commit munin for openSUSE:Factory
Hello community,
here is the log from the commit of package munin for openSUSE:Factory checked in at 2017-03-12 19:59:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/munin (Old)
and /work/SRC/openSUSE:Factory/.munin.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "munin"
Sun Mar 12 19:59:22 2017 rev:9 rq:461943 version:2.0.32
Changes:
--------
--- /work/SRC/openSUSE:Factory/munin/munin.changes 2017-02-19 01:00:30.424006359 +0100
+++ /work/SRC/openSUSE:Factory/.munin.new/munin.changes 2017-03-12 19:59:27.872262902 +0100
@@ -1,0 +2,23 @@
+Thu Mar 2 13:45:33 UTC 2017 - aj@ajaissle.de
+
+- fix source url
+- update to 2.0.32
+- remove CVE-2017-6188-fix-parameter-injection.patch (applied upstream)
+
+-------------------------------------------------------------------
+Thu Feb 23 12:33:21 UTC 2017 - wr@rosenauer.org
+
+- fix CVE-2017-6188: munin-cgi-graph local file write vulnerability
+ (boo#1026539, CVE-2017-6188-fix-parameter-injection.patch)
+
+-------------------------------------------------------------------
+Sun Feb 19 16:08:24 UTC 2017 - wr@rosenauer.org
+
+- update to version 2.0.30
+ Bugfix releases (closes the following issues since 2.0.25)
+ 2.0.26: Closes: D:761190, GH:426
+ 2.0.27: Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
+ 2.0.29: Closes: D:847649, D:849383
+ 2.0.30: Closes: GH:745, GH:771, GH:783
+
+-------------------------------------------------------------------
Old:
----
munin-2.0.25.tar.gz
New:
----
munin-2.0.32.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ munin.spec ++++++
--- /var/tmp/diff_new_pack.y0NpUH/_old 2017-03-12 19:59:29.807989002 +0100
+++ /var/tmp/diff_new_pack.y0NpUH/_new 2017-03-12 19:59:29.811988437 +0100
@@ -1,7 +1,7 @@
#
# spec file for package munin
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,13 +24,13 @@
%define active_by_default 0
Name: munin
-Version: 2.0.25
+Version: 2.0.32
Release: 0
Summary: Network-wide graphing framework (grapher/gatherer)
License: GPL-2.0
Group: System/Monitoring
Url: http://munin-monitoring.org/
-Source0: http://heanet.dl.sourceforge.net/sourceforge/%{name}/%{name}-%{version}.tar.gz
+Source0: http://downloads.munin-monitoring.org/%{name}/stable/%{version}/%{name}-%{version}.tar.gz
Source1: Makefile.config
Source2: munin-node.rc
Source3: munin.cron.d
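Review bot: the new Source0 still fetches the tarball over plain http://, and nothing in this hunk adds a signature or checksum source to verify it. If downloads.munin-monitoring.org serves the same path over https, switch the scheme, and if upstream publishes detached signatures, add the signature and keyring as extra Source entries so the tarball can be verified at build time.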
@@ -100,10 +100,10 @@
%package node
Summary: Network-wide graphing framework (node)
-Group: System/Monitoring
# some scripts need logtail which is part of package logdigest in openSUSE
# problem with logdigest is that it installs a cronjob for itself which
# might be unwanted
+Group: System/Monitoring
Recommends: logdigest
Requires: perl-HTML-Template
Requires: perl-Log-Log4perl
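Review bot: moving "Group: System/Monitoring" below the logtail/logdigest comment separates that comment from the "Recommends: logdigest" line it explains. Keep Group directly under Summary, or move the comment down so it sits immediately above Recommends, so the reason for the weak dependency stays attached to it.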
++++++ munin-2.0.25.tar.gz -> munin-2.0.32.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/ChangeLog new/munin-2.0.32/ChangeLog
--- old/munin-2.0.25/ChangeLog 2014-11-24 22:46:24.000000000 +0100
+++ new/munin-2.0.32/ChangeLog 2017-03-01 20:43:49.000000000 +0100
@@ -1,5 +1,216 @@
-*- text -*-
+munin-2.0.32, 2017-03-01
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+Closes: #802, DH:856455
+
+------------------
+Detailed Changelog
+------------------
+
+Steve Schnepp (1):
+ cgi: handle the empty string in CGI arguments
+
+
+munin-2.0.31, 2017-02-25
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+Closes: GH:607
+
+------------------
+Detailed Changelog
+------------------
+
+Kenyon Ralph (1):
+ ntp_kernel plugins: convert ntpq output to seconds
+
+
+munin-2.0.30.1, 2017-02-25
+
+-------
+Summary
+-------
+
+Security release.
+
+Closes: GH:721, D:855705, CVE-2017-6188
+
+------------------
+Detailed Changelog
+------------------
+
+Steve Schnepp (1):
+ Fix wrong parameter expansion in CGI
+
+
+munin-2.0.30, 2017-01-18
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+Closes: GH:745, GH:771, GH:783
+
+------------------
+Detailed Changelog
+------------------
+
+Kenyon Ralph (2):
+ Revert "if_: check for non-empty and >0 before reporting speed (thanks to ssm)"
+ plugins/linux/meminfo: correct typo
+
+Yu Watanabe (1):
+ Revert "munin_stats plugin: only graph munin-graph if graph_strategy=cron"
+
+
+munin-2.0.29, 2016-12-31
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+Closes: D:847649, D:849383
+
+------------------
+Detailed Changelog
+------------------
+
+Artur Smet (1):
+ Add queries for PostgreSQL 9.4
+
+Peter J. Holzer (1):
+ p/postgres_querylength_: don't stack times
+
+Vincas Dargis (1):
+ Update postgres_connections_ for PostgreSQL 9.6
+
+
+
+munin-2.0.28, 2016-12-04
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+------------------
+Detailed Changelog
+------------------
+
+Dr. Nagy Elem�r K�roly (1):
+ Visible graph titles => Ctrl-F works in browsers.
+
+IWAI, Masaharu (1):
+ autodetect the node encoding
+
+Kim B. Heino (3):
+ if_: /sys/class/net/ reports speed 0 for some devices
+ if_, if_err_: add more virtual devices like gre0 and bond0.99 to skip list
+ if_: check for non-empty and >0 before reporting speed (thanks to ssm)
+
+Lars Kruse (1):
+ plugin munin_stats: fix message typo
+
+Mark H. Wood (1):
+ Replace trivial use of Netcat with our own gadget to test for an open port.
+
+Stig Sandbeck Mathisen (1):
+ Add configuration for ssh master-node transport
+
+Tomohiro Hosaka (1):
+ s/IMGWEEKSUM/IMGYEARSUM/
+
+sstj (1):
+ Fix "Use of uninitialized value in numeric eq (==)" warning
+
+
+munin-2.0.27, 2016-10-31
+
+-------
+Summary
+-------
+
+Bugfix release. For Halloween =)
+
+Closes: D:767032, D:768553, D:825136, D:834194, GH:690, GH:714
+
+------------------
+Detailed Changelog
+------------------
+
+Andreas Maus (1):
+ slapd_bdb_cache - autoconf fails when database dir is valid
+
+Holger Levsen (1):
+ munin_stats plugin: only graph munin-graph if graph_strategy=cron
+
+Kenyon Ralph (1):
+ plugins/node.d/ntp_states: fix "outlier" state spelling for recent versions of NTP
+
+Steinar H. Gunderson (1):
+ Update acpi plugin to use the /sys interface.
+
+dipohl (1):
+ Return smartctl exit code and warning message
+
+
+munin-2.0.26, 2016-09-09
+
+-------
+Summary
+-------
+
+Bugfix release.
+
+Closes: D:761190, GH:426
+
+------------------
+Detailed Changelog
+------------------
+
+Bj�rn Forsman (1):
+ multips: reject 'autoconf' unless $names is set
+
+Gabriele (1):
+ p/snmp_if: fix warning on receive
+
+Jason Woods (4):
+ Fix fofields always having the same entries as ofields. fofields now contains only entries that had a state change to OK (fo = fixed ok)
+ Fix ofields previous state detection not working correctly
+ Fix broken limits - Inheritance of warning/critical now works correctly and does not break subsequent limits - Aliased graph fields now obey limits assigned to them
+ Fix get_limit returning [undef, undef] instead of undef when no warning or critical defined
+
+Julien Pivotto (1):
+ Fix #1468: backport http_loadtime from devel
+
+Ken-ichi Mito (1):
+ fix https://github.com/munin-monitoring/munin/issues/426 (Numbers are crazy in diskstats plugin after reboot)
+
+Kenyon Ralph (1):
+ fix typo in graph_title
+
+Steve Schnepp (2):
+ p/apt_all: Be able to override /etc/apt.conf
+ p/apt_all: add some comment about default options
+
+
+
munin-2.0.25, 2014-11-24
-------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/RELEASE new/munin-2.0.32/RELEASE
--- old/munin-2.0.25/RELEASE 2014-11-24 22:47:38.000000000 +0100
+++ new/munin-2.0.32/RELEASE 2017-03-01 20:46:24.000000000 +0100
@@ -1 +1 @@
-2.0.25
+2.0.32
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/common/lib/Munin/Common/Config.pm new/munin-2.0.32/common/lib/Munin/Common/Config.pm
--- old/munin-2.0.25/common/lib/Munin/Common/Config.pm 2014-11-24 22:46:24.000000000 +0100
+++ new/munin-2.0.32/common/lib/Munin/Common/Config.pm 2017-03-01 20:43:49.000000000 +0100
@@ -107,6 +107,8 @@
rundir
service_order
skipdraw
+ ssh_command
+ ssh_options
stack
state
staticdir
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/doc/node/async.rst new/munin-2.0.32/doc/node/async.rst
--- old/munin-2.0.25/doc/node/async.rst 2014-11-24 22:46:24.000000000 +0100
+++ new/munin-2.0.32/doc/node/async.rst 2017-03-01 20:43:49.000000000 +0100
@@ -46,6 +46,9 @@
You will need to create an SSH key for the "munin" user, and
distribute this to all nodes running munin-asyncd.
+The ssh command and options can be customized in :ref:`munin.conf`
+with the ssh_command and ssh_options configuration options.
+
On the munin node
-----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/doc/reference/munin.conf.rst new/munin-2.0.32/doc/reference/munin.conf.rst
--- old/munin-2.0.25/doc/reference/munin.conf.rst 2014-11-24 22:46:24.000000000 +0100
+++ new/munin-2.0.32/doc/reference/munin.conf.rst 2017-03-01 20:43:49.000000000 +0100
@@ -101,6 +101,37 @@
html pages you must configure a web server to run
:ref:`munin-cgi-graph` instead.
+.. option:: ssh_command <command>
+
+ The name of the secure shell command to use. Can be fully
+ qualified or looked up in $PATH.
+
+ Defaults to "ssh".
+
+.. option:: ssh_options <options>
+
+ The options for the secure shell command.
+
+ Defaults are "-o ChallengeResponseAuthentication=no -o
+ StrictHostKeyChecking=no". Please adjust this according to your
+ desired security level.
+
+ With the defaults, the master will accept and store the node ssh
+ host keys with the first connection. If a host ever changes its ssh
+ host keys, you will need to manually remove the old host key from
+ the ssh known hosts file. (with: ssh-keygen -R <node-hostname>, as
+ well as ssh-keygen -R <node-ip-address>)
+
+ You can remove "StrictHostKeyChecking=no" to increase security, but
+ you will have to manually manage the known hosts file. Do so by
+ running "ssh <node-hostname>" manually as the munin user, for each
+ node, and accept the ssh host keys.
+
+ If you would like the master to accept all node host keys, even
+ when they change, use the options "-o
+ UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o
+ PreferredAuthentications=publickey".
+
.. index::
pair: example; munin.conf
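Review bot: the documented default for ssh_options includes StrictHostKeyChecking=no, and the last paragraph suggests UserKnownHostsFile=/dev/null on top of it, but the text never states what is given up. With StrictHostKeyChecking=no an unknown host key is accepted without a prompt, and with the known hosts file pointed at /dev/null no key is ever remembered, so the master cannot notice that a node has been replaced or that the connection is intercepted. The option text should say this explicitly next to both settings and present removing StrictHostKeyChecking=no (with the known hosts file populated beforehand for the munin user) as the recommended setup rather than as an optional hardening step.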
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/master/_bin/munin-cgi-graph.in new/munin-2.0.32/master/_bin/munin-cgi-graph.in
--- old/munin-2.0.25/master/_bin/munin-cgi-graph.in 2014-11-24 22:46:24.000000000 +0100
+++ new/munin-2.0.32/master/_bin/munin-cgi-graph.in 2017-03-01 20:43:49.000000000 +0100
@@ -447,14 +447,20 @@
'--output-file', $filename );
# Sets the correct size on a by_graph basis
- push @params, "--size_x", CGI::param("size_x")
- if (defined(CGI::param("size_x")));
- push @params, "--size_y", CGI::param("size_y")
- if (defined(CGI::param("size_y")));
- push @params, "--upper_limit", CGI::param("upper_limit")
- if (CGI::param("upper_limit"));
- push @params, "--lower_limit", CGI::param("lower_limit")
- if (CGI::param("lower_limit"));
+
+ # using a temporary variable to avoid expansion in list context and fix CVE-2017-6188
+ my $size_x = CGI::param("size_x");
+ push @params, "--size_x", $size_x if $size_x || ($size_x eq "0");
+
+ my $size_y = CGI::param("size_y");
+ push @params, "--size_y", $size_y if $size_y || ($size_y eq "0");
+
+ my $upper_limit = CGI::param("upper_limit");
+ push @params, "--upper_limit", $upper_limit if $upper_limit || ($upper_limit eq "0");
+
+ my $lower_limit = CGI::param("lower_limit");
+ push @params, "--lower_limit", $lower_limit if $lower_limit || ($lower_limit eq "0");
+
# Sometimes we want to set the IMG size, and not the canvas.
push @params, "--full_size_mode"
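Review bot: in the four new conditions of the form `$size_x || ($size_x eq "0")`, the `eq` comparison runs on an undefined value whenever the parameter is absent, which emits an "uninitialized value" warning per request if warnings are enabled; `if defined $size_x && length $size_x` expresses the same intent (skip missing and empty, keep "0") without that. Taking CGI::param() into a scalar does stop the list-context expansion, but the values still reach @params unchecked; since size_x, size_y, upper_limit and lower_limit are all numeric, it would be worth rejecting anything that does not match a numeric pattern before the push. A short comment noting that empty strings are now deliberately dropped (the old size_x/size_y code used defined() and passed them through) would also help the next reader.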
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/munin-2.0.25/master/doc/munin.conf.pod.in new/munin-2.0.32/master/doc/munin.conf.pod.in
--- old/munin-2.0.25/master/doc/munin.conf.pod.in 2014-11-24 22:46:24.000000000 +0100
+++ new/munin-2.0.32/master/doc/munin.conf.pod.in 2017-03-01 20:43:49.000000000 +0100
@@ -127,6 +127,19 @@
throttle down how many rrdgraph calls will be running at the same time
to this number. Affects: munin-cgi-graph and munin-fastcgi-graph.
+=item B">