[Pkg-monitoring-maintainers] Bug#760372: loganalyzer: CVE-2014-6070
Daniel Pocock
daniel at pocock.pro
Sun Sep 7 06:49:10 UTC 2014
On 06/09/14 21:06, Salvatore Bonaccorso wrote:
> Hi Daniel,
>
> On Wed, Sep 03, 2014 at 02:05:53PM +0200, Daniel Pocock wrote:
>> Salvatore, I'd prefer to update the package closer to the freeze and
>> roll up any other changes in a single release.
>
> Personal opinion: having a fix sooner in testing would be preferable.
> This way the whole package would receive more testing already before
> the freeze.
>
>> People should not be making LogAnalyzer available to the world,
>> especially without additional access controls (HTTP authentication) so
>> that provides some protection against flaws that do exist in this product.
>>
>> How would the security team feel if this package was classified in a
>> similar way to the ganglia-web package, e.g. security alerts are not RC
>> bugs and users advised to protect the URL with the webserver?
>
> It is hard to prevent a syslog analysis tool from processing data from
> untrusted sources. Releasing the package mentioning such a restriction
> to security support does somehow not make sense, considering the
> intended use of the package.
>
> In the concrete instance of
> http://seclists.org/fulldisclosure/2014/Sep/17, a malicious syslog
> client, by setting an appropriate hostname could perform a XSS
> injection, even if the loganalyzer instance would be secured with
> additional access controls. Is this correct and do you agree?
>
Agreed - the majority of large networks don't have strict access control
on syslog and some rogue user could exploit this.
3.6.6+dfsg-1 has just been uploaded.
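An added illustration, not from this thread and not LogAnalyzer's own code, of the vector Salvatore describes: the hostname field of a constructed RFC 3164 syslog line is parsed and rendered into an HTML table both without and with output escaping, and a check confirms that the untrusted field no longer reaches the page as raw markup. Function names and the sample lines are assumptions made here.

```python
import html
import re

# Constructed sample of BSD-syslog (RFC 3164) lines as a web log viewer might read them.
# The second line carries markup in the HOSTNAME field, the case discussed in the thread.
SAMPLE_LOG = """<34>Sep  7 06:49:10 fileserver sshd[1234]: Accepted publickey for alice
<13>Sep  7 06:50:01 <script>alert(1)</script> cron[77]: job finished
"""

# PRI, timestamp, hostname (no whitespace), then tag and message as one field.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(text):
    """Return one dict (pri, ts, host, msg) per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def render_row_unsafe(rec):
    """The pattern behind the advisory: client-supplied fields concatenated straight into HTML."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (rec["ts"], rec["host"], rec["msg"])


def render_row_safe(rec):
    """Hardened form: every field originating from the syslog client is escaped at output time."""
    cells = (html.escape(rec[k], quote=True) for k in ("ts", "host", "msg"))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def untrusted_markup_survives(rec, renderer):
    """Check used in review: does any field containing '<' or '>' appear verbatim in the output?"""
    out = renderer(rec)
    return any(("<" in v or ">" in v) and v in out for v in rec.values())
```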