Bug 493434 (CVE-2013-7070) - <www-misc/monitorix-3.5.1: HTTP server 'handle_request()' session fixation & XSS vulnerabilities (CVE-2013-{7070,7071,7072})
Status: RESOLVED FIXED
Alias: CVE-2013-7070
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-06 11:01 UTC by Agostino Sarubbo
Modified: 2014-05-23 17:35 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
monitorix-3.5.0.ebuild (2.57 KB, text/plain), 2014-04-05 19:46 UTC, Wojciech Myrda
monitorix-3.5.0.init (659 bytes, text/plain), 2014-04-05 19:47 UTC, Wojciech Myrda

Description Agostino Sarubbo gentoo-dev 2013-12-06 11:01:48 UTC
From ${URL} :

Monitorix, an open source system monitoring tool, was found to be vulnerable to two XSS vulnerabilities, which could allow attackers to execute arbitrary script code in a user's browser in the context of the Web server process, access sensitive data, or hijack a user's session.

The issue is that the built-in HTTP server failed to adequately sanitize request strings of malicious JavaScript. So by leveraging this issue, an attacker may be able to inject arbitrary cookies. The same issue could also cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. Input passed via requests to the "handle_request()" function (lib/HTTPServer.pm) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The issue is said to be fixed in Monitorix 3.40.

References:
http://www.securityfocus.com/bid/63913/info
http://secunia.com/advisories/55857/
http://www.monitorix.org/news.html#N340


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
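The pattern the description above refers to, a request string echoed into an HTML response without escaping, shown side by side with the hardened form. This is an added illustration written for this page; it is not Monitorix's lib/HTTPServer.pm and does not reproduce its handle_request() code. The request line, the "sid" cookie name and the 404 page layout are constructed for the example.

```python
"""Reflected XSS in a minimal hand-rolled HTTP handler: vulnerable vs. hardened.

Illustrative code added to this bug page, not Monitorix's HTTPServer.pm.
"""
import html
from urllib.parse import unquote

# Constructed request line (not a captured one): the URL-encoded path carries a
# script that, if echoed back raw, plants an attacker-chosen session cookie
# in the viewer's browser (the "inject arbitrary cookies" angle of the advisory).
ATTACK_REQUEST = (
    "GET /%3Cscript%3Edocument.cookie%3D%22sid%3Dattacker%22%3C%2Fscript%3E HTTP/1.1"
)

# ASCII control characters; CR/LF in particular must never reach a header.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def parse_request_line(line):
    """Split 'METHOD PATH VERSION' and URL-decode the path, as a small
    built-in server does before matching it against known resources."""
    method, path, version = line.split(" ", 2)
    return method, unquote(path), version


def build_response(status, body):
    """Assemble a complete HTTP/1.1 response with a correct Content-Length."""
    return (
        f"HTTP/1.1 {status}\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        f"Content-Length: {len(body.encode('utf-8'))}\r\n"
        "\r\n" + body
    )


def handle_request_vulnerable(line):
    """Vulnerable pattern: the decoded path is interpolated into the 404 page
    verbatim, so any markup the client put in the URL runs in the viewer's browser."""
    _, path, _ = parse_request_line(line)
    body = (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>{path} was not found.</p></body></html>"
    )
    return build_response("404 Not Found", body)


def handle_request_hardened(line):
    """Hardened pattern: refuse control characters first (a CR/LF in the path
    would otherwise let an attacker split headers and add a Set-Cookie line),
    then HTML-escape everything request-derived before it enters the body."""
    _, path, _ = parse_request_line(line)
    if any(ch in CONTROL_CHARS for ch in path):
        return build_response(
            "400 Bad Request", "<html><body><h1>400 Bad Request</h1></body></html>"
        )
    safe_path = html.escape(path, quote=True)
    body = (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>{safe_path} was not found.</p></body></html>"
    )
    return build_response("404 Not Found", body)


def reflects_script(response):
    """True if a raw <script> tag from the request survived into the response body."""
    body = response.split("\r\n\r\n", 1)[1]
    return "<script>" in body.lower()


if __name__ == "__main__":
    print("vulnerable reflects script:", reflects_script(handle_request_vulnerable(ATTACK_REQUEST)))
    print("hardened reflects script:  ", reflects_script(handle_request_hardened(ATTACK_REQUEST)))
```

The escaping step is what the advisory calls "sanitising"; the control-character check is the extra guard a reviewer would ask for, since the same unvalidated path that lands in the body can also land in a header.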
Comment 1 Wojciech Myrda 2014-04-05 19:46:25 UTC
Created attachment 374326 [details]
monitorix-3.5.0.ebuild

The issue at the given Fedora link has been given medium status, not trivial... Regardless of whatever it should be, I have created an ebuild for the just-released version 3.5.0. It has made some nice additions http://www.monitorix.org/news.html#N350 and changes at the same time. One of them is that it checks for the config at the new location as well, hence the need for a changed init file.

Anyway, I hope after review it makes it into the portage tree, as the security bug seems to have been open for quite some time.

regards,
WM
Comment 2 Wojciech Myrda 2014-04-05 19:47:14 UTC
Created attachment 374330 [details]
monitorix-3.5.0.init
Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-05-23 15:57:56 UTC
Thank you very much for contributing; reviewed, minor changes (sort dependencies, shortened post install messages) and added support for systemd unit.

+  23 May 2014; Tom Wijsman <TomWij@gentoo.org> +files/monitorix-3.5.1.init,
+  +monitorix-3.5.1.ebuild, -files/monitorix-3.0.0.init,
+  -monitorix-3.0.0-r1.ebuild, -monitorix-3.1.0.ebuild, -monitorix-3.2.1.ebuild,
+  metadata.xml:
+  Version bump to 3.5.1, removed old, added systemd unit support. Fixed security
+  bug #493434 (CVE-2013-7071); reported by Ago, based on a contribution by
+  Wojciech Myrda (vojcek).
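Review bot: the ChangeLog entry cites only CVE-2013-7071, while the bug title covers CVE-2013-7070, 7071 and 7072 and the bug's alias is CVE-2013-7070; list all three (e.g. "CVE-2013-{7070,7071,7072}" as in the title) so the entry is found by a search on any of the assigned IDs.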

Security team, please proceed.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-05-23 17:34:39 UTC
Maintainer(s), Thank you for your work and cleanup!

No GLSA needed as there are no stable versions.