=== modified file 'debian/Makefile.config' --- debian/Makefile.config 2012-12-12 01:58:22 +0000 +++ debian/Makefile.config 2012-12-12 01:58:42 +0000 @@ -8,9 +8,8 @@ DBDIRNODE = $(DESTDIR)/var/lib/munin-node LOGDIR = $(DESTDIR)/var/log/munin MANDIR = $(PREFIX)/share/man - -CGIDIR = $(DESTDIR)/usr/lib/cgi-bin - +SPOOLDIR = $(DESTDIR)/var/lib/munin-async +CGIDIR = $(DESTDIR)/usr/lib/munin/cgi LIBDIR = $(PREFIX)/share/munin JAVALIBDIR = $(DESTDIR)/usr/share/munin === modified file 'debian/changelog' --- debian/changelog 2012-12-12 01:58:22 +0000 +++ debian/changelog 2012-12-12 02:01:33 +0000 @@ -1,41 +1,136 @@ -munin (2.0.2-1ubuntu3) raring; urgency=low - - * SECURITY UPDATE: privilege escalation via root running plugins - - debian/patches/CVE-2012-3512.patch: run each plugin in their own - state directory in Makefile, Makefile.config, - node/lib/Munin/Node/{OS,Service}.pm, plugins/lib/Munin/Plugin.pm, - plugins/node.d/*.in,plugins/node.d.linux/*.in. - - CVE-2012-3512 - * SECURITY UPDATE: remote code exection via bad arguments - - debian/patches/CVE-2012-3513.patch: use MUNIN_CONFIG env variable - instead of @ARGV to specify alternate config file in - master/_bin/munin-cgi-graph.in, master/_bin/munin-cgi-html.in. - - debian/patches/CVE-2012-3512-regression.patch: Don't rely on - MUNIN_PLUGSTATE being in the environment as these scripts also get - run by a cron job in plugins/node.d.linux/apt_all.in, - plugins/node.d.linux/apt.in. - - CVE-2012-3513 - * debian/rules: actually apply quilt patches. - * debian/Makefile.config: added new plugin state directory location. - * debian/munin-node.{postinst,postrm}: Switch to new plugin state - directory. - - -- Marc Deslauriers Mon, 05 Nov 2012 09:28:03 -0500 - -munin (2.0.2-1ubuntu2) quantal; urgency=low - - * debian/patches/fix_ran_out_of_children.patch: - - Fix occasional "Ran out of children: No child processes" error messages - (LP: #1009357). - - -- Petri Lehtinen Wed, 03 Oct 2012 15:33:15 -0400 - -munin (2.0.2-1ubuntu1) quantal; urgency=low +munin (2.0.9-1ubuntu1) UNRELEASED; urgency=low * Merge from Debian unstable. Remaining changes: - d/munin-node.upstart,munin.upstart: Add upstart configurations. - - -- Logan Rosen Sun, 22 Jul 2012 14:19:53 -0400 + - debian/patches/fix_ran_out_of_children.patch: + + Fix occasional "Ran out of children: No child processes" error messages + (LP: #1009357). + + -- Jeremy Bicha Tue, 11 Dec 2012 21:00:30 -0500 + +munin (2.0.9-1) experimental; urgency=low + + * New upstream bugfix release(s). + - Drop all debian/patches/ (except 100-DejaVu-Fonts-Path.patch) as they + were included in 2.0.7-2.0.9. + * Remove libcgi-fast-perl from munin's depends. + * Add libapache2-mod-fcgid to munin's suggests. + * Support libapache2-mod-fcgid in /etc/munin/apache.conf out of the box + (Closes: #695228), remove configuration for libapache2-mod-fastcgi as it's + non-free. + * debian/rules: set MUNIN_VERSION correctly during build. (Closes: #694527) + + -- Holger Levsen Tue, 11 Dec 2012 22:33:55 +0100 + +munin (2.0.6-2) UNRELEASED; urgency=low + + * munin-node.postinst: delete /var/lib/munin(-node)/plugin-state recursively + on purge. The plugin-state is outdated after a few minutes anyway. + (Closes: #687715) + * Fix "/etc/apache2/conf.d/munin removed on upgrade": + - debian/munin.postinst: create symlink for new installs and also for + upgrades from versions where it was still removed (up to 1.4.6-3) but + not re-created (from 1.4.6-1 onwards). Thanks to Gregor Herrman for the + patch and intrigeri for reviewing. (Closes: #677943) + * Add documentation for munin-async, thanks to Daniel Black. + (Closes: #681803) + * Patch node/munin-node.conf.in to allow incoming IPv6 from localhost, + mostly to document that IPv6 addresses are allowed as well. Thanks to + Daniel Black. (Closes: #676798) + This is debian/patches/238-munin-node-ipv6allow.patch + * HTMLConfig.pm: cherry-pick 789c59e from 2.0.7 to avoid (using the default + configuration) /var/log/munin/munin-html.log being flooded with 106 lines + of noisy warnings (out of 112 lines in total) every 5min. (Closes: #689291) + This is debian/patches/239-fix-too-many-warnings-in-munin-graph.log.patch + * munin-doc: Break and replace munin-common << 2. (Closes: #694355) + * selinux_avcstat plugin: Do not use the "read without variable" bashism, + thanks to intrigeri for the patch. (Closes: #690711) + This is 240-Do-not-use-the-read-without-variable-bashism.patch + * Have master support multi-homed nodes that only listen on IPv4. + (Closes: #678662) This is upstream commit a18229c5, thanks to Michael + Renner for the testing and the patch! + This is debian/patches/241-master-connect-to-AAAA-and-A-address.patch + * Fix wrong assumption about Net::SSLeay::CTX_set_options return value. + Thanks to intrigeri for this patch. (Closes: #675377) + This is 242-Fix-wrong-assumption-about-Net-SSLeay-CTX_set_option.patch + * http_loadtime plugin: fix stderr redirection (which broke the plugin + completely) (Closes: #691448) + This is 243-http_loadtime-fixed-stderr-redirection-with-time.patch + * apt_all plugin: the apt_all plugin has its state updated in cron. There + the ENV var MUNIN_PLUGSTATE doesn't exist, so we need to set a default. + (Closes: #687495). This has been in included in 2.0.7 and is + debian/patches/244-fix-apt_all-plugin-statedir-for-cron.patch + * munin-async.init: Run munin-async after munin-node has been started. + (Closes: #691390) - Thanks to Daniel Black for this and the next two + fixes: + * munin-async.postinst: fix /var/lib/munin-async ownership (once on upgrades + from previous versions) and for new installs. (Closes: #691309) + * munin-async.logrotate: correct location of munin-async logfiles. + (Closes: #691758) + * Use dh --with quilt so that the patches are actually applied. + (Closes: #691327) + * Drop 101-suppress-occasional-unknown-states-to-avoid-alerts.patch which + is included since munin 1.4.4. + + -- Holger Levsen Sat, 15 Sep 2012 14:02:44 +0200 + +munin (2.0.6-1) unstable; urgency=high + + * New upstream release 2.0.6, switching back to cron graphing (as it better + for small setups) and besides that only containing bugfixes, but many of + them. See the upstream ChangeLog for the full list. + - munin-node: more secure state file handling, introducing a new plugin + state directory root, owned by uid 0. Then each plugin runs in its own + UID plugin state directory, owned by the said UID. (Closes: #684075), + (Closes: #679897), closes CVE-2012-3512. + So all properly written plugins will use + /var/lib/munin-node/plugin-state/$uid/$some_file now - please report + plugins that are still using /var/lib/munin/plugin-state/ - as those + might pose a security risk! + - munin-cgi-graph: ignore @ARGV to fix CVE-2012-3513 (Closes: #684076), + thanks to Helmut Grohne + - munin-cron: call munin-graph with --cron