munin.changes
munin.spec
munin-2.0.18.tar.bz2/ChangeLog
@@ -1,5 +1,41 @@
-*- text -*-
+munin-2.0.18, 2013-11-12
+
+-------
+Summary
+-------
+
+Bugfix + secfix release.
+
+Note that this release has 2 security fixes :
+* Avoid a node DoS on bad plugin (CVE-2013-6359)
+* Avoid an OOM in HTML generation on bad multigraph data (CVE-2013-6048)
+
+Closes: #910, #1397, D:728840, C:CVE-2013-6359, C:CVE-2013-6048
+
+------------------
+Detailed Changelog
+------------------
+
+Kjetil Torgrim Homme:
+ common: add missing keywords
+ common: refactor the keywords to ease changes
+
+Matthias Schmitz:
+ Substitute some @@ vars in generate files.
+
+Steve Schnepp:
+ plugins/open_files: fix overrided used.warn/crit
+ node/asyncd: fix a crash case
+ node/asynd: avoid wake up each second
+ master: fix unexpected "warning limit" lines
+ master: avoid an endless loop in HTML generation
+ master: validate multigraph argument
+ master: don't abort node collection on bad plugin
+ p/ipmi_sensor_: fix the environ() usage
+
+
munin-2.0.17, 2013-07-19
-------
munin-2.0.18.tar.bz2/Makefile
@@ -213,7 +213,7 @@
# Dummy rule to enable parallel building
infiles: $(INFILES)
-build: infiles build-master build-common-prime build-node build-plugins $(JAVA_BUILD) build-man
+build: infiles build-master build-common-prime build-node build-plugins $(JAVA_BUILD) build-man substitue-confvar-inline
build/%: %.in
@echo "$< -> $@"
@@ -253,6 +253,47 @@
build-common-prime: build-common-pre common/blib/lib/Munin/Common/Defaults.pm build-common
+substitue-confvar-inline:
+ @sed -e 's|@@PREFIX@@|$(PREFIX)|g' \
+ -e 's|@@CONFDIR@@|$(CONFDIR)|g' \
+ -e 's|@@BINDIR@@|$(BINDIR)|g' \
+ -e 's|@@SBINDIR@@|$(SBINDIR)|g' \
+ -e 's|@@DOCDIR@@|$(DOCDIR)|g' \
+ -e 's|@@LIBDIR@@|$(LIBDIR)|g' \
+ -e 's|@@MANDIR@@|$(MANDIR)|g' \
+ -e 's|@@LOGDIR@@|$(LOGDIR)|g' \
+ -e 's|@@HTMLDIR@@|$(HTMLDIR)|g' \
+ -e 's|@@DBDIR@@|$(DBDIR)|g' \
+ -e 's|@@STATEDIR@@|$(STATEDIR)|g' \
+ -e 's|@@SPOOLDIR@@|$(SPOOLDIR)|g' \
+ -e 's|@@PERL@@|$(PERL)|g' \
+ -e 's|@@PERLLIB@@|$(PERLLIB)|g' \
+ -e 's|@@PYTHON@@|$(PYTHON)|g' \
+ -e 's|@@RUBY@@|$(RUBY)|g' \
+ -e 's|@@JAVARUN@@|$(JAVARUN)|g' \
+ -e 's|@@JAVALIBDIR@@|$(JAVALIBDIR)|g' \
+ -e 's|@@OSTYPE@@|$(OSTYPE)|g' \
+ -e 's|@@HOSTNAME@@|$(HOSTNAME)|g' \
+ -e 's|@@MKTEMP@@|$(MKTEMP)|g' \
+ -e 's|@@VERSION@@|$(VERSION)|g' \
+ -e 's|@@PLUGSTATE@@|$(PLUGSTATE)|g' \
+ -e 's|@@CGIDIR@@|$(CGIDIR)|g' \
+ -e 's|@@USER@@|$(USER)|g' \
+ -e 's|@@GROUP@@|$(GROUP)|g' \
+ -e 's|@@PLUGINUSER@@|$(PLUGINUSER)|g' \
+ -e 's|@@GOODSH@@|$(GOODSH)|g' \
+ -e 's|@@BASH@@|$(BASH)|g' \
+ -e 's|@@HASSETR@@|$(HASSETR)|g' \
+ --in-place \
+ ./master/blib/libdoc/Munin::Master::HTMLOld.3pm \
+ ./master/blib/lib/Munin/Master/HTMLOld.pm \
+ ./node/blib/sbin/munin-node-configure \
+ ./node/blib/sbin/munin-node \
+ ./node/blib/sbin/munin-run \
+ ./node/blib/sbin/munin-sched \
+ ./build/doc/munin-node.conf.5
+
+
build-common-pre: common/Build
cd common && $(PERL) Build code
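Review bot: `substitue-confvar-inline` is added to `build` as one more prerequisite and has none of its own, so under `make -j` nothing orders the `sed --in-place` run after the targets that create the seven files it edits. Giving it those targets as prerequisites would fix the ordering, for example `substitue-confvar-inline: build-master build-node build-man` (which targets actually produce `./build/doc/munin-node.conf.5` is not visible in this hunk). The variable values are pasted into the sed replacement unescaped, so a `|`, `&` or backslash in something like `$(PREFIX)` or `$(HOSTNAME)` would corrupt the installed scripts. `--in-place` is a GNU sed option, and the target name is presumably meant to read `substitute-confvar-inline`.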
munin-2.0.18.tar.bz2/RELEASE
@@ -1 +1 @@
-2.0.17
+2.0.18
munin-2.0.18.tar.bz2/common/lib/Munin/Common/Config.pm
@@ -10,43 +10,131 @@
# Functions here are unable to log as they don't know if they're used
# by the node or the master which use divergent logging facilities.
+# In fact, the list in %legal is only used by the master.
-my %legal = map { $_ => 1 } (
-
- "tmpldir", "ncsa", "ncsa_server", "ncsa_config", "rundir",
- "dbdir", "logdir", "htmldir", "includedir", "domain_order",
- "node_order", "graph_order", "graph_sources", "fork",
- "graph_title", "create_args", "graph_args", "graph_vlabel",
- "graph_vtitle", "graph_total", "graph_scale", "graph",
- "update", "host_name", "label", "cdef", "draw", "graph",
- "max", "min", "negative", "skipdraw", "type", "warning",
- "critical", "stack", "sum", "address", "htaccess", "warn",
- "use_default_name", "use_node_name", "port", "graph_noscale",
- "nsca", "nsca_server", "nsca_config", "extinfo", "fetch_data",
- "filename", "max_processes", "nagios", "info", "graph_info",
- "graph_category", "graph_strategy", "graph_width",
- "graph_height", "graph_sums", "local_address", "compare",
- "text", "command", "contact", "contacts", "max_messages",
- "always_send", "notify_alias", "line", "state",
- "graph_period", "cgiurl_graph", "cgiurl", "tls",
- "service_order", "category_order", "version",
- "tls_certificate", "tls_private_key", "tls_pem",
- "tls_verify_certificate", "tls_verify_depth", "tls_match",
- "tls_ca_certificate", "graph_data_size", "colour",
- "graph_printf", "ok", "unknown", "palette", "realservname",
- "cdef_name", "graphable", "process", "realname",
- "onlynullcdef", "group_order", "pipe", "pipe_command",
- "unknown_limit", "num_unknowns", "dropdownlimit",
- "max_graph_jobs", "max_cgi_graph_jobs", "munin_cgi_graph_jobs",
- "max_html_jobs", "cgitmpdir", "update_rate",
- "max_size_x", "max_size_y",
- "staticdir", "html_strategy",
- "rrdcached_socket", "graph_args_after",
- "graph_future", "trend", "predict",
- "html_rename",
- "worker_start_delay",
- "num_messages",
- );
+my %legal = map { $_ => 1 } qw(
+ address
+ always_send
+ category_order
+ cdef
+ cdef_name
+ cgitmpdir
+ cgiurl
+ cgiurl_graph
+ colour
+ command
+ compare
+ contact
+ contacts
+ create_args
+ critical
+ dbdir
+ domain_order
+ draw
+ dropdownlimit
+ extinfo
+ fetch_data
+ filename
+ fork
+ graph
+ graph
+ graphable
+ graph_args
+ graph_args_after
+ graph_category
+ graph_data_size
+ graph_future
+ graph_height
+ graph_info
+ graph_noscale
+ graph_order
+ graph_period
+ graph_printf
+ graph_scale
+ graph_sources
+ graph_strategy
+ graph_sums
+ graph_title
+ graph_total
+ graph_vlabel
+ graph_vtitle
+ graph_width
+ group_order
+ host_name
+ htaccess
+ htmldir
+ html_rename
+ html_strategy
+ includedir
+ info
+ label
+ line
+ local_address
+ logdir
+ max
+ max_cgi_graph_jobs
+ max_graph_jobs
+ max_html_jobs
+ max_messages
+ max_processes
+ max_size_x
+ max_size_y
+ min
+ munin_cgi_graph_jobs
+ nagios
+ ncsa
+ ncsa_config
+ ncsa_server
+ negative
+ node_order
+ notify_alias
+ nsca
+ nsca_config
+ nsca_server
+ num_messages
+ num_unknowns
+ ok
+ onlynullcdef
+ palette
+ pipe
+ pipe_command
+ port
+ predict
+ process
+ realname
+ realservname
+ rrdcached_socket
+ rundir
+ service_order
+ skipdraw
+ stack
+ state
+ staticdir
+ sum
+ text
+ timeout
+ tls
+ tls_ca_certificate
+ tls_certificate
+ tls_match
+ tls_pem
+ tls_private_key
+ tls_verify_certificate
+ tls_verify_depth
+ tmpldir
+ trend
+ type
+ unknown
+ unknown_limit
+ update
+ update_rate
+ use_default_name
+ use_node_name
+ version
+ warn
+ warning
+ worker_start_delay
+);
my %bools = map { $_ => 1} qw(yes no true false on off 1 0);
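Review bot: The sorted `qw()` list still carries `graph` twice on adjacent lines, a duplicate inherited from the old quoted list. It is harmless in a hash, but one of the two lines should be dropped now that the list is meant to be easy to audit. The new comment says `%legal` is only used by the master; a short comment above the list, such as `# Keywords accepted in master configuration and plugin config output; keep sorted.`, would tell the next editor the ordering convention.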
munin-2.0.18.tar.bz2/master/lib/Munin/Master/GraphOld.pm
@@ -1159,9 +1159,9 @@
unshift(@rrd_negatives,
"HRULE:" . $number . ($ldcolour ? "#$ldcolour" : "#$colour"));
}
- elsif (my $tmpwarn = munin_get($negfield, "warning",2)) {
+ elsif (my $tmpwarn = munin_get($negfield, "warning")) {
- my ($warn_min, $warn_max) = split(':', $tmpwarn);
+ my ($warn_min, $warn_max) = split(':', $tmpwarn,2);
if (defined($warn_min) and $warn_min ne '') {
unshift(
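Review bot: The corrected `elsif (my $tmpwarn = munin_get($negfield, "warning"))` still tests the value for truth, so a warning setting of exactly `0` is skipped as if it were unset. If that is not intended, test definedness instead: `elsif (defined(my $tmpwarn = munin_get($negfield, "warning"))) {`. With the limit of 2 now on `split`, anything after a second colon ends up in `$warn_max`. The code that uses it lies beyond the end of this hunk, so whether it is checked to be numeric before reaching the RRD arguments should be confirmed there.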
munin-2.0.18.tar.bz2/master/lib/Munin/Master/HTMLConfig.pm
@@ -176,6 +176,7 @@
$shrinkpath;
$shrinkpath =~ s/^[^\/]+\/?//, $counter++)
{
+ die ("Munin::Master::HTMLConfig ran into an endless loop") if ($counter >= 100);
$childnode->{'url' . $counter} = $shrinkpath;
}
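Review bot: The new `die` guard names neither the path nor the object that tripped it, so an operator who hits it has no way to find the offending plugin. The same line is repeated with the literal `100` in the hunks at -218 and -317. Including the path would help, `die("Munin::Master::HTMLConfig ran into an endless loop on path \"$shrinkpath\"") if $counter >= 100;`, with the bound held in one named constant. The guard is a backstop only: the substitution in the loop header cannot shorten a path that begins with `/`, and `die` ends HTML generation for every node, so the input validation on the collection side remains the real fix. The loop headers start above each hunk, so what catches the `die` is not visible here.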
@@ -218,6 +219,7 @@
$shrinkpath =~ /\//;
$shrinkpath =~ s/^[^\/]+\/*//, $counter++
) {
+ die ("Munin::Master::HTMLConfig ran into an endless loop") if ($counter >= 100);
$obj->{'url' . $counter} = $shrinkpath;
}
push @$cats, $obj;
@@ -317,6 +319,7 @@
$shrinkpath =~ /\//;
$shrinkpath =~ s/^[^\/]+\/*//, $counter++
) {
+ die ("Munin::Master::HTMLConfig ran into an endless loop") if ($counter >= 100);
$ret->{'url' . $counter} = $shrinkpath;
}
}
munin-2.0.18.tar.bz2/master/lib/Munin/Master/Node.pm
@@ -307,17 +307,28 @@
next if $line =~ /^\#/;
if ($line =~ m{\A multigraph \s+ (.+) }xms) {
- $correct++;
-
push_graphorder($service);
$service = $1;
if ($service eq 'multigraph') {
- die "[ERROR] SERVICE can't be named \"$service\" in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port};
+ ERROR "[ERROR] SERVICE can't be named \"$service\" in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port};
+ $errors++;
+ last;
}
+ if ($service =~ /(^\.|\.$|\.\.)/) {
+ ERROR "[ERROR] SERVICE \"$service\" contains dots in wrong places in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port};
+ $errors++;
+ last;
+ }
+ if ($service !~ m/^[-\w.:.]+$/) {
+ ERROR "[ERROR] SERVICE \"$service\" contains weird characters in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port};
+ $errors++;
+ last;
+ }
new_service($service) unless $global_config->{$service};
DEBUG "[CONFIG multigraph $plugin] Service is now $service";
+ $correct++;
}
elsif ($line =~ m{\A ([^\s\.]+) \s+ (.+?) \s* $}xms) {
$correct++;
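Review bot: The two new checks on `$service` anchor with `^` and `$`, and `$` also matches just before a trailing newline, so a name ending in a newline would pass `m/^[-\w.:.]+$/` and then be written into the log line and used as a key. Whether `$line` can still carry one depends on how it is read above this hunk. `\A` and `\z` close the gap regardless, and the character class lists the dot twice: `if ($service !~ m/\A[-\w.:]+\z/) {` and `if ($service =~ /(\A\.|\.\z|\.\.)/) {`. The same two checks are copied into the hunk at -463; a small helper returning the error text would keep the config and fetch paths from drifting apart.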
@@ -463,16 +474,26 @@
next if $line =~ /^\#/;
if ($line =~ m{\A multigraph \s+ (.+) }xms) {
- $correct++;
-
$service = $1;
+ if ($service =~ /(^\.|\.$|\.\.)/) {
+ ERROR "[ERROR] SERVICE \"$service\" contains dots in wrong places in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port};
+ $errors++;
+ last;
+ }
+ if ($service !~ m/^[-\w.:.]+$/) {
+ ERROR "[ERROR] SERVICE \"$service\" contains weird characters in plugin $plugin on ".$self->{host}."/".$self->{address}."/".$self->{port};
+ $errors++;
+ last;
+ }
$values{$service} = {};
if ($service eq 'multigraph') {
+ $errors++;
ERROR "[ERROR] SERVICE can't be named \"$service\" in plugin $plugin on ".
$nodedesignation;
- croak("Plugin error. Please consult the log.");
+ last;
}
+ $correct++;
}
elsif ($line =~ m{\A ([^\.]+)\.value \s+ ([\S:]+) }xms) {
my ($data_source, $value, $when) = ($1, $2, $now);
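Review bot: In this fetch-side hunk `$values{$service} = {};` still runs before the `$service eq 'multigraph'` test, so a `multigraph` key is left in `%values` when the loop exits through `last`. The config-side hunk at -307 does the name test first, and the same order is safer here: move the `if ($service eq 'multigraph') { ... }` block above the assignment. What is done with `%values` and `$errors` after the loop is outside the hunk, so the practical effect should be checked there.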
munin-2.0.18.tar.bz2/node/_bin/munin-asyncd.in
@@ -145,12 +145,6 @@
MAIN: while($keepgoing) {
my $when = time;
- {
- # XXX - quickfix a bug that when sleeping too little, would
- # then sleep a whole $timeout
- $timeout = 1;
- }
-
my $when_next = $when + $timeout; # wake up at least every $timeout sec
my $sock;
PLUGIN: foreach my $plugin (@plugins) {
@@ -174,12 +168,16 @@
$sock = new IO::Socket::INET(
PeerAddr => "$host",
Proto => 'tcp'
- ) || die "Error creating socket: $!";
+ );
+
+ unless ($sock) {
+ warn "Error creating socket: $!, moving to next plugin to try again";
+ next;
+ }
+
<$sock>; # skip header
}
- # $sock is still not open. moving to next plugin to try again
- next unless $sock;
# Setting the command name for a useful top information
$process_name = "plugin:$plugin";
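Review bot: The new failure branch reports `$!`, but `IO::Socket::INET` puts the reason for a failed constructor in `$@`, and `$!` can be stale or empty, for example when name resolution fails. The message should read `warn "Error creating socket: $@, moving to next plugin to try again";`. The bare `next` sits inside nested blocks of a loop that already has a label, so `next PLUGIN;` would make the target explicit. The context line `<$sock>; # skip header` reads the banner without a timeout, so a peer that accepts the connection and sends nothing would stall the loop; the enclosing block starts above the hunk.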
@@ -211,6 +209,8 @@
if ($sleep_sec > 0) {
print STDERR "[$$][$process_name] Sleeping $sleep_sec sec\n" if $verbose;
sleep $sleep_sec;
+ } else {
+ print STDERR "[$$][$process_name] Already late : should sleep $sleep_sec sec\n" if $verbose;
}
}
munin-2.0.18.tar.bz2/node/lib/Munin/Node/Config.pm
@@ -91,8 +91,10 @@
return if $self->_handled_by_net_server($var_name);
my %config_variables = map { $_ => 1 } qw(
+ global_timeout
ignore_file
paranoia
+ spooldir
timeout
tls
tls_ca_certificate
munin-2.0.18.tar.bz2/plugins/node.d.linux/open_files.in
@@ -47,13 +47,16 @@
echo 'graph_info This graph monitors the Linux open files table.'
echo 'used.label open files'
echo 'used.info The number of currently open files.'
- print_warning used
- print_critical used
+ computed_warning=$(awk '{printf "%d", $3*0.92}' < /proc/sys/fs/file-nr)
+ computed_critical=$(awk '{printf "%d", $3*0.98}' < /proc/sys/fs/file-nr)
+ p_warning=$(print_warning used)
+ p_critical=$(print_critical used)
+ [ -z "$p_warning" ] && echo "used.warning $computed_warning" || echo $p_warning
+ [ -z "$p_critical" ] && echo "used.critical $computed_critical" || echo $p_critical
echo 'max.label max open files'
echo 'max.info The maximum supported number of open files. Tune by modifying /proc/sys/fs/file-max.'
print_warning max
print_critical max
- awk '{printf "used.warning %d\nused.critical %d\n",$3*0.92,$3*0.98}' < /proc/sys/fs/file-nr
exit 0
fi
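Review bot: `echo $p_warning` and `echo $p_critical` expand unquoted, so the configured threshold text is word-split and glob-expanded before it is printed. The `[ -z ... ] && echo ... || echo ...` form also runs the second `echo` if the first one fails. An explicit test with quoting avoids both: `if [ -n "$p_warning" ]; then echo "$p_warning"; else echo "used.warning $computed_warning"; fi`, and the same for critical. The two `awk` calls read `/proc/sys/fs/file-nr` separately, so the two computed limits can come from different samples.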
munin-2.0.18.tar.bz2/plugins/node.d/ipmi_sensor_.in
@@ -69,7 +69,7 @@
import sys
import re
-CACHEDIR = os.environ['MUNIN_PLUGSTATE']
+CACHEDIR = environ['MUNIN_PLUGSTATE']
CACHEFILE = "plugin-ipmi_sensor.cache"
CACHEAGE = 120
CONFIG = '@@CONFDIR@@/ipmi'
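Review bot: `CACHEDIR = environ['MUNIN_PLUGSTATE']` only works if `environ` is imported by name above this hunk; the visible context shows just `import sys` and `import re`, so that import should be confirmed. The lookup raises a bare `KeyError` at import time when the plugin is run outside `munin-run`. A short check that prints a clear message and exits when `MUNIN_PLUGSTATE` is unset would make that failure readable. A comment such as `# MUNIN_PLUGSTATE is set by munin-node; the cache file lives in that per-user state directory.` would document the dependency.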