Opened at 2013-10-26T16:58:52+02:00
Closed at 2013-12-02T13:55:35+01:00
#1397 closed defect (fixed)
Malicious plugin can abort data collection for a node
| Reported by: | cbiedl | Owned by: | nobody |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | master | Version: | 2.0.6 |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
Hi there,
using "multigraph" as a multigraph service name is not accepted by
Munin::Master::Node. The check however dies (in config) or croaks
(in fetch), causing the connection to be dropped and no data to be
gathered for that node. That's a bit harsh.
The patch below lowers that situation to two error messages.
Impact is rather small as this affects the data for that node itself.
A malicious plugin still does harm, but if an evil guy is able to
control which plugins are run on a node, no longer collecting munin
data for that one is not one of the bigger concerns.
Cheers,
Christoph
Attachments (1)
Change History (2)
Changed at 2013-10-26T16:59:11+02:00 by cbiedl
comment:1 Changed at 2013-12-02T13:55:35+01:00 by cbiedl
- Resolution set to fixed
- Status changed from new to closed
This was assigned CVE-2013-6359 and fixed in 2.0.18
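
The failure mode described in this ticket, as an added Perl sketch: it is not Munin's code and not the attached patch. The function names (`name_ok`, `parse_strict`, `parse_tolerant`) and the sample lines are constructed for illustration; the sketch contrasts a name check that raises an exception for the whole node response with one that reports the error and skips only the offending section.

```perl
use strict;
use warnings;

# Constructed sample: config output of one node with three multigraph sections.
my @lines = (
    'multigraph cpu',        'graph_title CPU usage',
    'multigraph multigraph', 'graph_title rejected name',
    'multigraph disk',       'graph_title Disk usage',
);

# The check from the ticket: "multigraph" is not accepted as a service name.
sub name_ok { my ($name) = @_; return $name ne 'multigraph' }

# Before: the rejected name raises an exception, so the caller loses the
# whole response, including the sections that parsed fine.
sub parse_strict {
    my (%services, $current);
    for my $line (@_) {
        if ($line =~ /\Amultigraph\s+(\S+)/) {
            die "service can't be named \"$1\"\n" unless name_ok($1);
            $current = $1;
            next;
        }
        push @{ $services{$current} }, $line if defined $current;
    }
    return \%services;
}

# After: the rejected name is recorded as an error and only that section is skipped.
sub parse_tolerant {
    my (%services, $current, @errors);
    for my $line (@_) {
        if ($line =~ /\Amultigraph\s+(\S+)/) {
            $current = name_ok($1) ? $1 : undef;
            push @errors, "service can't be named \"$1\"" unless defined $current;
            next;
        }
        push @{ $services{$current} }, $line if defined $current;
    }
    return (\%services, \@errors);
}

my $strict = eval { parse_strict(@lines) };
(my $why = $@) =~ s/\s+\z//;
print 'strict:   ', ($strict ? join(',', sort keys %$strict) : "aborted, $why"), "\n";
my ($svc, $err) = parse_tolerant(@lines);
print 'tolerant: ', join(',', sort keys %$svc), ' (', scalar @$err, " error logged)\n";
```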