oss-sec mailing list archives
Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws
From: Kenyon Ralph <kenyon () kenyonralph com>
Date: Wed, 18 Apr 2012 18:23:46 -0700
On 2012-04-18T18:37:09-0600, Kurt Seifried <kseifried () redhat com> wrote:
> On 04/17/2012 11:16 PM, Helmut Grohne wrote:
>> On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
>>> On 04/16/2012 11:34 PM, Helmut Grohne wrote:
>>>> The basic requirement is that a plugin called vmstat is configured
>>>> for the node localhost.localdomain. I just picked it as an example,
>>>> cause it is present on my system. In practise any plugin for any
>>>> host will do.
>>>
>>> Is this the default configuration?
>>
>> I am not that sure about the defaults, because I changed them. However
>> running a Munin without any plugins is pointless. It is like running a
>> mail server that does not transport any mail. You don't even have to
>> guess the name of a configured plugin, because those images are linked
>> from the html. Finding a configured plugin is really no issue on any
>> sane munin installation. Sane administrators may have to restricted
>> access to munin to themselves as to not expose the monitoring results
>> to the public though.
>>
>> Helmut
>
> If anyone can comment on this (default/not), and if you install a
> plugin does it expose it publicly or does the administrator have to
> enable remote access?

The packaging of munin node determines whether it will install symlinks for enabling plugins. The packaging of munin master determines whether a configuration for your httpd is installed and activated.

On Debian, symlinks to enable plugins are installed by default, and an apache2 configuration is automatically activated. So, on Debian, if your httpd is publicly-accessible, the munin pages and CGI will be publicly-accessible.

--
Kenyon Ralph