argument (Closes: #685343) + - Master/Node.pm: fix _node_read_fast() to accept all valid returns + (Closes: #686089) and _do_connect() to not use an uninitialized + variable. (Closes: #686090) + - munin-async: make spoolread less restrictive about (valid) plugin names + (Closes: #686093) + * Update Location and Scriptalias in shipped apache.conf to fix a regression + introduced in fixing #682869. + * munin-node.postinst: don't create /var/lib/munin/plugin-state anymore as + munin-node now uses /var/lib/munin-nodes/plugin-state and subdirs and + handles creation by itself. + * debian/rules: workaround bug in upstream Makefile targets to move + /var/lib/async from munin-node package to munin-async. + * debian/control: + - make munin-async depend on munin-node for now. + - update Vcs: headers to point to an uptodate repository. + * Remove build/resources/apache-cgi.conf from munin.docs as it's outdated. + * update munin.NEWS to reflect that everybody using cgi graphing needs to + update the configuration files and that cron graphing is the default + again. (cgi graphing was the default from pre-2.0 until 2.0.5) + + -- Holger Levsen Mon, 03 Sep 2012 12:42:09 +0000 + +munin (2.0.5-1) unstable; urgency=low + + [ Holger Levsen ] + * New upstream versions, fixing lots of bugs (including a regression in + munin-cgi-graph preventing it from caching at all (Closes: #683064)) + and adding documentation and manpages. See upstream ChangeLog for the + full list. + * Remove workaround concerning java-plugins (667493) in debian/rules + as upstream has fixed this in e7e29c4 in 2.0.3. + * munin-async.init: + - run munin-async as munin-async user (Closes: #684171) + - use stop function from munin-node.init to make it actually stop it + (Closes: #684170). In the future we should replace both initscripts with + saner rewrites. + + [ Helmut Grohne ] + * Move cgi scripts to /usr/lib/munin/cgi. (Closes: #682869) + + -- Holger Levsen Tue, 14 Aug 2012 19:12:54 +0200 munin (2.0.2-1) unstable; urgency=low @@ -50,13 +145,6 @@ -- Holger Levsen Sat, 21 Jul 2012 12:43:33 -0600 -munin (2.0.1-1ubuntu1) quantal; urgency=low - - * Merge from Debian unstable. Remaining changes: - - d/munin-node.upstart,munin.upstart: Add upstart configurations. - - -- James Page Mon, 02 Jul 2012 14:15:42 +0100 - munin (2.0.1-1) unstable; urgency=low * New upstream version. @@ -68,13 +156,6 @@ -- Holger Levsen Thu, 21 Jun 2012 00:29:37 +0200 -munin (2.0.0-1ubuntu1) quantal; urgency=low - - * Resync with Debian unstable. - * d/munin-node.upstart,munin.upstart: Add upstart configurations. - - -- James Page Mon, 11 Jun 2012 12:54:28 +0100 - munin (2.0.0-1) unstable; urgency=medium * New upstream version. Roughly eight years after munin 1.0 there is now @@ -1008,7 +1089,7 @@ 1.2.3 has been merged into the upstream tree. -- Tore Anderson Tue, 13 Dec 2005 18:21:59 +0100 - + munin (1.2.3-3) unstable; urgency=medium * debian/munin.preinst (removed), debian/munin.postinst, debian/munin.postrm, @@ -1060,7 +1141,7 @@ - Made the munin package depend on librrds-perl in versions 1.2 or above. -- Tore Anderson Wed, 31 Aug 2005 09:11:47 +0200 - + munin (1.2.3-1) unstable; urgency=medium * New upstream release, targeted at Sarge. @@ -1541,10 +1622,9 @@ * Standards-Version 3.6.0, no changes required. -- Tore Anderson Mon, 14 Jul 2003 20:39:18 +0200 - + lrrd (0.9.6-1) unstable; urgency=low * Initial release, closes: #169079. -- Tore Anderson Sat, 31 May 2003 17:15:35 +0200 - === modified file 'debian/control' --- debian/control 2012-12-12 01:58:22 +0000 +++ debian/control 2012-12-12 02:13:14 +0000 @@ -11,8 +11,8 @@ Build-Depends: debhelper (>=8), quilt Standards-Version: 3.9.3 Homepage: http://munin-monitoring.org -Vcs-svn: svn://munin-monitoring.org/munin/branches/debian/wheezy -Vcs-Browser: http://munin-monitoring.org/browser/ +Vcs-Git: git://anonscm.debian.org/collab-maint/munin.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git Package: munin-node Architecture: all @@ -97,9 +97,9 @@ Package: munin Architecture: all -Depends: ${perl:Depends}, ${misc:Depends}, perl-modules | libparse-recdescent-perl, librrds-perl (>= 1.2), libhtml-template-perl, libdigest-md5-perl, libtime-hires-perl, libstorable-perl, rrdtool, adduser, liblog-log4perl-perl (>= 1.18), ttf-dejavu, munin-common (>= ${binary:Version}), cron, libdate-manip-perl, libcgi-fast-perl, libfile-copy-recursive-perl, liburi-perl, libio-socket-inet6-perl +Depends: ${perl:Depends}, ${misc:Depends}, perl-modules | libparse-recdescent-perl, librrds-perl (>= 1.2), libhtml-template-perl, libdigest-md5-perl, libtime-hires-perl, libstorable-perl, rrdtool, adduser, liblog-log4perl-perl (>= 1.18), ttf-dejavu, munin-common (>= ${binary:Version}), cron, libdate-manip-perl, libfile-copy-recursive-perl, liburi-perl, libio-socket-inet6-perl Recommends: munin-node, munin-doc -Suggests: www-browser, httpd, libnet-ssleay-perl +Suggests: www-browser, httpd, libnet-ssleay-perl, libapache2-mod-fcgid Description: network-wide graphing framework (grapher/gatherer) Munin is a highly flexible and powerful solution used to create graphs of virtually everything imaginable throughout your network, while still @@ -136,8 +136,7 @@ Package: munin-async Architecture: all -Depends: ${perl:Depends}, ${misc:Depends}, perl-modules, adduser, munin-common (>= ${binary:Version}) -Recommends: munin-node +Depends: ${perl:Depends}, ${misc:Depends}, perl-modules, adduser, munin-common (>= ${binary:Version}), munin-node Description: network-wide graphing framework (async master/client) Munin is a highly flexible and powerful solution used to create graphs of virtually everything imaginable throughout your network, while still @@ -154,6 +153,8 @@ Section: doc Architecture: all Depends: ${perl:Depends}, ${misc:Depends} +Breaks: munin-common (<< 2) +Replaces: munin-common (<< 2) Description: network-wide graphing framework (documentation) Munin is a highly flexible and powerful solution used to create graphs of virtually everything imaginable throughout your network, while still === added file 'debian/munin-async.README.Debian' --- debian/munin-async.README.Debian 1970-01-01 00:00:00 +0000 +++ debian/munin-async.README.Debian 2012-12-12 01:58:42 +0000 @@ -0,0 +1,130 @@ +***** Installing munin-async ***** + +When using munin, one often runs into one of two problems: + * There are so many nodes to update, the update takes more than the + update interval + * Some servers may be connected over flaky lines, so an update may be lost + due to timeout + +With version 2.0, the designers of munin have started addressing those +problems. Today we look at one part of that solution, munin-async. Note that I +am using the packages from Debian testing. Your experience on other OSs +may vary. Here are the steps I needed to take in order for the client to +collect munin-async data from the various