The release notes for 5.25.3 mention two security issues: https://mmonit.com/monit/changes/

Fixed: XSS vulnerability: HTML escape the log file content when viewed via Monit GUI. Thanks to Zack Flack for report.
Fixed: Buffer over-read vulnerability in URL decoding for specially crafted URLs. Thanks to Zack Flack for report.

Furthermore there's a use after free bug fixed that I reported a while ago: https://bitbucket.org/tildeslash/monit/issues/764

5.25.3 is already in the tree, but not stabilized yet.
So let's stabilize...
x86 stable
amd64 stable
Looking good on ppc.

# cat monit-679808.report
USE tests started on Do 14. Mär 16:40:46 CET 2019
FEATURES=' test'
USE='' succeeded for =app-admin/monit-5.25.3
USE='-ipv6 -libressl -pam -ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 -libressl -pam -ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 libressl -pam -ssl' succeeded for =app-admin/monit-5.25.3
USE='-ipv6 -libressl pam -ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 -libressl pam -ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 libressl pam -ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 -libressl -pam ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 libressl -pam ssl' : blocked packages (probably) for =app-admin/monit-5.25.3
USE='-ipv6 -libressl pam ssl' succeeded for =app-admin/monit-5.25.3
USE='ipv6 -libressl pam ssl' succeeded for =app-admin/monit-5.25.3
USE='-ipv6 libressl pam ssl' : blocked packages (probably) for =app-admin/monit-5.25.3
USE='ipv6 libressl pam ssl' : blocked packages (probably) for =app-admin/monit-5.25.3
ppc stable thanks to ernsteiswuerfel \o/
Please clean vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe5b8b3986e2260e658318eb2b368d17710674b6

commit fe5b8b3986e2260e658318eb2b368d17710674b6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-09 05:21:36 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-09 05:21:36 +0000

    app-admin/monit: Security cleanup

    Bug: https://bugs.gentoo.org/679808
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/monit/Manifest               |  2 --
 app-admin/monit/monit-5.25.1.ebuild    | 51 ------------------------------
 app-admin/monit/monit-5.25.2-r1.ebuild | 58 ----------------------------------
 3 files changed, 111 deletions(-)
*** Bug 711216 has been marked as a duplicate of this bug. ***