CVE-2017-14955 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955):
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
References:
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8
https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes
@Maintainer(s): Please provide a fixed ebuild, thank you.
net-analyzer/check_mk is now maintainer-needed.
I should point out that this ebuild is now half-useless because we needed to force USE=agent-only after removing mod_python. Let's last-rite it.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c413569dc8e1ccbcadc6d3dd94fbeb5fb2d5cb9
commit 0c413569dc8e1ccbcadc6d3dd94fbeb5fb2d5cb9
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-26 11:54:20 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-26 11:54:20 +0000
    package.mask: Last rite net-analyzer/check_mk
    Bug: https://bugs.gentoo.org/632648
 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
(CC-ing maintainer of net-analyzer/check_mk_agent just in case the other package was affected as well)
Thanks! check_mk_agent isn't affected by this.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a69dd861c8eceb208df573afaa97e9312bdf41b7
commit a69dd861c8eceb208df573afaa97e9312bdf41b7
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-09-29 10:06:27 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-09-29 10:08:45 +0000
    net-analyzer/check_mk: Remove last-rited pkg
    Bug: https://bugs.gentoo.org/632648
    Closes: https://bugs.gentoo.org/652634
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
 net-analyzer/check_mk/Manifest | 2 -
 net-analyzer/check_mk/check_mk-1.2.4_p5-r1.ebuild | 323 -------------------
 net-analyzer/check_mk/check_mk-1.2.8_p16.ebuild | 351 ---------------------
 .../check_mk/files/check_mk-1.2.4p5-setup.sh.patch | 39 ---
 .../files/check_mk-1.2.8p16-setup.sh.patch | 35 --
 net-analyzer/check_mk/metadata.xml | 29 --
 profiles/base/package.use.force | 5 -
 profiles/base/package.use.mask | 6 -
 profiles/package.mask | 7 -
 9 files changed, 797 deletions(-)
unCC-ing treecleaners
Closing NoGLSA