[Pkg-nagios-devel] Bug#865497: Wheezy update of check-mk?

Matt Taggart taggart at debian.org
Thu Jun 22 19:10:23 UTC 2017

Hi Raphael!

Raphael Hertzog writes:
> Hello Matt,
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of check-mk:
> https://security-tracker.debian.org/tracker/CVE-2017-9781
> Would you like to take care of this yourself?
> The code in wheezy is different from the 1.4.x version which has been
> patched upstream but I believe that a similar issue must exist since
> I have seen no HTML escaping in any code showing errors.

The commit message explicitly references the 1.4 branch, but I also
see that the code exists in 1.2.8p16 (buster/sid).

For buster/sid I will update to new 1.4 based upstream with the patch.

The 1.2.6p12-1 based versions in wheezy-backports-sloppy and
jessie-backports are different still, but we should push to make those
go away by getting buster fixed and backporting that to w-b-s, j-b-s,
and w-b.

I agree that the code is pretty different in 1.1.12p7-1 (wheezy). I
would appreciate help generating a patch for that version.

> That said it really depends on whether user input ends
> up in the error message associated to the various exceptions
> and it's hard to tell from a quick look at the code without trying.
> The traceback itself seems to be output in <pre>%s</pre> but that doesn't
> prevent XSS.
> In any case, if you want to handle this yourself, please follow the
> workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts at lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of check-mk updates
> for the LTS releases.

The check-mk source package is sort of weird, it uses tarballs within
the orig.tar.gz, so using a normal debian package diff, or even
patching at configure time doesn't work, it has to happen after the
install step runs setup.sh. I am happy for the LTS team to prepare the
wheezy update and I can help with testing. I will work on uploading a
fixed 1.4 version to sid in the next day.

Sound OK?

Matt Taggart
taggart at debian.org
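The point raised above, that emitting a traceback inside <pre>%s</pre> does not prevent XSS, is illustrated by the following added example. It is not check-mk code and not part of this thread; the failing helper, the input value and the two rendering functions are constructed for the demonstration. It shows that a value ending up in an exception message can close the <pre> element and inject markup unless the text is escaped with html.escape() first.

```python
import html
import traceback

# Constructed sample value standing in for request-controlled input that
# ends up inside an exception message (hypothetical; not check-mk's code).
CONSTRUCTED_INPUT = "</pre><b>injected markup</b>"


def lookup_host(name: str) -> None:
    """Hypothetical helper: fails and puts the unvalidated name in its message."""
    raise ValueError("unknown host: " + name)


def format_traceback(name: str) -> str:
    """Run the failing call and return the traceback text, as a web UI might."""
    try:
        lookup_host(name)
    except ValueError:
        return traceback.format_exc()
    return ""


def render_unescaped(tb_text: str) -> str:
    # The pattern discussed in the thread: raw text wrapped in <pre>%s</pre>.
    # <pre> only changes whitespace rendering; the browser still parses tags,
    # so a '</pre>' inside the text closes the element early.
    return "<pre>%s</pre>" % tb_text


def render_escaped(tb_text: str) -> str:
    # Hardened form: escape first so '<', '>', '&' and quotes become entities
    # and the traceback is displayed as text rather than parsed as HTML.
    return "<pre>%s</pre>" % html.escape(tb_text, quote=True)


def closes_pre_early(fragment: str) -> bool:
    """True if the fragment contains a </pre> other than its own closing tag."""
    return fragment.count("</pre>") > 1


if __name__ == "__main__":
    tb = format_traceback(CONSTRUCTED_INPUT)
    print("unescaped breaks out of <pre>:", closes_pre_early(render_unescaped(tb)))
    print("escaped breaks out of <pre>:  ", closes_pre_early(render_escaped(tb)))
```

The same escaping applies to any other interpolated field on an error page, not just the traceback; checking for a stray closing tag, as closes_pre_early() does, is a cheap regression test to keep beside the rendering code.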
