[Xymon] Xymon 4.3.29 Released - Important Security Update

Japheth Cleaver cleaver at terabithia.org
Mon Jul 29 19:41:04 CEST 2019

The Terabithia Xymon 4.3.29-1 packages have been updated in the 
production repositories and should be available for download at 

As a reminder, EL3 and EL4 and Fedora 18-27 have been retired -- those 
repos have been moved to the /retired/ directory.

As EPEL8 has not yet been released, an fping package is available in the 
EL8 repository, as well as man2html (needed for rebuilds).


On 7/23/2019 9:08 AM, Japheth Cleaver wrote:
> The RPMs available at Terabithia have been updated to 4.3.29-1 in the 
> /testing/ repositories at the moment.
> If no specific issues are found (please report!), I'll promote these 
> into the production repo in a day or two. (An announcement will be 
> made here.)
> Please note that I've built these only for EL5/6/7/8 and F28+ at the 
> moment. If there are requests for older RPM distributions, I can spin 
> RPMs for them as well, but I'd like to begin pruning them a bit if 
> they're not necessary.
> Regards,
> -jc
> On 7/23/2019 8:57 AM, Japheth Cleaver wrote:
>> Hello all,
>> Xymon 4.3.29 has been released to Sourceforge and should be 
>> propagating to mirrors as I write this. Along with an assortment of 
>> bug fixes and compilation compatibility fixes for recent glibc 
>> systems, this version contains several fixes for security 
>> vulnerabilities within some CGI parsing. Although some of these 
>> overflows are not exploitable, others, including an XSS vulnerability 
>> are. Fixes beyond these CVEs have been made throughout the library, 
>> web, and network code to help reduce the likelihood of similar issues 
>> in other areas. As a result, all users are encouraged to upgrade.
>> The specific CVEs in question are:
>>   CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
>>   CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
>> Henrik and I would like to extend our thanks to the University of 
>> Cambridge Computer Security
>> Incident Response Team, which reported the issues and helped validate 
>> their resolution.
>> Full release notes and other changes are available with the released 
>> tarball at https://sourceforge.net/projects/xymon/files/Xymon/4.3.29/
>> As always, thank you to everyone who has contributed patches, ideas, 
>> code, and feature requests to the project!
>> Sincerely,
>> Japheth "J.C." Cleaver

More information about the Xymon mailing list