    on purge. The plugin-state is outdated after a few minutes anyway.
    (Closes: #687715)
  * Fix "/etc/apache2/conf.d/munin removed on upgrade":
    - debian/munin.postinst: create symlink for new installs and also for
      upgrades from versions where it was still removed (up to 1.4.6-3) but
      not re-created (from 1.4.6-1 onwards). Thanks to Gregor Herrman for the
      patch and intrigeri for reviewing. (Closes: #677943)
  * Add documentation for munin-async, thanks to Daniel Black.
    (Closes: #681803)
  * Patch node/munin-node.conf.in to allow incoming IPv6 from localhost,
    mostly to document that IPv6 addresses are allowed as well. Thanks to
    Daniel Black. (Closes: #676798)
    This is debian/patches/238-munin-node-ipv6allow.patch
  * HTMLConfig.pm: cherry-pick 789c59e from 2.0.7 to avoid (using the default
    configuration) /var/log/munin/munin-html.log being flooded with 106 lines
    of noisy warnings (out of 112 lines in total) every 5min. (Closes: #689291)
    This is debian/patches/239-fix-too-many-warnings-in-munin-graph.log.patch
  * munin-doc: Break and replace munin-common << 2. (Closes: #694355)
  * selinux_avcstat plugin: Do not use the "read without variable" bashism,
    thanks to intrigeri for the patch. (Closes: #690711)
    This is 240-Do-not-use-the-read-without-variable-bashism.patch
  * Have master support multi-homed nodes that only listen on IPv4.
    (Closes: #678662) This is upstream commit a18229c5, thanks to Michael
    Renner for the testing and the patch!
    This is debian/patches/241-master-connect-to-AAAA-and-A-address.patch
  * Fix wrong assumption about Net::SSLeay::CTX_set_options return value.
    Thanks to intrigeri for this patch. (Closes: #675377)
    This is 242-Fix-wrong-assumption-about-Net-SSLeay-CTX_set_option.patch
  * http_loadtime plugin: fix stderr redirection (which broke the plugin
    completely) (Closes: #691448)
    This is 243-http_loadtime-fixed-stderr-redirection-with-time.patch
  * apt_all plugin: the apt_all plugin has its state updated in cron. There
    the ENV var MUNIN_PLUGSTATE doesn't exist, so we need to set a default.
    (Closes: #687495). This has been included in 2.0.7 and is
    debian/patches/244-fix-apt_all-plugin-statedir-for-cron.patch
  * munin-async.init: Run munin-async after munin-node has been started.
    (Closes: #691390) - Thanks to Daniel Black for this and the next two
    fixes:
  * munin-async.postinst: fix /var/lib/munin-async ownership (once on upgrades
    from previous versions) and for new installs. (Closes: #691309)
  * munin-async.logrotate: correct location of munin-async logfiles.
    (Closes: #691758)
  * Use dh --with quilt so that the patches are actually applied.
    (Closes: #691327)
  * Drop 101-suppress-occasional-unknown-states-to-avoid-alerts.patch which
    is included since munin 1.4.4.

 -- Holger Levsen <email address hidden> Sat, 15 Sep 2012 14:02:44 +0200

munin (2.0.6-1) unstable; urgency=high

  * New upstream release 2.0.6, switching back to cron graphing (as it is better
    for small setups) and besides that only containing bugfixes, but many of
    them. See the upstream ChangeLog for the full list.
    - munin-node: more secure state file handling, introducing a new plugin
      state directory root, owned by uid 0. Then each plugin runs in its own
      UID plugin state directory, owned by the said UID. (Closes: #684075),
      (Closes: #679897), closes CVE-2012-3512.
      So all properly written plugins will use
      /var/lib/munin-node/plugin-state/$uid/$some_file now - please report
      plugins that are still using /var/lib/munin/plugin-state/ - as those
      might pose a security risk!
    - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076),
      thanks to Helmut Grohne <email address hidden>
    - munin-cron: call munin-graph with --cron argument (Closes: #685343)
    - Master/Node.pm: fix _node_read_fast() to accept all valid returns
      (Closes: #686089) and _do_connect() to not use an uninitialized
      variable. (Closes: #686090)
    - munin-async: make spoolread less restrictive about (valid) plugin names
      (Closes: #686093)
  * Update Location and Scriptalias in shipped apache.conf to fix a regression
    introduced in fixing #682869.
  * munin-node.postinst: don't create /var/lib/munin/plugin-state anymore as
    munin-node now uses /var/lib/munin-nodes/plugin-state and subdirs and
    handles creation by itself.
  * debian/rules: workaround bug in upstream Makefile targets to move
    /var/lib/async from munin-node package to munin-async.
  * debian/control:
    - make munin-async depend on munin-node for now.
    - update Vcs: headers to point to an up-to-date repository.
  * Remove build/resources/apache-cgi.conf from munin.docs as it's outdated.
  * update munin.NEWS to reflect that everybody using cgi graphing needs to
    update the configuration files and that cron graphing is the default
    again. (cgi graphing was the default from pre-2.0 until 2.0.5)

 -- Holger Levsen <email address hidden> Mon, 03 Sep 2012 12:42:09 +0000

munin (2.0.5-1) unstable; urgency=low

  [ Holger Levsen ]
  * New upstream versions, fixing lots of bugs (including a regression in
    munin-cgi-graph preventing it from caching at all (Closes: #683064))
    and adding documentation and manpages. See upstream ChangeLog for the
    full list.
  * Remove workaround concerning java-plugins (667493) in debian/rules
    as upstream has fixed this in e7e29c4 in 2.0.3.
  * munin-async.init:
    - run munin-async as munin-async user (Closes: #684171)
    - use stop function from munin-node.init to make it actually stop it
      (Closes: #684170). In the future we should replace both initscripts with
      saner rewrites.

  [ Helmut Grohne ]
  * Move cgi scripts to /usr/lib/munin/cgi. (Closes: #682869)

 -- Holger Levsen <email address hidden> Tue, 14 Aug 2012 19:12:54 +0200
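The per-UID plugin state layout from the 2.0.6 entry above (/var/lib/munin-node/plugin-state/$uid/...) and the cron fallback from the apt_all item (MUNIN_PLUGSTATE is exported by munin-node but absent under cron), written out as an added example. This is not munin's own code: a plugin resolves its state file from MUNIN_PLUGSTATE, derives the per-UID directory itself when that variable is missing, and refuses a state directory that is not owned by the calling user or that other users can write to. PLUGSTATE_ROOT is an assumed name (munin takes the real location from Makefile.config), and the ownership check relies on GNU stat(1).

```shell
#!/bin/sh
# Added example, not munin's own code. Resolve a plugin's state file under the
# per-UID layout and check that the directory is safe to use.

# Assumed default; munin's real value comes from Makefile.config.
PLUGSTATE_ROOT="${PLUGSTATE_ROOT:-/var/lib/munin-node/plugin-state}"

# Directory the plugin may keep state in. munin-node exports MUNIN_PLUGSTATE;
# a cron job does not, so derive the per-UID directory in that case.
plugin_state_dir() {
    if [ -n "${MUNIN_PLUGSTATE:-}" ]; then
        printf '%s\n' "$MUNIN_PLUGSTATE"
    else
        printf '%s/%s\n' "$PLUGSTATE_ROOT" "$(id -u)"
    fi
}

# Full path of the state file for plugin $1.
plugin_state_file() {
    printf '%s/%s.state\n' "$(plugin_state_dir)" "$1"
}

# Succeeds only if $1 is an existing directory owned by the current uid that
# is neither group- nor world-writable. A directory another user can write to
# is the shared-state problem the 2.0.6 layout was introduced to remove, so
# anything else is treated as unsafe. Uses GNU stat(1).
state_dir_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    owner=$(stat -c %u "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    mode=$(stat -c %a "$dir" 2>/dev/null) || return 1
    # Group digit (second to last) or other digit (last) with the write bit
    # set is 2, 3, 6 or 7 in octal.
    case "$mode" in
        *[2367]? | *[2367]) return 1 ;;
    esac
    return 0
}

# Usage: sh statefile.sh <plugin-name>
# Prints the state file path, or fails if the directory is missing or unsafe.
if [ -n "${1:-}" ]; then
    file=$(plugin_state_file "$1")
    if state_dir_is_safe "$(dirname "$file")"; then
        printf '%s\n' "$file"
    else
        printf 'unsafe or missing state directory for %s\n' "$file" >&2
        exit 1
    fi
fi
```

Under munin-node the directory is created and owned for the plugin's uid before the plugin runs, so the safety check normally passes; the check matters for plugins that are also run from cron or by hand, where nothing has prepared the directory and a leftover world-writable /var/lib/munin/plugin-state would otherwise be used silently.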

Jeremy Bicha (jbicha) wrote :
Changed in munin (Ubuntu):
importance: Undecided → Wishlist

Jeremy Bicha (jbicha) wrote :

remaining diff with Debian

Benjamin Drung (bdrung) wrote :

Thanks for your work. I uploaded it with a few modifications (uploaded Debian-Ubuntu diff attached):
1) Setting suite to raring.
2) Closing this bug with your changelog entry.
3) Adding the previous Ubuntu changelog entries back.

Changed in munin (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package munin - 2.0.9-1ubuntu1

---------------
munin (2.0.9-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable (LP: #1089218). Remaining changes:
    - d/munin-node.upstart,munin.upstart: Add upstart configurations.
    - debian/patches/fix_ran_out_of_children.patch:
      + Fix occasional "Ran out of children: No child processes" error messages
        (LP: #1009357).


Changed in munin (Ubuntu):
status: Fix Committed → Fix Released