[Xymon] Xymon 4.3.12 released
Bill Arlofski
waa-hobbitml at revpol.com
Tue Jul 30 14:01:10 CEST 2013
On 07/27/13 03:53, Axel Beckert wrote:
> Hi Henrik,
>
> On Fri, Jul 26, 2013 at 10:34:21AM +0200, Axel Beckert wrote:
>> On Thu, Jul 25, 2013 at 06:09:40PM +0200, Henrik Størner wrote:
>>>> Does a CVE id exist for that vulnerability?
>>>
>>> No. I suppose I could figure out how to request one - unless someone
>>> else already knows how ?
>>
>> I requested one via the Debian Security Team.
>
> CVE-2013-4173[1] has been assigned to this issue. Thanks to Salvatore
> Bonaccorso for his help.
>
> [1] http://article.gmane.org/gmane.comp.security.oss.general/10728
>
> In case you want to request one yourself next time, see
> https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
> for instructions.
>
> Kind regards, Axel Beckert
>
Hi Axel, Henrik
I noticed in the CVE link provided the following:
--[snip]--
> If access to administrative commands is limited by use of the
> "--admin-senders" option for the "xymond" daemon, then the attack
> is restricted to the commands sent from the IP-adresses listed in
> the --admin-senders access list. However, the default
> configuration permits these commands to be sent from any IP.
--[snip]--
However, I checked several Xymon and Hobbit installations that we manage and
each of them has the --admin-senders=127.0.0.1,$BBSERVERIP (for hobbit) and
--admin-senders=127.0.0.1,$XYMONSERVERIP (for xymon) set.
I know for a fact that these settings were not manually added to the xymond
daemon CMDs on our servers, so this appears to be the default, which means
that by default Xymon (and Hobbit) systems are "not vulnerable."
Am I missing something?
Thanks!
--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --
More information about the Xymon
mailing list