Changes - j0ke.net Open Build Service

Changes of Revision 38

[-] [+]	Changed	munin.changes
@@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Mon Dec 2 12:43:03 UTC 2013 - cs@linux-administrator.com + +- Update to security release 2.0.18 + +------------------------------------------------------------------- Wed Jul 31 20:17:52 UTC 2013 - cs@linux-administrator.com - Update to release 2.0.17
[-] [+]	Changed	munin.spec ^
@@ -1,6 +1,6 @@ # norootforbuild #!BuildIgnore: post-build-checks -%define pversion 2.0.17 +%define pversion 2.0.18 %define confdir /etc/munin %define libdir /usr/share/munin %define htmldir /srv/www/munin @@ -10,7 +10,7 @@ %define statedir /var/run/munin Name: munin -Version: 2.0.17 +Version: 2.0.18 Release: 1 Summary: Network-wide graphing framework (grapher/gatherer)
[-] [+]	Changed	munin-2.0.18.tar.bz2/ChangeLog ^
@@ -1,5 +1,41 @@ -- text -- +munin-2.0.18, 2013-11-12 + +------- +Summary +------- + +Bugfix + secfix release. + +Note that this release has 2 security fixes : +* Avoid a node DoS on bad plugin (CVE-2013-6359) +* Avoid an OOM in HTML generation on bad multigraph data (CVE-2013-6048) + +Closes: #910, #1397, D:728840, C:CVE-2013-6359, C:CVE-2013-6048 + +------------------ +Detailed Changelog +------------------ + +Kjetil Torgrim Homme: + common: add missing keywords + common: refactor the keywords to ease changes + +Matthias Schmitz: + Substitute some @@ vars in generate files. + +Steve Schnepp: + plugins/open_files: fix overrided used.warn/crit + node/asyncd: fix a crash case + node/asynd: avoid wake up each second + master: fix unexpected "warning limit" lines + master: avoid an endless loop in HTML generation + master: validate multigraph argument + master: don't abort node collection on bad plugin + p/ipmi_sensor_: fix the environ() usage + + munin-2.0.17, 2013-07-19 -------
[-] [+]	Changed	munin-2.0.18.tar.bz2/Makefile ^
@@ -213,7 +213,7 @@ # Dummy rule to enable parallel building infiles: $(INFILES) -build: infiles build-master build-common-prime build-node build-plugins $(JAVA_BUILD) build-man +build: infiles build-master build-common-prime build-node build-plugins $(JAVA_BUILD) build-man substitue-confvar-inline build/%: %.in @echo "$< -> $@" @@ -253,6 +253,47 @@ build-common-prime: build-common-pre common/blib/lib/Munin/Common/Defaults.pm build-common +substitue-confvar-inline: + @sed -e 's\|@@PREFIX@@\|$(PREFIX)\|g' \ + -e 's\|@@CONFDIR@@\|$(CONFDIR)\|g' \ + -e 's\|@@BINDIR@@\|$(BINDIR)\|g' \ + -e 's\|@@SBINDIR@@\|$(SBINDIR)\|g' \ + -e 's\|@@DOCDIR@@\|$(DOCDIR)\|g' \ + -e 's\|@@LIBDIR@@\|$(LIBDIR)\|g' \ + -e 's\|@@MANDIR@@\|$(MANDIR)\|g' \ + -e 's\|@@LOGDIR@@\|$(LOGDIR)\|g' \ + -e 's\|@@HTMLDIR@@\|$(HTMLDIR)\|g' \ + -e 's\|@@DBDIR@@\|$(DBDIR)\|g' \ + -e 's\|@@STATEDIR@@\|$(STATEDIR)\|g' \ + -e 's\|@@SPOOLDIR@@\|$(SPOOLDIR)\|g' \ + -e 's\|@@PERL@@\|$(PERL)\|g' \ + -e 's\|@@PERLLIB@@\|$(PERLLIB)\|g' \ + -e 's\|@@PYTHON@@\|$(PYTHON)\|g' \ + -e 's\|@@RUBY@@\|$(RUBY)\|g' \ + -e 's\|@@JAVARUN@@\|$(JAVARUN)\|g' \ + -e 's\|@@JAVALIBDIR@@\|$(JAVALIBDIR)\|g' \ + -e 's\|@@OSTYPE@@\|$(OSTYPE)\|g' \ + -e 's\|@@HOSTNAME@@\|$(HOSTNAME)\|g' \ + -e 's\|@@MKTEMP@@\|$(MKTEMP)\|g' \ + -e 's\|@@VERSION@@\|$(VERSION)\|g' \ + -e 's\|@@PLUGSTATE@@\|$(PLUGSTATE)\|g' \ + -e 's\|@@CGIDIR@@\|$(CGIDIR)\|g' \ + -e 's\|@@USER@@\|$(USER)\|g' \ + -e 's\|@@GROUP@@\|$(GROUP)\|g' \ + -e 's\|@@PLUGINUSER@@\|$(PLUGINUSER)\|g' \ + -e 's\|@@GOODSH@@\|$(GOODSH)\|g' \ + -e 's\|@@BASH@@\|$(BASH)\|g' \ + -e 's\|@@HASSETR@@\|$(HASSETR)\|g' \ + --in-place \ + ./master/blib/libdoc/Munin::Master::HTMLOld.3pm \ + ./master/blib/lib/Munin/Master/HTMLOld.pm \ + ./node/blib/sbin/munin-node-configure \ + ./node/blib/sbin/munin-node \ + ./node/blib/sbin/munin-run \ + ./node/blib/sbin/munin-sched \ + ./build/doc/munin-node.conf.5 + + build-common-pre: common/Build cd common && $(PERL) Build code
[-] [+]	Changed	munin-2.0.18.tar.bz2/RELEASE ^
@@ -1 +1 @@ -2.0.17 +2.0.18
[-] [+]	Changed	munin-2.0.18.tar.bz2/common/lib/Munin/Common/Config.pm ^
@@ -10,43 +10,131 @@ # Functions here are unable to log as they don't know if they're used # by the node or the master which use divergent logging facilities. +# In fact, the list in %legal is only used by the master. -my %legal = map { $_ => 1 } ( - - "tmpldir", "ncsa", "ncsa_server", "ncsa_config", "rundir", - "dbdir", "logdir", "htmldir", "includedir", "domain_order", - "node_order", "graph_order", "graph_sources", "fork", - "graph_title", "create_args", "graph_args", "graph_vlabel", - "graph_vtitle", "graph_total", "graph_scale", "graph", - "update", "host_name", "label", "cdef", "draw", "graph", - "max", "min", "negative", "skipdraw", "type", "warning", - "critical", "stack", "sum", "address", "htaccess", "warn", - "use_default_name", "use_node_name", "port", "graph_noscale", - "nsca", "nsca_server", "nsca_config", "extinfo", "fetch_data", - "filename", "max_processes", "nagios", "info", "graph_info", - "graph_category", "graph_strategy", "graph_width", - "graph_height", "graph_sums", "local_address", "compare", - "text", "command", "contact", "contacts", "max_messages", - "always_send", "notify_alias", "line", "state", - "graph_period", "cgiurl_graph", "cgiurl", "tls", - "service_order", "category_order", "version", - "tls_certificate", "tls_private_key", "tls_pem", - "tls_verify_certificate", "tls_verify_depth", "tls_match", - "tls_ca_certificate", "graph_data_size", "colour", - "graph_printf", "ok", "unknown", "palette", "realservname", - "cdef_name", "graphable", "process", "realname", - "onlynullcdef", "group_order", "pipe", "pipe_command", - "unknown_limit", "num_unknowns", "dropdownlimit", - "max_graph_jobs", "max_cgi_graph_jobs", "munin_cgi_graph_jobs", - "max_html_jobs", "cgitmpdir", "update_rate", - "max_size_x", "max_size_y", - "staticdir", "html_strategy", - "rrdcached_socket", "graph_args_after", - "graph_future", "trend", "predict", - "html_rename", - "worker_start_delay", - "num_messages", - ); +my %legal = map { $_ => 1 } qw( + address + always_send + category_order + cdef + cdef_name + cgitmpdir + cgiurl + cgiurl_graph + colour + command + compare + contact + contacts + create_args + critical + dbdir + domain_order + draw + dropdownlimit + extinfo + fetch_data + filename + fork + graph + graph + graphable + graph_args + graph_args_after + graph_category + graph_data_size + graph_future + graph_height + graph_info + graph_noscale + graph_order + graph_period + graph_printf + graph_scale + graph_sources + graph_strategy + graph_sums + graph_title + graph_total + graph_vlabel + graph_vtitle + graph_width + group_order + host_name + htaccess + htmldir + html_rename + html_strategy + includedir + info + label + line + local_address + logdir + max + max_cgi_graph_jobs + max_graph_jobs + max_html_jobs + max_messages + max_processes + max_size_x + max_size_y + min + munin_cgi_graph_jobs + nagios + ncsa + ncsa_config + ncsa_server + negative + node_order + notify_alias + nsca + nsca_config + nsca_server + num_messages + num_unknowns + ok + onlynullcdef + palette + pipe + pipe_command + port + predict + process + realname + realservname + rrdcached_socket + rundir + service_order + skipdraw + stack + state + staticdir + sum + text + timeout + tls + tls_ca_certificate + tls_certificate + tls_match + tls_pem + tls_private_key + tls_verify_certificate + tls_verify_depth + tmpldir + trend + type + unknown + unknown_limit + update + update_rate + use_default_name + use_node_name + version + warn + warning + worker_start_delay +); my %bools = map { $_ => 1} qw(yes no true false on off 1 0);
[-] [+]	Changed	munin-2.0.18.tar.bz2/master/lib/Munin/Master/GraphOld.pm ^
@@ -1159,9 +1159,9 @@ unshift(@rrd_negatives, "HRULE:" . $number . ($ldcolour ? "#$ldcolour" : "#$colour")); } - elsif (my $tmpwarn = munin_get($negfield, "warning",2)) { + elsif (my $tmpwarn = munin_get($negfield, "warning")) { - my ($warn_min, $warn_max) = split(':', $tmpwarn); + my ($warn_min, $warn_max) = split(':', $tmpwarn,2); if (defined($warn_min) and $warn_min ne '') { unshift(
[-] [+]	Changed	munin-2.0.18.tar.bz2/master/lib/Munin/Master/HTMLConfig.pm ^
@@ -176,6 +176,7 @@ $shrinkpath; $shrinkpath =~ s/^[^\/]+\/?//, $counter++) { + die ("Munin::Master::HTMLConfig ran into an endless loop") if ($counter >= 100); $childnode->{'url' . $counter} = $shrinkpath; } @@ -218,6 +219,7 @@ $shrinkpath =~ /\//; $shrinkpath =~ s/^[^\/]+\///, $counter++ ) { + die ("Munin::Master::HTMLConfig ran into an endless loop") if ($counter >= 100); $obj->{'url' . $counter} = $shrinkpath; } push @$cats, $obj; @@ -317,6 +319,7 @@ $shrinkpath =~ /\//; $shrinkpath =~ s/^[^\/]+\///, $counter++ ) { + die ("Munin::Master::HTMLConfig ran into an endless loop") if ($counter >= 100); $ret->{'url' . $counter} = $shrinkpath; } }
[-] [+]	Changed	munin-2.0.18.tar.bz2/master/lib/Munin/Master/Node.pm ^
@@ -307,17 +307,28 @@ next if $line =~ /^\#/; if ($line =~ m{\A multigraph \s+ (.+) }xms) { - $correct++; - push_graphorder($service); $service = $1; if ($service eq 'multigraph') { - die "[ERROR] SERVICE can't be named \"$service\" in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port}; + ERROR "[ERROR] SERVICE can't be named \"$service\" in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port}; + $errors++; + last; } + if ($service =~ /(^\.\|\.$\|\.\.)/) { + ERROR "[ERROR] SERVICE \"$service\" contains dots in wrong places in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port}; + $errors++; + last; + } + if ($service !~ m/^[-\w.:.]+$/) { + ERROR "[ERROR] SERVICE \"$service\" contains weird characters in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port}; + $errors++; + last; + } new_service($service) unless $global_config->{$service}; DEBUG "[CONFIG multigraph $plugin] Service is now $service"; + $correct++; } elsif ($line =~ m{\A ([^\s\.]+) \s+ (.+?) \s* $}xms) { $correct++; @@ -463,16 +474,26 @@ next if $line =~ /^\#/; if ($line =~ m{\A multigraph \s+ (.+) }xms) { - $correct++; - $service = $1; + if ($service =~ /(^\.\|\.$\|\.\.)/) { + ERROR "[ERROR] SERVICE \"$service\" contains dots in wrong places in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port}; + $errors++; + last; + } + if ($service !~ m/^[-\w.:.]+$/) { + ERROR "[ERROR] SERVICE \"$service\" contains weird characters in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port}; + $errors++; + last; + } $values{$service} = {}; if ($service eq 'multigraph') { + $errors++; ERROR "[ERROR] SERVICE can't be named \"$service\" in plugin $plugin on ". $nodedesignation; - croak("Plugin error. Please consult the log."); + last; } + $correct++; } elsif ($line =~ m{\A ([^\.]+)\.value \s+ ([\S:]+) }xms) { my ($data_source, $value, $when) = ($1, $2, $now);
[-] [+]	Changed	munin-2.0.18.tar.bz2/node/_bin/munin-asyncd.in ^
@@ -145,12 +145,6 @@ MAIN: while($keepgoing) { my $when = time; - { - # XXX - quickfix a bug that when sleeping too little, would - # then sleep a whole $timeout - $timeout = 1; - } - my $when_next = $when + $timeout; # wake up at least every $timeout sec my $sock; PLUGIN: foreach my $plugin (@plugins) { @@ -174,12 +168,16 @@ $sock = new IO::Socket::INET( PeerAddr => "$host", Proto => 'tcp' - ) \|\| die "Error creating socket: $!"; + ); + + unless ($sock) { + warn "Error creating socket: $!, moving to next plugin to try again"; + next; + } + <$sock>; # skip header } - # $sock is still not open. moving to next plugin to try again - next unless $sock; # Setting the command name for a useful top information $process_name = "plugin:$plugin"; @@ -211,6 +209,8 @@ if ($sleep_sec > 0) { print STDERR "[$$][$process_name] Sleeping $sleep_sec sec\n" if $verbose; sleep $sleep_sec; + } else { + print STDERR "[$$][$process_name] Already late : should sleep $sleep_sec sec\n" if $verbose; } }
[-] [+]	Changed	munin-2.0.18.tar.bz2/node/lib/Munin/Node/Config.pm ^
@@ -91,8 +91,10 @@ return if $self->_handled_by_net_server($var_name); my %config_variables = map { $_ => 1 } qw( + global_timeout ignore_file paranoia + spooldir timeout tls tls_ca_certificate
[-] [+]	Changed	munin-2.0.18.tar.bz2/plugins/node.d.linux/open_files.in ^
@@ -47,13 +47,16 @@ echo 'graph_info This graph monitors the Linux open files table.' echo 'used.label open files' echo 'used.info The number of currently open files.' - print_warning used - print_critical used + computed_warning=$(awk '{printf "%d", $30.92}' < /proc/sys/fs/file-nr) + computed_critical=$(awk '{printf "%d", $30.98}' < /proc/sys/fs/file-nr) + p_warning=$(print_warning used) + p_critical=$(print_critical used) + [ -z "$p_warning" ] && echo "used.warning $computed_warning" \|\| echo $p_warning + [ -z "$p_critical" ] && echo "used.critical $computed_critical" \|\| echo $p_critical echo 'max.label max open files' echo 'max.info The maximum supported number of open files. Tune by modifying /proc/sys/fs/file-max.' print_warning max print_critical max - awk '{printf "used.warning %d\nused.critical %d\n",$30.92,$30.98}' < /proc/sys/fs/file-nr exit 0 fi
[-] [+]	Changed	munin-2.0.18.tar.bz2/plugins/node.d/ipmi_sensor_.in ^
@@ -69,7 +69,7 @@ import sys import re -CACHEDIR = os.environ['MUNIN_PLUGSTATE'] +CACHEDIR = environ['MUNIN_PLUGSTATE'] CACHEFILE = "plugin-ipmi_sensor.cache" CACHEAGE = 120 CONFIG = '@@CONFDIR@@/ipmi'