Bug 598322 (CVE-2016-7067) - <app-admin/monit-5.20.0: CSRF
Summary: <app-admin/monit-5.20.0: CSRF
Status: RESOLVED FIXED
Alias: CVE-2016-7067
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-28 09:39 UTC by Agostino Sarubbo
Modified: 2017-02-01 09:14 UTC

See Also:
Package list:
=app-admin/monit-5.20.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-10-28 09:39:21 UTC
From ${URL} :

I'd found a CSRF issue in Monit(https://mmonit.com/monit/) in the Service
Manager application that affects versions 5.19.0 and earlier. Red Hat has
assigned CVE-2016-7067 to this issue. Monit has fixed this issue in version
5.20.0

Description:
The forms in Monit's Service Manager are vulnerable to a cross site request
forgery attack.
Successful exploitation will enable an attacker to disable/enable all
monitoring for a particular host, or to disable/enable monitoring for a
specific service.

Upstream Commit:
https://bitbucket.org/tildeslash/monit/commits/c6ec3820e627f85417053e6336de2987f2d863e3?at=master

Adith Sudhakar


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
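The report above names the bug class (state-changing forms with no anti-CSRF protection) but neither the endpoint nor the fix. The Python sketch below is added here as an illustration of that class; it is not code from Monit, from the reporter, or from the linked upstream commit. It models a service-manager form handler that accepts any request carrying the victim's session cookie, beside a handler that additionally requires POST, checks Origin/Referer when present, and demands a per-session synchronizer token that a cross-site page can neither read nor compute. The path `/_doaction`, the parameter names `action`, `service` and `securitytoken`, the origin `https://monit.example.internal:2812`, the session id and the service names are assumptions chosen for the example, not taken from Monit's source.

```python
"""Generic CSRF demonstration for a form-driven service manager (illustrative, not Monit's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

SITE_ORIGIN = "https://monit.example.internal:2812"  # assumed origin of the web UI
ACTION_PATH = "/_doaction"                            # hypothetical form endpoint
SERVER_SECRET = secrets.token_bytes(32)                # per-process key for token derivation
VALID_SESSIONS = {"victim-session-id"}                 # constructed: sessions the UI treats as logged in


@dataclass
class Request:
    """Minimal model of one HTTP request as the server sees it."""
    method: str
    path: str
    headers: Dict[str, str]   # Origin / Referer, if the browser sent them
    cookies: Dict[str, str]   # attached automatically by the browser, cross-site or not
    form: Dict[str, str]      # urlencoded body fields


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    An attacker's page can neither read it (same-origin policy) nor compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _apply(action: str, service: str, services: Dict[str, bool]) -> int:
    """Flip monitoring for one service; returns an HTTP-style status."""
    if service not in services or action not in ("monitor", "unmonitor"):
        return 400
    services[service] = action == "monitor"
    return 200


def vulnerable_doaction(req: Request, services: Dict[str, bool]) -> int:
    """Pre-fix pattern: the session cookie is the only proof of intent, so any
    site that can make the victim's browser submit here acts as the victim."""
    if req.path != ACTION_PATH or req.cookies.get("session") not in VALID_SESSIONS:
        return 401
    return _apply(req.form.get("action", ""), req.form.get("service", ""), services)


def hardened_doaction(req: Request, services: Dict[str, bool]) -> int:
    """Post-fix pattern: cookie check plus POST-only, an Origin/Referer check
    when either header is present, and a mandatory per-session token."""
    session = req.cookies.get("session")
    if req.path != ACTION_PATH or session not in VALID_SESSIONS:
        return 401
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    expected = csrf_token_for(session).encode()
    if not hmac.compare_digest(req.form.get("securitytoken", "").encode(), expected):
        return 403
    return _apply(req.form.get("action", ""), req.form.get("service", ""), services)


def attacker_page(target_origin: str, service: str) -> str:
    """Constructed cross-site page: an auto-submitting form. The victim only has
    to load it while logged in to the UI; no click is needed."""
    return (f'<form id="f" method="POST" action="{target_origin}{ACTION_PATH}">\n'
            f'  <input type="hidden" name="action" value="unmonitor">\n'
            f'  <input type="hidden" name="service" value="{service}">\n'
            '</form>\n<script>document.getElementById("f").submit();</script>')


def forged_request(victim_session: str, service: str) -> Request:
    """What the server receives once the victim's browser submits attacker_page()."""
    return Request("POST", ACTION_PATH, headers={"Origin": "https://attacker.example"},
                   cookies={"session": victim_session},
                   form={"action": "unmonitor", "service": service})


def legitimate_request(session: str, action: str, service: str) -> Request:
    """A submit from the UI's own form, which embedded the token for this session."""
    return Request("POST", ACTION_PATH, headers={"Origin": SITE_ORIGIN},
                   cookies={"session": session},
                   form={"action": action, "service": service,
                         "securitytoken": csrf_token_for(session)})


def demo() -> Tuple[int, int, int]:
    """Forged request against both handlers, then a legitimate one: (200, 403, 200)."""
    forged = forged_request("victim-session-id", "nginx")
    v = vulnerable_doaction(forged, {"nginx": True})   # monitoring silently disabled
    h = hardened_doaction(forged, {"nginx": True})     # rejected: wrong origin, no token
    ok = hardened_doaction(legitimate_request("victim-session-id", "unmonitor", "nginx"),
                           {"nginx": True})
    return v, h, ok
```

`demo()` returns `(200, 403, 200)`: the forged submit succeeds against the unprotected handler and is refused by the hardened one, while the UI's own form still works. The token is the part that matters; the Origin/Referer check is a second layer that must tolerate absent headers, and browsers that default cookies to `SameSite=Lax` would not attach the session cookie to this cross-site POST, but a server that relies on that browser behaviour rather than its own token remains exposed to older or differently configured clients.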
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-28 09:47:19 UTC
Arches please test and mark stable =app-admin/monit-5.20.0 with target KEYWORDS:

amd64 ppc ~ppc64 x86 ~amd64-linux
Comment 2 Agostino Sarubbo gentoo-dev 2016-11-04 08:22:06 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-04 08:25:24 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-15 16:01:54 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 19:30:26 UTC
GLSA Vote: No