[Xymon] Xymon 4.3.29 Released - Important Security Update

Japheth Cleaver cleaver at terabithia.org
Tue Jul 23 17:57:49 CEST 2019

Hello all,

Xymon 4.3.29 has been released to Sourceforge and should be propagating 
to mirrors as I write this. Along with an assortment of bug fixes and 
compilation compatibility fixes for recent glibc systems, this version 
contains several fixes for security vulnerabilities within some CGI 
parsing. Although some of these overflows are not exploitable, others, 
including an XSS vulnerability are. Fixes beyond these CVEs have been 
made throughout the library, web, and network code to help reduce the 
likelihood of similar issues in other areas. As a result, all users are 
encouraged to upgrade.

The specific CVEs in question are:
   CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
   CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486

Henrik and I would like to extend our thanks to the University of 
Cambridge Computer Security
Incident Response Team, which reported the issues and helped validate 
their resolution.

Full release notes and other changes are available with the released 
tarball at https://sourceforge.net/projects/xymon/files/Xymon/4.3.29/

As always, thank you to everyone who has contributed patches, ideas, 
code, and feature requests to the project!

Japheth "J.C." Cleaver

More information about the Xymon mailing list