From ${URL} :

Christoph Biedl reported that Munin 2.0.18 fixes two denial of service flaws:

* CVE-2013-6048, a node could cause excessive memory consumption on the Munin master.
* CVE-2013-6359, a malicious plug-in could prevent data collection for the node.

References:
https://github.com/munin-monitoring/munin/blob/2.0.18/ChangeLog

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This is now fixed as 2.0.19 is in tree.
Arches, please test and mark stable:
=net-analyzer/munin-2.0.19
Target Keywords : "amd64 ppc x86"
ppc stable
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
Thanks for your work. GLSA vote: no
GLSA vote: no. @Maintainers: cleanup time.
CVE-2013-6359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6359): Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name.
CVE-2013-6048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6048): The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data.
Maintainer timeout, cleanup done by me. Closed as fixed.