CVE-2012-3513 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3513): munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command.

CVE-2012-3512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3512): Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin.

Maintainers, may we stabilize =net-analyzer/munin-2.0.8-r2 ?
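The CVE-2012-3512 description above (root-plugin state files kept in a group-writable directory shared with non-root plugins) is a privilege-separation failure that a filesystem audit can catch. The following is an added example, not code from Munin or from this bug thread; it assumes a plugin state directory such as /var/lib/munin/plugin-state (an assumption, check your distribution's layout) and flags root-owned files that a group member could overwrite or replace:

```python
import os
import stat
from dataclasses import dataclass
from typing import List

@dataclass
class Entry:
    path: str
    file_uid: int
    file_mode: int  # st_mode of the file itself
    dir_mode: int   # st_mode of the containing directory
    dir_gid: int    # gid of the containing directory

def is_exposed_root_state_file(e: Entry, privileged_uid: int = 0) -> bool:
    """True when a file written by a privileged (root) plugin could be
    replaced or rewritten by a non-root member of the directory's group."""
    if e.file_uid != privileged_uid:
        return False
    # Overwrite vector: the state file itself is group- or world-writable.
    if e.file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    # Replace vector: the directory lets others unlink/rename entries.
    # The sticky bit restricts unlink/rename to the file owner, so it
    # closes the replace vector even in a shared writable directory.
    dir_writable = bool(e.dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
    sticky = bool(e.dir_mode & stat.S_ISVTX)
    return dir_writable and not sticky

def scan_state_dir(root: str, privileged_uid: int = 0) -> List[str]:
    """Walk an assumed state directory (e.g. /var/lib/munin/plugin-state)
    and return paths of root-owned files exposed to group members."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dst = os.stat(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are a separate concern
            e = Entry(path, st.st_uid, st.st_mode, dst.st_mode, dst.st_gid)
            if is_exposed_root_state_file(e, privileged_uid):
                findings.append(path)
    return findings

if __name__ == "__main__":
    for p in scan_state_dir("/var/lib/munin/plugin-state"):
        print("exposed root state file:", p)
```

The fix shipped in Munin 2.0.6 corresponds to the clean case here: root plugins get their own directory that the munin group cannot write to, so no entry is flagged.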
Go for it.
(In reply to comment #1)
> Go for it.

Awesome, thanks.

Arches, please test and mark stable: =net-analyzer/munin-2.0.8-r2
Target KEYWORDS : "amd64 ppc x86"
amd64 stable
net-analyzer/munin-2.0.8-r2 nowadays needs dev-perl/Test-Deep as well as dev-perl/Test-MockObject (which itself needs dev-perl/UNIVERSAL-isa & dev-perl/UNIVERSAL-can) to pass the testsuite here on x86. These two direct test deps are not mentioned in the munin ebuild right now, and these packages are only keyworded (although they all look good to go).
Uhm, I'm not sure why I didn't notice failure without those — I'll look into adding the deps in a moment then.
x86 stable
ppc stable
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201405-17 at http://security.gentoo.org/glsa/glsa-201405-17.xml by GLSA coordinator Sean Amoss (ackle).