Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id EA73A7ABE7 for ; Tue, 16 Feb 2016 05:58:58 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 64C8785FFF; Tue, 16 Feb 2016 05:58:58 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id E663085FFA for ; Tue, 16 Feb 2016 05:58:57 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id Xu2dRNhxKk8A for ; Tue, 16 Feb 2016 05:58:57 +0000 (UTC) Received: from cvs.NetBSD.org (cvs.NetBSD.org [199.233.217.197]) by mail.netbsd.org (Postfix) with ESMTP id 4B99D85F7F for ; Tue, 16 Feb 2016 05:58:57 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 3866CFBB7; Tue, 16 Feb 2016 05:58:57 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" MIME-Version: 1.0 Date: Tue, 16 Feb 2016 05:58:57 +0000 From: "S.P.Zeidler" Subject: CVS commit: pkgsrc/net To: pkgsrc-changes@NetBSD.org Reply-To: spz@netbsd.org X-Mailer: log_accum Message-Id: <20160216055857.3866CFBB7@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: spz Date: Tue Feb 16 05:58:57 UTC 2016 Modified Files: pkgsrc/net/xymon: Makefile PLIST distinfo pkgsrc/net/xymon/patches: patch-configure pkgsrc/net/xymonclient: Makefile distinfo pkgsrc/net/xymonclient/patches: patch-configure Log Message: update of xymon and xymonclient from 4.3.17 to 4.3.25 The following security issues are fixed with this update: * Resolve buffer overflow when handling "config" file requests (CVE-2016-2054) * Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory (symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename end in '.cfg' by default * Resolve shell command injection vulnerability in useradm and chpasswd CGIs (CVE-2016-2056) * Tighten permissions on the xymond BFQ used for message submission to restrict access to the xymon user and group. It is now 0620. (CVE-2016-2057) * Restrict javascript execution in current and historical status messages by the addition of appropriate Content-Security-Policy headers to prevent XSS attacks. (CVE-2016-2058) * Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script. Thank you to Mark Felder for noting the impact and Martin Lenko for the original patch. * Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by eliminating the shell script CGI wrappers Please refer to https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download for further information on fixes and new features. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 pkgsrc/net/xymon/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/xymon/PLIST cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/xymon/distinfo cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/xymon/patches/patch-configure cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/xymonclient/Makefile cvs rdiff -u -r1.13 -r1.14 pkgsrc/net/xymonclient/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/xymonclient/patches/patch-configure Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.