Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-836-1 munin

Debian Security Advisory

DLA-836-1 munin -- LTS security update

Date Reported:

25 Feb 2017

Affected Packages:

munin

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 855705.
In Mitre's CVE dictionary: CVE-2017-6188.

More information:

Stevie Trujillo discovered a command injection vulnerability in munin, a network-wide graphing framework. The CGI script for drawing graphs allowed to pass arbitrary GET parameters to local shell command, allowing command execution as the user that runs the webserver.

For Debian 7 Wheezy, these problems have been fixed in version 2.0.6-4+deb7u3.

We recommend that you upgrade your munin packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS