Debian Security Advisory DSA 3495-1 (xymon - security update)

Markus Krell discovered that xymon, a network- and applications-monitoring system, was vulnerable to the following security issues: CVE-2016-2054The incorrect handling of user-supplied input in the config command can trigger a stack-based buffer overflow, resulting in denial of service (via application crash) or remote code execution. CVE-2016-2055The incorrect handling of user-supplied input in the config command can lead to an information leak by serving sensitive configuration files to a remote user. CVE-2016-2056 The commands handling password management do not properly validate user-supplied input, and are thus vulnerable to shell command injection by a remote user. CVE-2016-2057 Incorrect permissions on an internal queuing system allow a user with a local account on the xymon master server to bypass all network-based access control lists, and thus inject messages directly into xymon. CVE-2016-2058 Incorrect escaping of user-supplied input in status webpages can be used to trigger reflected cross-site scripting attacks.

xymon on Debian Linux

This check tests the installed software version using the apt package manager.

For the stable distribution (jessie), these problems have been fixed in version 4.3.17-6+deb8u1. We recommend that you upgrade your xymon packages.