Security update for monit SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2877-1 Final 1 1 2016-11-22T13:51:24Z current 2016-11-22T13:51:24Z 2016-11-22T13:51:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for monit This update for monit fixes the following issues: - CVE-2016-7067: A malicious attacker could have used a cross-site request forgery vulnerability to trick an authenticated user to perform monit actions. Monit was updated to 5.20, containing all upstream improvements and bug fixes. The following tracked packaging bugs were fixed: - disable sslv3 according to RFC7568 (boo#974763) - fixed pid file directory (boo#971647) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-11/msg00097.html E-Mail link for openSUSE-SU-2016:2877-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 monit-5.20.0-13.1 monit-doc-5.20.0-13.1 monit-5.20.0-13.1 as a component of openSUSE Leap 42.1 monit-doc-5.20.0-13.1 as a component of openSUSE Leap 42.1 monit-5.20.0-13.1 as a component of openSUSE Leap 42.2 monit-doc-5.20.0-13.1 as a component of openSUSE Leap 42.2 The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. CVE-2014-3566 openSUSE Leap 42.1:monit-5.20.0-13.1 openSUSE Leap 42.1:monit-doc-5.20.0-13.1 openSUSE Leap 42.2:monit-5.20.0-13.1 openSUSE Leap 42.2:monit-doc-5.20.0-13.1 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00097.html https://www.suse.com/security/cve/CVE-2014-3566.html CVE-2014-3566 https://bugzilla.suse.com/1011293 SUSE Bug 1011293 https://bugzilla.suse.com/1031023 SUSE Bug 1031023 https://bugzilla.suse.com/901223 SUSE Bug 901223 https://bugzilla.suse.com/901254 SUSE Bug 901254 https://bugzilla.suse.com/901277 SUSE Bug 901277 https://bugzilla.suse.com/901748 SUSE Bug 901748 https://bugzilla.suse.com/901757 SUSE Bug 901757 https://bugzilla.suse.com/901759 SUSE Bug 901759 https://bugzilla.suse.com/901889 SUSE Bug 901889 https://bugzilla.suse.com/901968 SUSE Bug 901968 https://bugzilla.suse.com/902229 SUSE Bug 902229 https://bugzilla.suse.com/902476 SUSE Bug 902476 https://bugzilla.suse.com/902912 SUSE Bug 902912 https://bugzilla.suse.com/903405 SUSE Bug 903405 https://bugzilla.suse.com/903684 SUSE Bug 903684 https://bugzilla.suse.com/903690 SUSE Bug 903690 https://bugzilla.suse.com/903692 SUSE Bug 903692 https://bugzilla.suse.com/904889 SUSE Bug 904889 https://bugzilla.suse.com/905106 SUSE Bug 905106 https://bugzilla.suse.com/914041 SUSE Bug 914041 Monit before version 5.20.0 is vulnerable to a cross site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a specific service. CVE-2016-7067 openSUSE Leap 42.1:monit-5.20.0-13.1 openSUSE Leap 42.1:monit-doc-5.20.0-13.1 openSUSE Leap 42.2:monit-5.20.0-13.1 openSUSE Leap 42.2:monit-doc-5.20.0-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00097.html https://www.suse.com/security/cve/CVE-2016-7067.html CVE-2016-7067 https://bugzilla.suse.com/1007455 SUSE Bug 1007455