[Xymon] Xymon 4.3.12 released

Henrik Størner henrik at hswn.dk
Thu Jul 25 18:09:40 CEST 2013


On 25-07-2013 17:36, Axel Beckert wrote:

> On Wed, Jul 24, 2013 at 11:13:00AM +0200, henrik at hswn.dk wrote:
>> NOTE: This release includes a bugfix for a security issue
>> in the xymond_history and xymond_rrd modules. A "drophost"
>> command sent to the xymond port (default: 1984) from an IP
>> listed in the --admin-senders access control list can be
>> used to delete files owned by the user running the xymond
>> daemon. This is allowed by default, so it is highly recommended
>
> Does a CVE id exist for that vulnerability?

No. I suppose I could figure out how to request one - unless someone
else already knows how?

> Is it known which Xymon versions are affected by that vulnerability?

All versions from 4.0 -> 4.3.11


Regards,
Henrik



