
Fedora 32: 2021-fc24737ebc Moderate: Monitorix Basic Auth Bypass Fix

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-fc24737ebc
2021-02-05 01:31:59.053776
--------------------------------------------------------------------------------

Name        : monitorix
Product     : Fedora 32
Version     : 3.13.1
Release     : 1.fc32
URL         : https://www.monitorix.org/
Summary     : A free, open source, lightweight system monitoring tool
Description :
Monitorix is a free, open source and lightweight system monitoring tool designed to monitor as many services and system resources as possible. It has been created to be used under production Linux/UNIX servers, but due to its simplicity and small size it may also be used on embedded devices.

--------------------------------------------------------------------------------
Update Information:

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in the 3.13.0 version that led the HTTP built-in server to bypass the Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection, in an attempt to make the default behaviour more clear. All users using the 3.13.0 version are advised and encouraged to upgrade to this new version, which resolves the security issue.

----

This new version introduces three new modules: the long-awaited pgsql.pm, capable of monitoring up to 9 databases of an unlimited number of PostgreSQL servers, and redis.pm and tinyproxy.pm, which are both also capable of monitoring an unlimited number of Redis and Tinyproxy servers respectively.

This version also includes some interesting new features: the new CSS theming support, which will allow people to create their own color themes; the new support for the ss command in the port.pm and nginx.pm modules; the ability to map the device names and also to include a title name in the disk.pm module; the new stacked visualization of network stats available on a number of modules; and more.

Also with this new version, Monitorix is able to be executed as a regular user instead of root. This is of course subject to the capabilities of each module to get statistics without using the superuser.

The rest of new features, changes and bugs fixed are, as always, reflected in the Changes file.

--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 27 2021 Jordi Sanfeliu - 3.13.1-1
- Updated to 3.13.1.
* Fri Jan 22 2021 Jordi Sanfeliu - 3.13.0-1
- Updated to 3.13.0.

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1919169 - monitorix-3.13.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1919169
  [ 2 ] Bug #1920998 - monitorix-3.13.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1920998
  [ 3 ] Bug #1921333 - CVE-2021-3325 monitorix: Basic Authentication bypass in a default installatio [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1921333

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-fc24737ebc' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

The latest Monitorix update for Fedora addresses a security vulnerability related to Basic Authentication, incorporating enhanced default configurations for increased protection.

Severity: Important. LinuxSecurity.com Team
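The condition the advisory describes (version 3.13.0 with hosts_deny not defined inside the auth subsection) can be checked mechanically. The script below is an added example, not part of the Fedora notification or of Monitorix; the function names, the result labels and the sample configuration layout (the `<httpd_builtin>` wrapper and the `enabled` key) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Config layout below is constructed; only <auth> and
# hosts_deny come from the advisory text.

# Print the hosts_deny value set inside the <auth> subsection, or nothing.
auth_hosts_deny() {
    awk '
        /^[ \t]*#/          { next }              # ignore commented-out lines
        /^[ \t]*<auth>/     { in_auth = 1; next }
        /^[ \t]*<\/auth>/   { in_auth = 0; next }
        in_auth && /^[ \t]*hosts_deny[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Classify a host from its installed Monitorix version and config file.
assess() {
    if [ "$1" != "3.13.0" ]; then
        echo "not-3.13.0"                # bug introduced in 3.13.0, fixed in 3.13.1
    elif [ -z "$(auth_hosts_deny "$2")" ]; then
        echo "bypass-condition-met"      # 3.13.0 and hosts_deny undefined
    else
        echo "hosts_deny-defined-upgrade-anyway"
    fi
}

# Constructed sample configs (section names other than <auth> are assumed).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/no-hosts-deny.conf" <<'EOF'
<httpd_builtin>
    <auth>
        enabled = y
        # hosts_deny = all
    </auth>
</httpd_builtin>
EOF
cat > "$tmp/with-hosts-deny.conf" <<'EOF'
<httpd_builtin>
    <auth>
        enabled = y
        hosts_deny = all
    </auth>
</httpd_builtin>
EOF

assess 3.13.0 "$tmp/no-hosts-deny.conf"
assess 3.13.0 "$tmp/with-hosts-deny.conf"
assess 3.13.1 "$tmp/no-hosts-deny.conf"
```

On a real host, pass the version reported by `rpm -q --qf '%{VERSION}' monitorix` and the path of the installed main configuration file; a commented-out hosts_deny line counts as undefined.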

Feb 04, 2021 Important Fedora
