Xymon 4.3.29 Released - Important Security Update
Probably also in all the following:
-bash-4.1$ find . -type f -exec grep pragma {} +
./xymonnet/xymonnet.c: #pragma GCC diagnostic push
./xymonnet/xymonnet.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./xymonnet/xymonnet.c: #pragma GCC diagnostic pop
./lib/holidays.c: #pragma GCC diagnostic push
./lib/holidays.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/holidays.c: #pragma GCC diagnostic pop
./lib/acklog.c: #pragma GCC diagnostic push
./lib/acklog.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/acklog.c: #pragma GCC diagnostic pop
./lib/tree.c:#pragma GCC diagnostic push
./lib/tree.c:#pragma GCC diagnostic ignored "-Wunused-result"
./lib/tree.c:#pragma GCC diagnostic pop
./lib/htmllog.c: #pragma GCC diagnostic push
./lib/htmllog.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/htmllog.c: #pragma GCC diagnostic pop
./lib/stackio.c: #pragma GCC diagnostic push
./lib/stackio.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/stackio.c: #pragma GCC diagnostic pop
./lib/timefunc.c: #pragma GCC diagnostic push
./lib/timefunc.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/timefunc.c: #pragma GCC diagnostic pop
./lib/misc.c: #pragma GCC diagnostic push
./lib/misc.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/misc.c: #pragma GCC diagnostic pop
./lib/eventlog.c: #pragma GCC diagnostic push
./lib/eventlog.c: #pragma GCC diagnostic ignored "-Wformat-truncation"
./lib/eventlog.c: #pragma GCC diagnostic pop
On Jul 24, 2019, at 08:46, Richard L. Hamilton <user-af55987f6d56@xymon.invalid> wrote:

gcc prior to 4.6 gives the errors:

acklog.c: In function ‘do_acklog’:
acklog.c:129:12: error: #pragma GCC diagnostic not allowed inside functions
acklog.c:130:12: error: #pragma GCC diagnostic not allowed inside functions
acklog.c:132:12: error: #pragma GCC diagnostic not allowed inside functions

Discussion of other software with a similar problem suggests a gcc version test for those. Or just comment out those lines, for those who don't want to install a newer gcc and don't want to wait for a version test to be added.

> On Jul 23, 2019, at 12:11, Japheth Cleaver <user-87556346d4af@xymon.invalid> wrote:
>
>> On 7/23/2019 8:57 AM, Japheth Cleaver wrote:
>>
>> Hello all,
>>
>> Xymon 4.3.29 has been released to Sourceforge and should be propagating to mirrors as I write this. Along with an assortment of bug fixes and compilation compatibility fixes for recent glibc systems, this version contains several fixes for security vulnerabilities within some CGI parsing. Although some of these overflows are not exploitable, others, including an XSS vulnerability are. Fixes beyond these CVEs have been made throughout the library, web, and network code to help reduce the likelihood of similar issues in other areas. As a result, all users are encouraged to upgrade.
>>
>> The specific CVEs in question are: CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
>
> For clarification, the above CVEs only affect the *server* side of the Xymon monitoring system. Xymon clients are not affected.
>
> -jc
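A gcc version test of the kind suggested in the thread, as an added example that is not code from the Xymon sources: the GCC_AT_LEAST macro, HAVE_FORMAT_TRUNCATION_PRAGMA and format_status() are assumed names, and the call site only imitates the shape of the guarded snprintf calls, so the pragmas are emitted only where the compiler accepts them.

```c
#include <stdio.h>
#include <string.h>

/* Version test (assumed name, not from the Xymon sources): true when the
 * compiler is GCC at least maj.min. Clang also defines __GNUC__ but does
 * not know every GCC warning name, so it is excluded. */
#if defined(__GNUC__) && !defined(__clang__)
#  define GCC_AT_LEAST(maj, min) \
     (__GNUC__ > (maj) || (__GNUC__ == (maj) && __GNUC_MINOR__ >= (min)))
#else
#  define GCC_AT_LEAST(maj, min) 0
#endif

/* "#pragma GCC diagnostic" inside a function body needs GCC >= 4.6 (the
 * "not allowed inside functions" error above), and -Wformat-truncation
 * itself only exists from GCC 7, where older versions would warn about an
 * unknown option instead, so the guard is 7.0. */
#define HAVE_FORMAT_TRUNCATION_PRAGMA GCC_AT_LEAST(7, 0)

/* Same shape as the guarded call sites: snprintf into a fixed buffer where
 * truncation is intended. Returns snprintf's result, i.e. the length the
 * full string would have had, so callers can still detect truncation. */
int format_status(char *buf, size_t bufsz, const char *host, const char *test)
{
    int n;
#if HAVE_FORMAT_TRUNCATION_PRAGMA
#  pragma GCC diagnostic push
#  pragma GCC diagnostic ignored "-Wformat-truncation"
#endif
    n = snprintf(buf, bufsz, "%s.%s", host, test);
#if HAVE_FORMAT_TRUNCATION_PRAGMA
#  pragma GCC diagnostic pop
#endif
    return n;
}

/* Reports which path the build took (1 = pragmas emitted, 0 = skipped). */
int format_truncation_pragma_enabled(void)
{
    return HAVE_FORMAT_TRUNCATION_PRAGMA;
}
```

The same guard compiles cleanly on gcc 4.1 (pragmas skipped), gcc 4.6 to 6 (pragmas skipped, so no unknown-option warning) and gcc 7 and later (pragmas active).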