Bug 459274 - <www-servers/monkeyd-1.6.9-r1: world-readable logdir
Summary: <www-servers/monkeyd-1.6.9-r1: world-readable logdir
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 585064
Blocks:
Reported: 2013-02-26 09:45 UTC by Agostino Sarubbo
Modified: 2016-10-22 13:10 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-02-26 09:45:52 UTC
From ${URL} :

Monkeyd, a small, fast, and scalable web server, produces, at least on Gentoo,
a world-readable log.

# ls /var/log/monkeyd/master.log -la
-rw-r--r-- 1 root root 0 Feb 24 19:56 /var/log/monkeyd/master.log

Upstream site: http://www.monkey-project.com/
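The finding above is a permission-bit problem: the log file is mode `-rw-r--r--`, so any local account can read it, and comments 7 and 8 note that `access.log` and `error.log` in the default configuration matter more than `master.log`. The script below is an added example, not code from this bug report or from the Monkey project; it audits a log directory for entries with the other-read bit set, applies the kind of owner-plus-group modes a fixed package would install, and re-checks. The directory layout, file names and the log group it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or the Monkey project): detect
# world-readable entries in a web-server log directory and restrict them.

# List every entry under $1 whose other-read bit (octal 0004) is set.
world_readable() {
    find "$1" -perm -004 | sort
}

# Succeed only when nothing under $1 is readable by "other".
logdir_is_private() {
    [ -z "$(world_readable "$1")" ]
}

# Restrict $1 to owner and group: 0750 on directories, 0640 on files.
# $2 is the group allowed to read the logs. It defaults to the caller's
# own group so the demo runs unprivileged; a real install would pass the
# server's log group instead (assumed, not taken from the package).
harden_logdir() {
    dir=$1
    group=${2:-$(id -gn)}
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 0750 {} +
    find "$dir" -type f -exec chmod 0640 {} +
}

# Build a throwaway copy of the reported layout (constructed sample),
# show the finding, fix it, and confirm nothing is world-readable anymore.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 0755 "$tmp/monkeyd"
    for f in master.log access.log error.log; do
        : > "$tmp/monkeyd/$f"
        chmod 0644 "$tmp/monkeyd/$f"   # the -rw-r--r-- mode from the report
    done
    echo "world-readable before hardening:"
    world_readable "$tmp/monkeyd"
    harden_logdir "$tmp/monkeyd"
    echo "world-readable after hardening:"
    world_readable "$tmp/monkeyd"      # prints nothing once fixed
    if logdir_is_private "$tmp/monkeyd"; then
        echo "logdir is private: yes"
    fi
    rm -rf "$tmp"
}

demo
```

`find -perm -004` tests the mode bits directly, so it reports the directory itself as well as the files; a 0755 directory still lets other users list log names even when the files are 0640, which is why the hardening step covers directories and files separately.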
Comment 1 Anthony Basile gentoo-dev 2015-03-03 11:37:13 UTC
This should be fixed.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 01:40:11 UTC
# Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
# Unpatched security vulnerabilities and dead upstream
# per bugs #459274 and #473770  Removal in 30 days
www-servers/monkeyd
Comment 3 Anthony Basile gentoo-dev 2016-07-01 02:35:40 UTC
(In reply to Aaron Bauman from comment #2)
> # Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
> # Unpatched security vulnerabilities and dead upstream
> # per bugs #459274 and #473770  Removal in 30 days
> www-servers/monkeyd

What!  No.  This has been fixed.  Do not tell me you p.masked this package!
Comment 4 Anthony Basile gentoo-dev 2016-07-01 02:43:19 UTC
(In reply to Anthony Basile from comment #3)
> (In reply to Aaron Bauman from comment #2)
> > # Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
> > # Unpatched security vulnerabilities and dead upstream
> > # per bugs #459274 and #473770  Removal in 30 days
> > www-servers/monkeyd
> 
> What!  No.  This has been fixed.  Do not tell me you p.masked this package!

I reverted this.

I have reverted this masking.  You should not go around masking people's packages without their acknowledgement, especially since this has been fixed.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2016-07-01 06:51:17 UTC
(In reply to Anthony Basile from comment #4)
> I have reverted this masking.  You should not go around masking people's
> packages without their acknowledgement, especially since this has been fixed.

In what version?

We'll close our bugs as per our usual process, thanks.
Comment 6 Anthony Basile gentoo-dev 2016-07-01 09:52:41 UTC
(In reply to Alex Legler from comment #5)
> (In reply to Anthony Basile from comment #4)
> > I have reverted this masking.  You should not go around masking people's
> > packages without their acknowledgement, especially since this has been fixed.
> 
> In what version?
> 
> We'll close our bugs as per our usual process, thanks.

Since when is a world readable log a security bug which merits p.mask-ing and removal?
Comment 7 Anthony Basile gentoo-dev 2016-07-01 11:48:35 UTC
(In reply to Anthony Basile from comment #6)
> (In reply to Alex Legler from comment #5)
> > (In reply to Anthony Basile from comment #4)
> > > I have reverted this masking.  You should not go around masking people's
> > > packages without their acknowledgement, especially since this has been fixed.
> > 
> > In what version?
> > 
> > We'll close our bugs as per our usual process, thanks.
> 
> Since when is a world readable log a security bug which merits p.mask-ing
> and removal?

actually the problem isn't master.log which logs nothing you can't get with ps and netstat.  the bigger problem is access.log and error.log in the default configuration.  I can tighten that up, but this is not a security bug.
Comment 8 Anthony Basile gentoo-dev 2016-07-01 17:20:24 UTC
(In reply to Anthony Basile from comment #7)
> (In reply to Anthony Basile from comment #6)
> > (In reply to Alex Legler from comment #5)
> > > (In reply to Anthony Basile from comment #4)
> > > > I have reverted this masking.  You should not go around masking people's
> > > > packages without their acknowledgement, especially since this has been fixed.
> > > 
> > > In what version?
> > > 
> > > We'll close our bugs as per our usual process, thanks.
> > 
> > Since when is a world readable log a security bug which merits p.mask-ing
> > and removal?
> 
> actually the problem isn't master.log which logs nothing you can't get with
> ps and netstat.  the bigger problem is access.log and error.log in the
> default configuration.  I can tighten that up, but this is not a security
> bug.

version 1.6.9-r1 and above restrict access to access.log and error.log.
Comment 9 Anthony Basile gentoo-dev 2016-07-01 17:55:13 UTC
(In reply to Anthony Basile from comment #8)
> 
> version 1.6.9-r1 and above restrict access to access.log and error.log.

to be clear 1.6.9-r1 and above fix the world readable logdir.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-07-04 12:16:03 UTC
(In reply to Anthony Basile from comment #9)
> (In reply to Anthony Basile from comment #8)
> > 
> > version 1.6.9-r1 and above restrict access to access.log and error.log.
> 
> to be clear 1.6.9-r1 and above fix the world readable logdir.

May we call for stabilization of www-servers/monkeyd-1.6.9-r1?  This will also fix bug 473770 given your testing.
Comment 11 Anthony Basile gentoo-dev 2016-07-04 12:33:28 UTC
(In reply to Aaron Bauman from comment #10)
> (In reply to Anthony Basile from comment #9)
> > (In reply to Anthony Basile from comment #8)
> > > 
> > > version 1.6.9-r1 and above restrict access to access.log and error.log.
> > 
> > to be clear 1.6.9-r1 and above fix the world readable logdir.
> 
> May we call for stabilization of www-servers/monkeyd-1.6.9-r1?  This will
> also fix bug 473770 given your testing.

wait a month.

bug #473770 was never verified for any versions.  it should be closed invalid.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-07-04 12:48:02 UTC
(In reply to Anthony Basile from comment #11)
> (In reply to Aaron Bauman from comment #10)
> > (In reply to Anthony Basile from comment #9)
> > > (In reply to Anthony Basile from comment #8)
> > > > 
> > > > version 1.6.9-r1 and above restrict access to access.log and error.log.
> > > 
> > > to be clear 1.6.9-r1 and above fix the world readable logdir.
> > 
> > May we call for stabilization of www-servers/monkeyd-1.6.9-r1?  This will
> > also fix bug 473770 given your testing.
> 
> wait a month.
> 
> bug #473770 was never verified for any versions.  it should be closed
> invalid.

So the code bases are different?

Tomorrow will mark 1 month of the usual 30 day stabilization period, still another month?
Comment 13 Anthony Basile gentoo-dev 2016-07-04 13:03:11 UTC
(In reply to Aaron Bauman from comment #12)
> (In reply to Anthony Basile from comment #11)
> > 
> > 
> > bug #473770 was never verified for any versions.  it should be closed
> > invalid.
> 
> So the code bases are different?

Not enough information was given by the original reporter.  After filing the bug he disappeared.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-10-14 09:21:02 UTC
@arches, please stabilize the following:

=www-servers/monkeyd-1.6.9-r1
Comment 15 Anthony Basile gentoo-dev 2016-10-22 12:53:00 UTC
(In reply to Aaron Bauman from comment #14)
> @arches, please stabilize the following:
> 
> =www-servers/monkeyd-1.6.9-r1

This is bug #585064
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 12:56:04 UTC
(In reply to Anthony Basile from comment #15)
> (In reply to Aaron Bauman from comment #14)
> > @arches, please stabilize the following:
> > 
> > =www-servers/monkeyd-1.6.9-r1
> 
> This is bug #585064

You can call for stabilization in the security bug, which I mentioned on IRC as well.  Makes tracking that much easier.
Comment 17 Anthony Basile gentoo-dev 2016-10-22 13:08:57 UTC
(In reply to Anthony Basile from comment #15)
> (In reply to Aaron Bauman from comment #14)
> > @arches, please stabilize the following:
> > 
> > =www-servers/monkeyd-1.6.9-r1
> 
> This is bug #585064

I've finished the stabilization on all arches and removed the older version.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 13:10:49 UTC
(In reply to Anthony Basile from comment #17)
> (In reply to Anthony Basile from comment #15)
> > (In reply to Aaron Bauman from comment #14)
> > > @arches, please stabilize the following:
> > > 
> > > =www-servers/monkeyd-1.6.9-r1
> > 
> > This is bug #585064
> 
> I've finished the stabilization on all arches and removed the older version.

Thanks, Anthony!

GLSA Vote: No