servers: + +**** Install munin-async on the monitored machines AND the graphing server **** + +The munin-async Debian package contains both the client AND the server scripts +for async work. This is not consistent, since previously all the data fetching +scripts were in the munin package, and all the data serving scripts were in the +munin-node package. It also means that you have to install munin-async +(creating the munin-async user, with its own entry in passwd file and its +shell set to /bin/bash) on the server, not just on the clients. I don’t like +leaving that open. + +(on remote machine and on server) +apt-get install munin-async + +**** Start munin-asyncd on servers where data is to be collected **** + +(on remote machine) service munin-async start + +**** Prepare the master for using ssh to connect to servers **** + +Change the shell of the munin user to bash so you can do these changes as the +munin user: +vipw +su - munin +cd /var/lib/munin +mkdir .ssh +cd .ssh +ssh-keygen -q -N "" -f /var/lib/munin/.ssh/id_rsa +cat /var/lib/munin/.ssh/id_rsa.pub + +Place the ssh public key in /var/lib/munin/.ssh) (on the remote machine) + +mkdir /var/lib/munin-async/.ssh + +(on the server) +scp /var/lib/munin/.ssh/id_rsa.pub root@example.net:/var/lib/munin-async/.ssh/authorized_keys +chown -R munin:munin /var/lib/munin/.ssh + +ssh munin-async@example.net +exit + +Note that you need to check the connection for EVERY host from which you intend +to collect data in the async manner. munin is NOT handling this dialogue: +The authenticity of host 'example.net (2600:more:fool:you:f9b)' can't be +established. +RSA key fingerprint is 61:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa. +Are you sure you want to continue connecting (yes/no)? yes +Warning: Permanently added 'example.net,2600:moore:fool:you:f9b' (RSA) to the +list of known hosts. + +So you need to log in “by hand” first, from the user munin, in order to record +the key. Or you need to copy the key from antoher known_hosts file, which may +be tricky. Now change the shell of munin back to /bin/false, for security. + +chsh -s /bin/false munin + +**** Change the system definition in /etc/munin/munin.conf **** + +(or, as I prefer to do it, in /etc/munin/munin-conf.d/hostlist.conf ). +[async.my-machine.net] + address ssh://munin-async@example.net /usr/share/munin/munin-async --spooldir +/var/lib/munin/spool --spoolfetch + use_node_name yes + +I am using async in the definition name merely so that I can compare the data +from the two collection methods. + +**** Security enhancement **** +To prevent your monitored server being compromised if someone manages to break +into your munin collection server, you should edit the /var/lib/munin- +async/.ssh/authorized_keys file and add + +no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc,command="/usr/sbin/munin-async  --spooldir /var/lib/munin/spool --spoolfetch" + +to the beginning of the relevant line. Additionally consider from="(remote machine IPs)". + +**** Adding plugins **** + +When you add a plugin, it won’t be visible unless you first restart munin-node +and THEN munin-async. + +**** Troubleshooting tips **** + +If you haven’t logged in to the host “by hand” or added its keys to +known_hosts some other way, the fetch will fail. The only log in the munin- +update file will say something like: + +Socket read from async.example.net failed. A Terminating process. at /usr/ +share/perl5/Munin/Master/UpdateWorker.pm line ... +Another possible cause of mysterious failure to fetch data from the remote host +(that does not give a clear error message) is munin-asyncd not running on the +target server, or having no prefetched data yet. + +**** Additional ideas **** + +Balint Deak suggested in a post on the munin-users mailing list: What I would +add to this is that if you have many hosts, or hosts are added on a daily +basis, it may be annoying to always remember to log in to each new box and say +“yes” at the prompt. + +If you create a config file for ssh in the $HOME/.ssh/config for the user that +runs the master (defaults to ‘munin’) and tell ssh not to check the host key +when authenticating, then no prompt will be displayed even for new or unknown +hosts. + +Add something like: +Host * +  UserKnownHostsFile=/dev/null +  StrictHostKeyChecking=no + +I don’t think this makes the setup less secure, but it would make the +automation of adding new hosts to the system easier. + +Regards, +Balint + +From http://www.matija.si/system-administration/2012/07/15/installing-munin-async/ with edits from Daniel Black === modified file 'debian/munin-async.init' --- debian/munin-async.init 2012-12-12 01:58:22 +0000 +++ debian/munin-async.init 2012-12-12 01:58:42 +0000 @@ -1,8 +1,8 @@ #! /bin/sh ### BEGIN INIT INFO # Provides: munin-async -# Required-Start: $network $named $local_fs $remote_fs -# Required-Stop: $network $named $local_fs $remote_fs +# Required-Start: $network $named $local_fs $remote_fs munin-node +# Required-Stop: $network $named $local_fs $remote_fs munin-node # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Munin asynchronous server @@ -19,6 +19,7 @@ NAME=munin-asyncd DAEMON=/usr/share/munin/$NAME DAEMON_ARGS="" +DAEMON_USER="munin-async" PIDFILE=/var/run/munin/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME @@ -44,14 +45,11 @@ # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + start-stop-daemon --start --background --make-pidfile --pidfile $PIDFILE --chuid $DAEMON_USER --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ + start-stop-daemon --start --background --make-pidfile --pidfile $PIDFILE --chuid $DAEMON_USER --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. } # @@ -59,25 +57,36 @@ # do_stop() { - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" + # killproc() doesn't try hard enough if the pid file is missing, + # so create it is gone and the daemon is still running + if [ ! -r $PIDFILE ]; then + pid=$(pidofproc -p $PIDFILE $DAEMON) + if [ -z "$pid" ]; then + [ "$VERBOSE" != no ] && log_progress_msg "stopped beforehand" + log_end_msg 0 + return 0 + fi + echo $pid 2>/dev/null > $PIDFILE + if [ $? -ne 0 ]; then + log_end_msg 1 + return 1 + fi + fi + killproc -p $PIDFILE /usr/bin/munin-node + ret=$? + # killproc() isn't thorough enough, ensure the daemon has been + # stopped manually + attempts=0 + until ! pidofproc -p $PIDFILE $DAEMON >/dev/null; do + attempts=$(( $attempts + 1 )) + sleep 0.05 + [ $attempts -lt 20 ] && continue + log_end_msg 1 + return 1 + done + [ $ret -eq 0 ] && [ "$VERBOSE" != no ] && log_progress_msg "done" + log_end_msg $ret + return $ret } # @@ -89,7 +98,7 @@ # restarting (for example, when it is sent a SIGHUP), # then implement that here. # - start-stop-daemon --stop --signal 1 --background --make-pidfile --quiet --pidfile $PIDFILE --name $NAME + start-stop-daemon --stop --signal 1 --background --make-pidfile --quiet --pidfile $PIDFILE --exec $DAEMON return 0 } === modified file 'debian/munin-async.logrotate' --- debian/munin-async.logrotate 2012-12-12 01:58:22 +0000 +++ debian/munin-async.logrotate 2012-12-12 01:58:42 +0000 @@ -1,9 +1,9 @@ -/var/lib/munin/spool/*.0 { +/var/lib/munin-async/*.0 { daily missingok rotate 7 compress copytruncate notifempty - create 640 munin adm + create 640 munin-async munin-async } === modified file 'debian/munin-async.postinst' --- debian/munin-async.postinst 2012-12-12 01:58:22 +0000 +++ debian/munin-async.postinst 2012-12-12 01:58:42 +0000 @@ -15,9 +15,17 @@ fi } +initperms() { + chown munin-async:munin-async /var/lib/munin-async +} + case "$1" in configure) add_munin_async_user + # this can go away after wheezy + if dpkg --compare-versions "$2" le "2.0.6-1~" || [ "$2" = 0 ] ; then + initperms + fi ;; abort-upgrade|abort-deconfigure|abort-remove) : === modified file 'debian/munin-node.postrm' --- debian/munin-node.postrm 2012-12-12 01:58:22 +0000 +++ debian/munin-node.postrm 2012-12-12 01:58:42 +0000 @@ -18,13 +18,16 @@ fi done - rm -f /var/lib/munin/plugin-state/*.state - rm -f /var/lib/munin-node/plugin-state/*.state + # since 2.0.6 /var/lib/munin-node/plugin-state is used and /var/lib/munin/plugin-state not, + # so this should be cleaned up post wheezy. + # + # just like #198522 (see above..) is fixed since 2006 ;) + + rm -rf /var/lib/munin/plugin-state + rm -rf /var/lib/munin-node/plugin-state rm -f /var/log/munin/munin-node.log* rm -f /var/log/munin/munin-node-configure.log* - delete_dir_if_empty /var/lib/munin/plugin-state - delete_dir_if_empty /var/lib/munin-node/plugin-state delete_dir_if_empty /var/lib/munin delete_dir_if_empty /var/log/munin delete_dir_if_empty /etc/munin/plugin-conf.d === modified file 'debian/munin.NEWS' --- debian/munin.NEWS 2012-12-12 01:58:22 +0000 +++ debian/munin.NEWS 2012-12-12 01:58:42 +0000 @@ -1,13 +1,12 @@ -munin (2.0~rc6-1) unstable; urgency=low - - Welcome to munin 2.0~rc6! Please read the changelog and the documentation - to learn about new features. - - If you're upgrading and have modified /etc/munin/munin.conf in the past - you will now need to set "cgitmpdir /var/lib/munin/cgi-tmp" manually. - - "graph_strategy cgi" is the default now. (In theory, you could get the - old cron based graphing to work as well, but we strongly recommend not to.) +munin (2.0.6-1) unstable; urgency=medium + + Welcome to munin 2.0.6! Please read the changelog and the documentation + to learn about new features. + + If you're upgrading and using (fast)cgi graphing ("graph_strategy cgi" + in munin.conf) you will need to modify both your /etc/munin/munin.conf + as well as the webserver configuration due to changed cgi pathes to + enable secure setups. See http://munin-monitoring.org/wiki/CgiHowto2 for more information. The munin-node package now only provides the actual node, plugins are @@ -15,7 +14,7 @@ in 2.0 The documentation for munin has been moved to the new "munin-doc" package. - -- Holger Levsen Sun, 13 May 2012 17:57:24 +0200 + -- Holger Levsen Mon, 03 Sep 2012 12:04:02 +0200 munin (1.4.0-1) unstable; urgency=low === modified file 'debian/munin.apache.conf' --- debian/munin.apache.conf 2012-12-12 01:58:22 +0000 +++ debian/munin.apache.conf 2012-12-12 01:58:42 +0000 @@ -2,12 +2,17 @@ Alias /munin /var/cache/munin/www # Enable this for cgi-based templates -Alias /munin-cgi/static /var/cache/munin/www/static -ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html - - #Alias /munin-cgi/static /var/cache/munin/www/static -#ScriptAlias /munin-cgi /usr/lib/cgi-bin/munin-cgi-html +#ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html +# +# Order allow,deny +# Allow from localhost 127.0.0.0/8 ::1 +# AuthUserFile /etc/munin/munin-htpasswd +# AuthName "Munin" +# AuthType Basic +# require valid-user +# + Order allow,deny Allow from localhost 127.0.0.0/8 ::1 @@ -53,15 +58,35 @@ # # Enables fastcgi for munin-cgi-graph if present - - - SetHandler fastcgi-script - +ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph + + Order allow,deny + Allow from localhost 127.0.0.0/8 ::1 + # AuthUserFile /etc/munin/munin-htpasswd + # AuthName "Munin" + # AuthType Basic + # require valid-user + + SetHandler fcgid-script + + + SetHandler cgi-script + - - - SetHandler fastcgi-script - +ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html + + Order allow,deny + Allow from localhost 127.0.0.0/8 ::1 + # AuthUserFile /etc/munin/munin-htpasswd + # AuthName "Munin" + # AuthType Basic + # require valid-user + + SetHandler fcgid-script + + + SetHandler cgi-script + === modified file 'debian/munin.docs' --- debian/munin.docs 2012-12-12 01:58:22 +0000 +++ debian/munin.docs 2012-12-12 01:58:42 +0000 @@ -1,3 +1,2 @@ -build/resources/apache-cgi.conf Announce-2.0 UPGRADING === modified file 'debian/munin.postinst' --- debian/munin.postinst 2012-12-12 01:58:22 +0000 +++ debian/munin.postinst 2012-12-12 01:58:42 +0000 @@ -63,8 +63,9 @@ webserver=apache2 webserver_init_script="/etc/init.d/$webserver" if [ -d /etc/$webserver/conf.d ] && [ ! -e /etc/$webserver/conf.d/munin ]; then - if [ -z "$prevver" ] ; then + if [ -z "$prevver" ] || ( dpkg --compare-versions $prevver ge 1.4.6-1~ && dpkg --compare-versions $prevver lt 1.4.7~ ) ; then # only create link on new installs + # or when upgrading from a version where it was removed unconditionally ln -s ../../munin/apache.conf /etc/$webserver/conf.d/munin fi if [ -f $webserver_init_script ];then === removed file 'debian/patches/101-suppress-occasional-unknown-states-to-avoid-alerts.patch' --- debian/patches/101-suppress-occasional-unknown-states-to-avoid-alerts.patch 2012-12-12 01:58:22 +0000 +++ debian/patches/101-suppress-occasional-unknown-states-to-avoid-alerts.patch 1970-01-01 00:00:00 +0000 @@ -1,141 +0,0 @@ -Description: Suppress "occasional" unknown states to avoid alerts. - This patch adds a feature which counts the number of unknowns, - and only changes state (and sends an alert) once that count is reached. - . - Changed the default global count to 3 unknowns before the state is changed. - . - We will be able to remove this patch once upstream accepts it, which they - plan to do in a future release. -Origin: http://munin.projects.linpro.no/ticket/828 -Forwarded: no -Author: Steve Wilson -Last-Update: 2010-01-13 -Index: munin-1.4.3/common/lib/Munin/Common/Config.pm -=================================================================== ---- munin-1.4.3.orig/common/lib/Munin/Common/Config.pm (revision 3304) -+++ munin-1.4.3/common/lib/Munin/Common/Config.pm (working copy) -@@ -36,7 +36,7 @@ - "graph_printf", "ok", "unknown", "palette", "realservname", - "cdef_name", "graphable", "process", "realname", - "onlynullcdef", "group_order", "pipe", "pipe_command", -- "unknown_limit", "notify_countdown", "dropdownlimit", -+ "unknown_limit", "num_unknowns", "dropdownlimit", - "max_graph_jobs", "munin_cgi_graph_jobs" ); - - my %bools = map { $_ => 1} qw(yes no true false on off 1 0); -Index: munin-1.4.3/master/lib/Munin/Master/LimitsOld.pm -=================================================================== ---- munin-1.4.3.orig/master/lib/Munin/Master/LimitsOld.pm (revision 3304) -+++ munin-1.4.3/master/lib/Munin/Master/LimitsOld.pm (working copy) -@@ -330,23 +330,74 @@ - if ($value eq "unknown") { - $crit->[0] ||= ""; - $crit->[1] ||= ""; -- $hash->{'worst'} = "UNKNOWN" if $hash->{"worst"} eq "OK"; -- $hash->{'worstid'} = 3 if $hash->{"worstid"} == 0; -- munin_set_var_loc(\%notes, [@$fpath, "state"], "unknown"); -- munin_set_var_loc( -- \%notes, -- [@$fpath, "unknown"], ( -- defined $field->{"extinfo"} -+ -+ my $state = "unknown"; -+ my $extinfo = defined $field->{"extinfo"} - ? "unknown: " . $field->{"extinfo"} -- : "Value is unknown." -- )); -+ : "Value is unknown."; -+ my $num_unknowns; - - if ( !defined $onfield - or !defined $onfield->{"state"} - or $onfield->{"state"} ne "unknown") { - $hash->{'state_changed'} = 1; - } -+ else { -+ $hash->{'state_changed'} = 0; -+ } -+ -+ # First we'll need to check whether the user wants to ignore -+ # a few UNKNOWN values before actually changing the state to -+ # UNKNOWN. -+ if ($unknown_limit > 1) { -+ if (defined $onfield and defined $onfield->{"state"}) { -+ if ($onfield->{"state"} ne "unknown") { -+ if (defined $onfield->{"num_unknowns"}) { -+ if ($onfield->{"num_unknowns"} < $unknown_limit) { -+ # Don't change the state to UNKNOWN yet. -+ $hash->{'state_changed'} = 0; -+ $state = $onfield->{"state"}; -+ $extinfo = $onfield->{$state}; -+ -+ # Increment the number of UNKNOWN values seen. -+ $num_unknowns = $onfield->{"num_unknowns"} + 1; -+ } -+ } -+ else { -+ # Don't change the state to UNKNOWN yet. -+ $hash->{'state_changed'} = 0; -+ $state = $onfield->{"state"}; -+ $extinfo = $onfield->{$state}; -+ -+ # Start counting the number of consecutive UNKNOWN -+ # values seen. -+ $num_unknowns = 1; -+ } -+ } -+ } -+ } -+ -+ if ($state eq "unknown") { -+ $hash->{'worst'} = "UNKNOWN" if $hash->{"worst"} eq "OK"; -+ $hash->{'worstid'} = 3 if $hash->{"worstid"} == 0; -+ } -+ elsif ($state eq "critical") { -+ $hash->{'worst'} = "CRITICAL"; -+ $hash->{'worstid'} = 2; -+ } -+ elsif ($state eq "warning") { -+ $hash->{'worst'} = "WARNING" if $hash->{"worst"} ne "CRITICAL"; -+ $hash->{'worstid'} = 1 if $hash->{"worstid"} != 2; -+ } -+ -+ munin_set_var_loc(\%notes, [@$fpath, "state"], $state); -+ munin_set_var_loc(\%notes, [@$fpath, $state], $extinfo); -+ if (defined $num_unknowns) { -+ munin_set_var_loc(\%notes, [@$fpath, "num_unknowns"], -+ $num_unknowns); -+ } - } -+ - elsif ((defined($crit->[0]) and $value < $crit->[0]) - or (defined($crit->[1]) and $value > $crit->[1])) { - $crit->[0] ||= ""; -@@ -422,7 +473,7 @@ - my @warning = (undef, undef); - my $crit = munin_get($hash, "critical", undef); - my $warn = munin_get($hash, "warning", undef); -- my $unknown_limit = munin_get($hash, "unknown_limit", 1); -+ my $unknown_limit = munin_get($hash, "unknown_limit", 3); - - my $name = munin_get_node_name($hash); - -@@ -454,10 +505,15 @@ - DEBUG "[DEBUG] processing warning: $name -> $warning[0] : $warning[1]"; - } - -- # The merge of the unknown_limit implementation was somewhat botched. Not tested. - janl - if ($unknown_limit =~ /^\s*(\d+)\s*$/) { -- $unknown_limit = $1 if defined $1; -- DEBUG "[DEBUG] processing unknown_limit: $name -> $unknown_limit"; -+ $unknown_limit = $1 if defined $1; -+ if (defined $unknown_limit) { -+ if ($unknown_limit < 1) { -+ # Zero and negative numbers are not valid. -+ $unknown_limit = 1; -+ } -+ } -+ DEBUG "[DEBUG] processing unknown_limit: $name -> $unknown_limit"; - } - - return (\@warning, \@critical, $unknown_limit); === removed file 'debian/patches/237-hddtemp_smartctl-sata-detect.patch' --- debian/patches/237-hddtemp_smartctl-sata-detect.patch 2012-12-12 01:58:22 +0000 +++ debian/patches/237-hddtemp_smartctl-sata-detect.patch 1970-01-01 00:00:00 +0000 @@ -1,46 +0,0 @@ -Description: Add auto detection of SATA disks to hddtemp_smartctl - Upstream wants to test this bug on older systems before including it in trunk - as they want munin 1.4 compatible with older systems like RHEL4. - . - As we know that lenny, and onwards has smartmontools 5.38 or higher, - that is needed for this patch to work, we can include it in the debian package - even if its not included upstream. -Origin: other -Bug-Debian: http://bugs.debian.org/497400 -Forwarded: no -Author: Thorsten Gunkel -Last-Update: 2009-11-26 -Index: munin-1.4.0/plugins/node.d/hddtemp_smartctl.in -=================================================================== ---- munin-1.4.0.orig/plugins/node.d/hddtemp_smartctl.in 2009-08-31 23:04:36.000000000 +0200 -+++ munin-1.4.0/plugins/node.d/hddtemp_smartctl.in 2009-08-31 23:08:02.000000000 +0200 -@@ -92,14 +92,25 @@ - - # Try to get a default set of drives - if ($^O eq 'linux') { -- # On Linux, we know how to enumerate ide drives. SCSI is not as easy -+ # On Linux, we know how to enumerate ide drives. -+ my @drivesIDE; - if (-d '/proc/ide') { - opendir(IDE, '/proc/ide'); -- @drives = grep /hd[a-z]/, readdir IDE; -+ @drivesIDE = grep /hd[a-z]/, readdir IDE; - closedir(IDE); - } -- # "SCSI disks" could be both SCSI or SATA - we can't know which -- # without probing them. -+ -+ # Look for SCSI / SATA drives in /sys -+ my @drivesSCSI; -+ if (-d '/sys/block/') { -+ opendir(SCSI, '/sys/block/'); -+ @drivesSCSI = grep /sd[a-z]/, readdir SCSI; -+ closedir(SCSI); -+ } -+ -+ # Get list of all drives we found -+ @drives=(@drivesIDE,@drivesSCSI); -+ - } elsif ($^O eq 'freebsd') { - opendir(DEV, '/dev'); - @drives = grep /^ad[0-9]+$/, readdir DEV; === removed file 'debian/patches/CVE-2012-3512-regression.patch' --- debian/patches/CVE-2012-3512-regression.patch 2012-12-12 01:58:22 +0000 +++ debian/patches/CVE-2012-3512-regression.patch 1970-01-01 00:00:00 +0000 @@ -1,41 +0,0 @@ -Description: Don't rely on MUNIN_PLUGSTATE being in the environment as - these scripts also get run by a cron job -Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687495 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687495 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687912 - -Index: munin-1.4.6/plugins/node.d.linux/apt_all.in -=================================================================== ---- munin-1.4.6.orig/plugins/node.d.linux/apt_all.in 2012-10-15 13:28:16.872940387 -0400 -+++ munin-1.4.6/plugins/node.d.linux/apt_all.in 2012-10-15 13:49:00.796972237 -0400 -@@ -48,11 +48,12 @@ - # Now for the real work... - - use strict; -+use Munin::Common::Defaults; - - $ENV{'LANG'}="C"; - $ENV{'LC_ALL'}="C"; - --my $statefile = "$ENV{MUNIN_PLUGSTATE}/plugin-apt.state"; -+my $statefile = "$Munin::Common::Defaults::MUNIN_PLUGSTATE/plugin-apt.state"; - my @releases = ("stable", "testing","unstable"); - - -Index: munin-1.4.6/plugins/node.d.linux/apt.in -=================================================================== ---- munin-1.4.6.orig/plugins/node.d.linux/apt.in 2012-10-15 13:28:16.872940387 -0400 -+++ munin-1.4.6/plugins/node.d.linux/apt.in 2012-10-15 13:49:05.192972350 -0400 -@@ -72,10 +72,11 @@ - # Now for the real work... - - use strict; -+use Munin::Common::Defaults; - - $ENV{'LANG'}="C"; - $ENV{'LC_ALL'}="C"; --my $statefile = "$ENV{MUNIN_PLUGSTATE}/plugin-apt.state"; -+my $statefile = "$Munin::Common::Defaults::MUNIN_PLUGSTATE/plugin-apt.state"; - - sub update_state() { - if(-l $statefile) { === removed file 'debian/patches/CVE-2012-3512.patch' --- debian/patches/CVE-2012-3512.patch 2012-12-12 01:58:22 +0000 +++ debian/patches/CVE-2012-3512.patch 1970-01-01 00:00:00 +0000 @@ -1,423 +0,0 @@ -Description: fix privilege escalation via root running plugins -Origin: upstream, http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=780634c4a48fc57b6631d644fca3649f1417d211 -Origin: upstream, http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=9f2643c4cb13a34deadfea8fb7e8a29fa54fdc8e -Origin: upstream, http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=6183662a2b96c2c3b1b4cfc4b80ce28063d025c2 -Origin: upstream, http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=2b8d82e0c52ccdd79ca480788f7ef4d3325b4cb0 -Bug: http://www.munin-monitoring.org/ticket/1234 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684075 - -Index: munin-2.0.2/Makefile -=================================================================== ---- munin-2.0.2.orig/Makefile 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/Makefile 2012-10-12 08:44:01.029866859 -0400 -@@ -138,9 +138,8 @@ - mkdir -p $(LIBDIR)/plugins - mkdir -p $(PLUGSTATE) - -- $(CHOWN) $(PLUGINUSER):$(GROUP) $(PLUGSTATE) -- # using g+rwxs, so plugins can create and modify their state file without help -- $(CHMOD) 02775 $(PLUGSTATE) -+ $(CHOWN) root:root $(PLUGSTATE) -+ $(CHMOD) 0755 $(PLUGSTATE) - $(CHMOD) 0755 $(CONFDIR)/plugin-conf.d - - for p in build/plugins/node.d/* build/plugins/node.d.$(OSTYPE)/* ; do \ -Index: munin-2.0.2/Makefile.config -=================================================================== ---- munin-2.0.2.orig/Makefile.config 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/Makefile.config 2012-10-12 08:44:01.029866859 -0400 -@@ -41,16 +41,19 @@ - HTMLDIR = $(PREFIX)/www/docs - CGIDIR = $(PREFIX)/www/cgi - --# Where to put RRD files and other internal data, both master and node -+# Where to put internal data for master (RRD, internal files, ...) - DBDIR = $(DESTDIR)/var/opt/munin - -+# Where to put internal data for node (plugin state, ...) -+DBDIRNODE = $(DESTDIR)/var/opt/munin-node -+ - # Client only - Where the spool files are written. Must be writable by - # group "munin", and should be preserved between reboots - SPOOLDIR = $(DBDIR)/spool - - # Client only - Where plugins should put their states. Must be writable by - # group "munin", and should be preserved between reboots --PLUGSTATE = $(DBDIR)/plugin-state -+PLUGSTATE = $(DBDIRNODE)/plugin-state - - # Where Munin should place its logs. - LOGDIR = $(PREFIX)/log/munin -Index: munin-2.0.2/node/lib/Munin/Node/OS.pm -=================================================================== ---- munin-2.0.2.orig/node/lib/Munin/Node/OS.pm 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/node/lib/Munin/Node/OS.pm 2012-10-12 08:44:09.585867077 -0400 -@@ -13,6 +13,7 @@ - - use POSIX (); - use Sys::Hostname; -+use File::Path qw(make_path); - - sub get_uid { - my ($class, $user) = @_; -@@ -249,6 +250,16 @@ - - sub set_umask { umask(0002) or croak "Unable to set umask: $!\n"; } - -+sub mkdir_subdir { -+ my ($class, $path, $uid) = @_; -+ -+ my $user = getpwuid($uid); -+ -+ unless (-d "$path/$user") { -+ mkdir("$path/$user"); -+ chown($uid, 0, "$path/$user"); -+ } -+} - - - 1; -Index: munin-2.0.2/node/lib/Munin/Node/Service.pm -=================================================================== ---- munin-2.0.2.orig/node/lib/Munin/Node/Service.pm 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/node/lib/Munin/Node/Service.pm 2012-10-12 08:44:09.585867077 -0400 -@@ -119,8 +119,13 @@ - my ($self, $service) = @_; - print STDERR "# Setting up environment\n" if $config->{DEBUG}; - -+ # We append the USER to the MUNIN_PLUGSTATE, to avoid CVE-2012-3512 -+ my $uid = $self->_resolve_uid($service); -+ my $user = getpwuid($uid); -+ $ENV{MUNIN_PLUGSTATE} = "$Munin::Common::Defaults::MUNIN_PLUGSTATE/$user"; -+ - # Provide a consistent default state-file. -- $ENV{MUNIN_STATEFILE} = "$Munin::Common::Defaults::MUNIN_PLUGSTATE/$service-$ENV{MUNIN_MASTER_IP}"; -+ $ENV{MUNIN_STATEFILE} = "$ENV{MUNIN_PLUGSTATE}/$service-$ENV{MUNIN_MASTER_IP}"; - - my $env = $config->{sconf}{$service}{env} or return; - -@@ -236,6 +241,10 @@ - { - my ($self, $service, $arg) = @_; - -+ # XXX - Create the statedir for the user -+ my $uid = $self->_resolve_uid($service); -+ Munin::Node::OS->mkdir_subdir("$Munin::Common::Defaults::MUNIN_PLUGSTATE", $uid); -+ - $self->change_real_and_effective_user_and_group($service); - - unless (Munin::Node::OS->check_perms_if_paranoid("$self->{servicedir}/$service")) { -Index: munin-2.0.2/plugins/lib/Munin/Plugin.pm -=================================================================== ---- munin-2.0.2.orig/plugins/lib/Munin/Plugin.pm 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/lib/Munin/Plugin.pm 2012-10-12 08:44:04.169866943 -0400 -@@ -42,7 +42,7 @@ - (introduced in 1.3.3) you can put this in your plugin configuration: - - [*] -- env.MUNIN_PLUGSTATE /lib/munin/plugin-state -+ env.MUNIN_PLUGSTATE /var/lib/munin-node/plugin-state - env.MUNIN_LIBDIR /usr/share/munin - - IF, indeed that is the munin plugin state directory. The default -@@ -88,7 +88,8 @@ - =head3 $Munin::Plugin::pluginstatedir - - Identical to the environment variable MUNIN_PLUGSTATE (available since --Munin 1.3.3) or the install time @Z<>@PLUGSTATE@Z<>@ 'constant'. -+Munin 1.3.3) -+ - You can use this if you need to save several different state files. - But there is also a function to change the state file name so the - state file support functions can be used for several state files. -@@ -602,7 +603,7 @@ - There is some test stuff in this module. - - Test like this: -- MUNIN_PLUGSTATE=/var/lib/munin/plugin-state -e 'require "Plugin.pm.in"; Munin::Plugin::_test;' -- or something. -+ MUNIN_PLUGSTATE=/var/lib/munin-node/plugin-state -e 'require "Plugin.pm.in"; Munin::Plugin::_test;' -- or something. - - sub _test () { - my $pos; -Index: munin-2.0.2/plugins/node.d/bind9.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/bind9.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/bind9.in 2012-10-12 08:44:04.173866941 -0400 -@@ -51,10 +51,9 @@ - =cut - - use strict; --use Munin::Common::Defaults; - - my $QUERYLOG = $ENV{logfile} || '/var/log/bind9/query.log'; --my $STATEFILE= $Munin::Common::Defaults::MUNIN_PLUGSTATE.'/bind9.state'; -+my $STATEFILE= "$ENV{MUNIN_PLUGSTATE}/bind9.state"; - - my $OTHER=0; - my %IN; -Index: munin-2.0.2/plugins/node.d/courier_.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/courier_.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/courier_.in 2012-10-12 08:44:04.173866941 -0400 -@@ -54,7 +54,7 @@ - # Set the location of the courier logs - COURIER_LOG=${logfile:-/var/log/mail.log} - SERVICE=${service:-`basename $0 | sed 's/^courier_//g'`} --OFFSET_FILE=@@PLUGSTATE@@/courier_${SERVICE}.offset -+OFFSET_FILE=${MUNIN_PLUGSTATE}/courier_${SERVICE}.offset - LOGTAIL=${logtail:-/usr/sbin/logtail} - - mktempfile () { -Index: munin-2.0.2/plugins/node.d/courier_mta_mailstats.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/courier_mta_mailstats.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/courier_mta_mailstats.in 2012-10-12 08:44:04.173866941 -0400 -@@ -29,7 +29,7 @@ - - =cut - --my $statefile = "@@PLUGSTATE@@/munin-plugin-courier_mta_mailstats.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/munin-plugin-courier_mta_mailstats.state"; - my $pos = undef; - my $delivered = 0; - my $rejects = {}; -Index: munin-2.0.2/plugins/node.d/courier_mta_mailvolume.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/courier_mta_mailvolume.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/courier_mta_mailvolume.in 2012-10-12 08:44:04.173866941 -0400 -@@ -28,7 +28,7 @@ - - =cut - --my $statefile = "@@PLUGSTATE@@/munin-plugin-courier_mta_mailvolume.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/munin-plugin-courier_mta_mailvolume.state"; - my $pos = undef; - my $volume = 0; - my $LOGDIR = $ENV{'logdir'} || '/var/log'; -Index: munin-2.0.2/plugins/node.d/cupsys_pages.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/cupsys_pages.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/cupsys_pages.in 2012-10-12 08:44:04.173866941 -0400 -@@ -32,7 +32,7 @@ - use strict; - use Munin::Plugin; - --my $statefile = "@@PLUGSTATE@@/munin-cupsys-pages.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/munin-cupsys-pages.state"; - my $pos = undef; - my %printers = (); - -Index: munin-2.0.2/plugins/node.d/ipmi_sensor_.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/ipmi_sensor_.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/ipmi_sensor_.in 2012-10-12 08:44:04.173866941 -0400 -@@ -70,7 +70,7 @@ - import sys - import re - --CACHEDIR = "@@PLUGSTATE@@" -+CACHEDIR = os.environ['MUNIN_PLUGSTATE'] - CACHEFILE = "plugin-ipmi_sensor.cache" - CACHEAGE = 120 - CONFIG = '@@CONFDIR@@/ipmi' -Index: munin-2.0.2/plugins/node.d.linux/apt_all.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d.linux/apt_all.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d.linux/apt_all.in 2012-10-12 08:44:04.169866943 -0400 -@@ -52,7 +52,7 @@ - $ENV{'LANG'}="C"; - $ENV{'LC_ALL'}="C"; - --my $statefile = "@@PLUGSTATE@@/plugin-apt.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/plugin-apt.state"; - my @releases = ("stable", "testing","unstable"); - - -Index: munin-2.0.2/plugins/node.d.linux/apt.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d.linux/apt.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d.linux/apt.in 2012-10-12 08:44:04.169866943 -0400 -@@ -75,7 +75,7 @@ - - $ENV{'LANG'}="C"; - $ENV{'LC_ALL'}="C"; --my $statefile = "@@PLUGSTATE@@/plugin-apt.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/plugin-apt.state"; - - sub update_state() { - if(-l $statefile) { -Index: munin-2.0.2/plugins/node.d.linux/iostat_ios.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d.linux/iostat_ios.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d.linux/iostat_ios.in 2012-10-12 08:44:04.169866943 -0400 -@@ -62,7 +62,7 @@ - use Storable qw(store retrieve); - use Munin::Plugin; - --use constant STATEFILE => '@@PLUGSTATE@@/iostat-ios.state'; -+use constant STATEFILE => "$ENV{MUNIN_PLUGSTATE}/iostat-ios.state"; - - - if (defined($ARGV[0]) and $ARGV[0] eq 'autoconf') { -Index: munin-2.0.2/plugins/node.d.linux/port_.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d.linux/port_.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d.linux/port_.in 2012-10-12 08:44:04.169866943 -0400 -@@ -49,7 +49,7 @@ - { - my ($fd, $file) = @_; - -- my $cache_dir = "@@PLUGSTATE@@"; -+ my $cache_dir = "$ENV{MUNIN_PLUGSTATE}"; - my $cache = $file; - $cache =~ s:/:_:g; - $cache = "$cache_dir/$cache"; -Index: munin-2.0.2/plugins/node.d.linux/yum.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d.linux/yum.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d.linux/yum.in 2012-10-12 08:44:04.169866943 -0400 -@@ -27,9 +27,8 @@ - =cut - - use strict; --use Munin::Common::Defaults; - --my $statefile = "$Munin::Common::Defaults::MUNIN_PLUGSTATE/yum.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/yum.state"; - - sub update { - if (-l $statefile) { -Index: munin-2.0.2/plugins/node.d/loggrep.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/loggrep.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/loggrep.in 2012-10-12 08:44:04.173866941 -0400 -@@ -79,7 +79,7 @@ - - die("No regexes specified") unless keys %regex; - --my $statefile = "@@PLUGSTATE@@/$name.state"; -+my $statefile = "$ENV{MUNIN_PLUGSTATE}/$name.state"; - - if ($ARGV[0] and $ARGV[0] eq 'config') { - my $title = $ENV{title} || "Entries in $logfile"; -Index: munin-2.0.2/plugins/node.d/mailman.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/mailman.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/mailman.in 2012-10-12 08:44:04.173866941 -0400 -@@ -24,9 +24,7 @@ - - =cut - --use Munin::Common::Defaults; -- --$statefile = "$Munin::Common::Defaults::MUNIN_PLUGSTATE/munin-mailman-log.state"; -+$statefile = "$ENV{MUNIN_PLUGSTATE}/munin-mailman-log.state"; - $pos = undef; - $posts = 0; - $members = 0; -Index: munin-2.0.2/plugins/node.d/mailscanner.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/mailscanner.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/mailscanner.in 2012-10-12 08:44:04.173866941 -0400 -@@ -43,7 +43,7 @@ - - my $logfile = '/var/log/mail.log'; - my $logtail = '/usr/sbin/logtail'; --my $offsetfile = "@@PLUGSTATE@@/munin-mailscanner.offset"; -+my $offsetfile = "$ENV{MUNIN_PLUGSTATE}/munin-mailscanner.offset"; - my ($clean, $viruses, $spams, $others, $total) = (0, 0, 0, 0, 0); - my $cmd = (defined($ARGV[0])) ? $ARGV[0] : ''; - -Index: munin-2.0.2/plugins/node.d/mhttping.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/mhttping.