[Xymon] Xymon 4.3.29 Released - Important Security Update

Richard L. Hamilton rlhamil2 at gmail.com
Wed Jul 24 15:31:31 CEST 2019


Probably also in all the following:
-bash-4.1$ find . -type f -exec grep pragma {} +
./xymonnet/xymonnet.c:          #pragma GCC diagnostic push
./xymonnet/xymonnet.c:          #pragma GCC diagnostic ignored "-Wformat-truncation"
./xymonnet/xymonnet.c:          #pragma GCC diagnostic pop
./lib/holidays.c:                               #pragma GCC diagnostic push
./lib/holidays.c:                               #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/holidays.c:                               #pragma GCC diagnostic pop
./lib/acklog.c:                 #pragma GCC diagnostic push
./lib/acklog.c:                 #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/acklog.c:                 #pragma GCC diagnostic pop
./lib/tree.c:#pragma GCC diagnostic push
./lib/tree.c:#pragma GCC diagnostic ignored "-Wunused-result"
./lib/tree.c:#pragma GCC diagnostic pop
./lib/htmllog.c:        #pragma GCC diagnostic push
./lib/htmllog.c:        #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/htmllog.c:        #pragma GCC diagnostic pop
./lib/stackio.c:                #pragma GCC diagnostic push
./lib/stackio.c:                #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/stackio.c:                #pragma GCC diagnostic pop
./lib/timefunc.c:       #pragma GCC diagnostic push
./lib/timefunc.c:       #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/timefunc.c:       #pragma GCC diagnostic pop
./lib/misc.c:   #pragma GCC diagnostic push
./lib/misc.c:   #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/misc.c:   #pragma GCC diagnostic pop
./lib/eventlog.c:       #pragma GCC diagnostic push
./lib/eventlog.c:       #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/eventlog.c:       #pragma GCC diagnostic pop


> On Jul 24, 2019, at 08:46, Richard L. Hamilton <rlhamil2 at gmail.com> wrote:
> 
> gcc prior to 4.6 gives the errors:
> 
> acklog.c: In function ‘do_acklog’:
> acklog.c:129:12: error: #pragma GCC diagnostic not allowed inside functions
> acklog.c:130:12: error: #pragma GCC diagnostic not allowed inside functions
> acklog.c:132:12: error: #pragma GCC diagnostic not allowed inside functions
> 
> Discussion of other software with a similar problem suggests a gcc version test for those.  Or just comment out those lines, for those who don't
> want to install a newer gcc and don't want to wait for a version test to be added.
> 
>> On Jul 23, 2019, at 12:11, Japheth Cleaver <cleaver at terabithia.org> wrote:
>> 
>> On 7/23/2019 8:57 AM, Japheth Cleaver wrote:
>>> Hello all,
>>> 
>>> Xymon 4.3.29 has been released to Sourceforge and should be propagating to mirrors as I write this. Along with an assortment of bug fixes and compilation compatibility fixes for recent glibc systems, this version contains several fixes for security vulnerabilities within some CGI parsing. Although some of these overflows are not exploitable, others, including an XSS vulnerability are. Fixes beyond these CVEs have been made throughout the library, web, and network code to help reduce the likelihood of similar issues in other areas. As a result, all users are encouraged to upgrade.
>>> 
>>> The specific CVEs in question are:
>>>  CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
>>>  CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
>> 
>> For clarification, the above CVEs only affect the *server* side of the Xymon monitoring system. Xymon clients are not affected.
>> 
>> -jc
>> 
>> 
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
> 
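A gcc version test of the kind the reply above suggests, as an added example that is not Xymon's own code: the `_Pragma` wrappers are emitted only on GCC 4.6 or newer, so an older compiler sees a plain `snprintf` call instead of the "not allowed inside functions" error. The macro and function names (`DIAG_PUSH`, `build_key`, and so on) are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* GCC accepts "#pragma GCC diagnostic" inside a function body only from
 * 4.6 on (older releases stop with "not allowed inside functions"), so
 * emit the pragmas only when the version is known to support them.
 * Macro names here are this example's own, not Xymon's. */
#if defined(__GNUC__) && !defined(__clang__) && \
    (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6))
#  define HAVE_INLINE_DIAG_PRAGMA 1
#  define DIAG_PUSH _Pragma("GCC diagnostic push")
#  define DIAG_POP  _Pragma("GCC diagnostic pop")
#else
#  define HAVE_INLINE_DIAG_PRAGMA 0
#  define DIAG_PUSH
#  define DIAG_POP
#endif
/* -Wformat-truncation only exists from GCC 7; naming it on 4.6-6 draws
 * an "unknown option" warning under -Wpragmas, so gate it separately. */
#if HAVE_INLINE_DIAG_PRAGMA && __GNUC__ >= 7
#  define DIAG_IGNORE_FORMAT_TRUNCATION \
     _Pragma("GCC diagnostic ignored \"-Wformat-truncation\"")
#else
#  define DIAG_IGNORE_FORMAT_TRUNCATION
#endif

/* Formats "host.test" into a fixed buffer as a log writer might; snprintf
 * always NUL-terminates, so silencing the warning is safe here. */
int build_key(char *out, size_t outlen, const char *host, const char *test)
{
    int n;
    DIAG_PUSH
    DIAG_IGNORE_FORMAT_TRUNCATION
    n = snprintf(out, outlen, "%s.%s", host, test);
    DIAG_POP
    return n;  /* length that would have been written */
}

/* snprintf signals truncation by returning >= the buffer size. */
int key_truncated(int n, size_t outlen) { return n < 0 || (size_t)n >= outlen; }
int inline_pragma_supported(void) { return HAVE_INLINE_DIAG_PRAGMA; }

int main(void)
{
    char buf[8];
    int n = build_key(buf, sizeof buf, "www", "http");
    printf("key=\"%s\" n=%d truncated=%d inline_pragma=%d\n", buf, n,
           key_truncated(n, sizeof buf), inline_pragma_supported());
    return 0;
}
```

The caller still checks the return value, so the silenced warning does not hide a real overflow.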
