Up to [cvs.NetBSD.org] / pkgsrc / net / xymonclient / patches
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.2 / (download) - annotate - [select for diffs], Sun Nov 24 20:16:55 2019 UTC (8 months, 2 weeks ago) by spz
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2, pkgsrc-2020Q1-base, pkgsrc-2020Q1, pkgsrc-2019Q4-base, pkgsrc-2019Q4, HEAD
Changes since 1.1: +16 -10 lines
Diff to previous 1.1 (colored)
Update xymon and xymonclient to version 4.3.29. Add patches to xymon from the xymon code repository to fix compatibility issues in 4.3.29. Upstream changelog: Changes for 4.3.29 ================== Several buffer overflow security issues have been resolved, as well as a potential XSS attack on certain CGI interfaces. Although the ability to exploit is limited, all users are urged to upgrade. The assigned CVE numbers are: CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486 In addition, revisions have been made to a number of places throughout the code to convert the most common sprintf statements to snprintf for safer processing, which should reduce the impact of similar parsing. Additional work on this will continue in the future. The affected CGIs are: history.c (overflow of histlogfn) = CVE-2019-13451 reportlog.c (overflow of histlogfn) = CVE-2019-13452 csvinfo.c (overflow of dbfn) = CVE-2019-13273 csvinfo.c (reflected XSS) = CVE-2019-13274 acknowledge.c (overflow of msgline) = CVE-2019-13455 appfeed.c (overflow of errtxt) = CVE-2019-13484 history.c (overflow of selfurl) = CVE-2019-13485 svcstatus.c (overflow of errtxt) = CVE-2019-13486 We would like to thank the University of Cambridge Computer Security Incident Response Team for their assistance in reporting and helping resolve these issues. Additional Changes: On Linux, a few additional tmpfs volumes are ignored by default on new (or unmodified) installs. This includes /run/user/<uid>, which is a transient, per-session tmpfs on some systems. To re- enable monitoring for this (if you are running services under a user with a login session), you may need to edit the analysis.cfg(5) file. After upgrade, these partitions will no longer be alerted on or tracked, and their associated RRD files may also be removed: /run/user/<uid> (but NOT /run) /dev (but NOT /dev/shm) /sys/fs/cgroup /lib/init/rw The default hard limit for an incoming message has been raised from 10MB to 64MB The secure apache config snippet no longer requires a xymongroups file to be present (and module loaded), since it's not used by default. This will not affect existing installs. A --no-cpu-listing option has been added to xymond_client to suppress the 'top' output in cpu test status messages. The conversation used in SMTP checks has been adjusted to perform a proper "EHLO" greeting against servers, using the host string 'xymonnet'. If the string needs to be adjusted, however, see protocols.cfg(5) "Actual" memory usage (as a percentage) may be >100% on some platforms in certain situations. This alone will not be tagged as "invalid" data and should be graphed in RRD.
Revision 1.1 / (download) - annotate - [select for diffs], Thu Sep 28 10:40:35 2017 UTC (2 years, 10 months ago) by spz
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3, pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4
update xymon + xymonclient to 4.3.28 notable changes: OpenSSL 1.1.0 is now supported, and c-ares has been updated While touching the package anyhow, it has been taught to pass down hardening flags, so that the various PKGSRC_USE_ flags now have effect.
This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.