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/mhttping.in 2012-10-12 08:44:04.173866941 -0400 -@@ -36,7 +36,7 @@ - - ############################## STUFF YOU MIGHT NEED TO CHANGE - --my $datafile = "@@PLUGSTATE@@/mhttping.data" ; -+my $datafile = "$ENV{MUNIN_PLUGSTATE}/mhttping.data" ; - my $resultsdir = "/home/gconnor/mhttping/results/" ; - my $httping = "/usr/local/bin/httping" ; - my $timeout = 30 ; -Index: munin-2.0.2/plugins/node.d/mysql_isam_space_.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/mysql_isam_space_.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/mysql_isam_space_.in 2012-10-12 08:44:04.173866941 -0400 -@@ -21,7 +21,7 @@ - - [mysql_isam_space_*] - env.mysqlopts -- env.statefile @@PLUGSTATE@@/plugin-mysql_isam_space.state -+ env.statefile $ENV{MUNIN_PLUGSTATE}/plugin-mysql_isam_space.state - env.ignore - env.absolute 0 - -@@ -50,7 +50,7 @@ - - my $DB = `basename $0 | sed 's/^mysql_isam_space_//g' | tr '_' '-'` ; - chomp $DB; --my $STATEFILE = $ENV{'statefile'} || "@@PLUGSTATE@@/plugin-mysql_isam_space.state"; -+my $STATEFILE = $ENV{'statefile'} || "$ENV{MUNIN_PLUGSTATE}/plugin-mysql_isam_space.state"; - my $MYSQLSHOW = $ENV{'mysqlshow'} || `which mysqlshow`; - my $ABSOLUTE = $ENV{'absolute'} || 0; - my @mysql_opts = (); -Index: munin-2.0.2/plugins/node.d/perdition.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/perdition.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/perdition.in 2012-10-12 08:44:04.173866941 -0400 -@@ -55,7 +55,7 @@ - - # Set the location of the perdition logs - PERDITION_LOG=${logfile:-/var/log/perdition.log} --OFFSET_FILE=@@PLUGSTATE@@/perdition.offset -+OFFSET_FILE=${MUNIN_PLUGSTATE}/perdition.offset - LOGTAIL=${logtail:-/usr/sbin/logtail} - - case $1 in -Index: munin-2.0.2/plugins/node.d/pop_stats.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/pop_stats.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/pop_stats.in 2012-10-12 08:44:04.173866941 -0400 -@@ -4,7 +4,7 @@ - - #%# family=contrib - --$pop{'statefile'} = "@@PLUGSTATE@@/munin-pop-log.state"; -+$pop{'statefile'} = "$ENV{MUNIN_PLUGSTATE}/munin-pop-log.state"; - $pos = undef; - $logons = 0; - -Index: munin-2.0.2/plugins/node.d/smart_.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/smart_.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/smart_.in 2012-10-12 08:44:04.177866941 -0400 -@@ -91,13 +91,12 @@ - verbose=False - # Suppress SMART warnings (True/False) - report_warnings=True --# Modify to your needs: --statefiledir='@@PLUGSTATE@@' - # You may not modify anything below this line - - import os, sys, string, pickle - from math import log - plugin_version="2.1" -+statefiledir=os.environ['MUNIN_PLUGSTATE'] - - def verboselog(s): - global plugin_name -Index: munin-2.0.2/plugins/node.d/spamstats.in -=================================================================== ---- munin-2.0.2.orig/plugins/node.d/spamstats.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/plugins/node.d/spamstats.in 2012-10-12 08:44:04.177866941 -0400 -@@ -24,7 +24,7 @@ - =cut - - --$statefile = $ENV{statefile} || "@@PLUGSTATE@@/munin-spamstats.state"; -+$statefile = $ENV{statefile} || "$ENV{MUNIN_PLUGSTATE}/munin-spamstats.state"; - $pos = undef; - $ham = 0; - $spam = 0; === removed file 'debian/patches/CVE-2012-3513.patch' --- debian/patches/CVE-2012-3513.patch 2012-12-12 01:58:22 +0000 +++ debian/patches/CVE-2012-3513.patch 1970-01-01 00:00:00 +0000 @@ -1,40 +0,0 @@ -Description: fix remote code exection via bad arguments -Origin: upstream, http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=db9ba4c44621bfed6e6c83e3f0a22cb18f0671a2 -Origin: upstream, http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=980f5c5f8da8036fb71f44caf99bd3be909e9796 -Bug: http://www.munin-monitoring.org/ticket/1238 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684076 - -Index: munin-2.0.2/master/_bin/munin-cgi-graph.in -=================================================================== ---- munin-2.0.2.orig/master/_bin/munin-cgi-graph.in 2012-10-12 08:45:09.573868613 -0400 -+++ munin-2.0.2/master/_bin/munin-cgi-graph.in 2012-10-12 08:52:59.849880660 -0400 -@@ -53,8 +53,10 @@ - my $logfile; - my $scale = "day"; - --my @params = @ARGV; -+my @params ; - -+push @params, "--config", $ENV{'MUNIN_CONFIG'} -+ if (defined $ENV{'MUNIN_CONFIG'}); - push @params, "--no-fork"; # FastCgi forks for us - push @params, "--skip-locking", "--skip-stats", "--nolazy"; - push @params, "--log-file", $logfile; -Index: munin-2.0.2/master/_bin/munin-cgi-html.in -=================================================================== ---- munin-2.0.2.orig/master/_bin/munin-cgi-html.in 2012-06-29 16:50:19.000000000 -0400 -+++ munin-2.0.2/master/_bin/munin-cgi-html.in 2012-10-12 08:52:59.849880660 -0400 -@@ -45,8 +45,12 @@ - my $lastchanged = 0; - my $datafile = "$Munin::Common::Defaults::MUNIN_DBDIR/datafile.storable"; - -+my @params; -+push @params, "--config", $ENV{'MUNIN_CONFIG'} -+ if (defined $ENV{'MUNIN_CONFIG'}); -+ - # grab config --html_startup([]); -+html_startup(\@params); - while(new CGI::Fast){ - print header("text/html"); - my $change = (stat($datafile))[9]; === modified file 'debian/patches/series' --- debian/patches/series 2012-12-12 01:58:22 +0000 +++ debian/patches/series 2012-12-12 02:00:19 +0000 @@ -1,6 +1,2 @@ 100-DejaVu-Fonts-Path.patch -237-hddtemp_smartctl-sata-detect.patch fix_ran_out_of_children.patch -CVE-2012-3512.patch -CVE-2012-3513.patch -CVE-2012-3512-regression.patch === modified file 'debian/rules' --- debian/rules 2012-12-12 01:58:22 +0000 +++ debian/rules 2012-12-12 01:58:42 +0000 @@ -8,6 +8,8 @@ dh $@ --with quilt override_dh_auto_build: + # ./getversion reads RELEASE if it exists + dpkg-parsechangelog | sed -n 's/^Version: //p' > RELEASE chmod 755 debian/ostype_helper dh_auto_build -- $(MAKEOPTS) @@ -29,6 +31,10 @@ MANDIR=$(CURDIR)/debian/munin-doc/usr/share/man \ DESTDIR=$(CURDIR)/debian/munin-node + # workaround bug in upstream Makefile + mkdir -p $(CURDIR)/debian/munin-async/var/lib + mv $(CURDIR)/debian/munin-node/var/lib/munin-async $(CURDIR)/debian/munin-async/var/lib/munin-async + $(MAKE) install-plugins-prime $(MAKEOPTS) \ MANDIR=$(CURDIR)/debian/munin-doc/usr/share/man \ DESTDIR=$(CURDIR)/debian/munin-plugins-core @@ -37,12 +43,6 @@ MANDIR=$(CURDIR)/debian/munin-doc/usr/share/man \ DESTDIR=$(CURDIR)/debian/munin-plugins-java - # Move the jmx_ plugin to the munin-plugins-java package - # see http://bugs.debian.org/667493 - mkdir -p $(CURDIR)/debian/munin-plugins-java/usr/share/munin/plugins/ - mv -v $(CURDIR)/debian/munin-plugins-core/usr/share/munin/plugins/jmx_ \ - $(CURDIR)/debian/munin-plugins-java/usr/share/munin/plugins/jmx_ - # Install apache configuration install -D -m0644 debian/munin.apache.conf \ $(CURDIR)/debian/munin/etc/munin/apache.conf @@ -85,6 +85,7 @@ override_dh_auto_clean: dh_auto_clean -- $(MAKEOPTS) clean-node clean-master clean-plugins clean-common clean find plugins/javalib -name '*.class' -print0 | xargs -0 -r rm -v + rm RELEASE -f # Disable build tests for now override_dh_auto_test: