On 7/23/2019 8:57 AM, Japheth Cleaver wrote:
Hello all,
Xymon 4.3.29 has been released to Sourceforge and should be propagating to mirrors as I write this. Along with an assortment of bug fixes and compilation compatibility fixes for recent glibc systems, this version contains several fixes for security vulnerabilities within some CGI parsing. Although some of these overflows are not exploitable, others, including an XSS vulnerability are. Fixes beyond these CVEs have been made throughout the library, web, and network code to help reduce the likelihood of similar issues in other areas. As a result, all users are encouraged to upgrade.
The specific CVEs in question are: ? CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, ? CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
For clarification, the above CVEs only affect the *server* side of the Xymon monitoring system. Xymon clients are not affected.
-jc