Maintainer of sysutils/ganglia-webfrontend,

A security issue has been reported against this port.

References:

http://seclists.org/oss-sec/2015/q3/494
"It's easy to bypass auth by using boolean serialization like this:
$ php -r "echo urlencode(serialize(array('user'=>'admin', 'group'=>'admin', 'token'=>true)));
// Found by d90.andrew
// Exploit:
curl -H 'Cookie: a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D'"

http://seclists.org/oss-sec/2015/q3/502
"Use CVE-2015-6816."

https://github.com/ganglia/ganglia-web/issues/267
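The mechanism behind the report above is PHP's loose comparison: a cookie whose serialized token is the boolean `true` (`b:1`) compares equal to any non-empty string under `==`, so an `unserialize()`-then-`==` check accepts it without knowing the real token. The following is an added illustration written for this PR, not ganglia-web's code or a participant's submission; the secret, cookie layout and function names (`make_token`, `check_vulnerable`, `check_hardened`) are hypothetical, and the demo cookies are constructed inline.

```php
<?php
// Added example (hypothetical, not ganglia-web's code): a minimal
// cookie-based auth check, first with the loose-comparison flaw behind
// CVE-2015-6816, then a hardened form.

// Constructed placeholder; a real deployment reads this from configuration.
const SECRET = 'server-side-secret-example';

// Token bound to the user/group pair via an HMAC over a server-side secret.
function make_token(string $user, string $group): string {
    return hash_hmac('sha256', "$user:$group", SECRET);
}

// Vulnerable: unserialize() of attacker-controlled data, then ==.
// In PHP, true == "<any non-empty string>" is true, so a cookie whose
// token field is b:1 (boolean true) passes even though the caller never
// learned the real token.
function check_vulnerable(string $cookie): bool {
    $data = unserialize(urldecode($cookie));
    if (!is_array($data)) {
        return false;
    }
    return $data['token'] == make_token($data['user'], $data['group']);
}

// Hardened: JSON instead of PHP serialization (no object instantiation on
// decode), explicit type checks so non-strings are rejected before any
// comparison, and hash_equals() for a strict, constant-time string compare.
function check_hardened(string $cookie): bool {
    $data = json_decode(urldecode($cookie), true);
    if (!is_array($data)) {
        return false;
    }
    foreach (['user', 'group', 'token'] as $key) {
        if (!isset($data[$key]) || !is_string($data[$key])) {
            return false;
        }
    }
    return hash_equals(make_token($data['user'], $data['group']), $data['token']);
}

// Constructed demo inputs.
$forged_php  = urlencode(serialize(['user' => 'admin', 'group' => 'admin', 'token' => true]));
$forged_json = urlencode(json_encode(['user' => 'admin', 'group' => 'admin', 'token' => true]));
$legit_json  = urlencode(json_encode([
    'user'  => 'admin',
    'group' => 'admin',
    'token' => make_token('admin', 'admin'),
]));

var_dump(check_vulnerable($forged_php));   // forged boolean token
var_dump(check_hardened($forged_json));    // same trick against the hardened check
var_dump(check_hardened($legit_json));     // genuine token
```

The `is_string` check is what closes the reported hole: a boolean, integer or array never reaches the comparison. Switching the cookie format away from `unserialize()` also removes the separate risk of instantiating arbitrary classes from attacker-supplied data, and `hash_equals()` avoids both the type-juggling of `==` and timing leaks.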
Take for follow on after initial report to maintainer. Note that there isn't an upstream fix for this just yet.
I'll try pinging some of the authors to see if there is an ETA for a fix.
It looks like the issue in the Github issue tracker has been quiet. Have you heard any updates?
My queries went unanswered. I'll post a comment on the issue tracker. Assuming we don't hear back, how should we proceed? I'm not much of a webdev, but I can try making a patch using the description in the issue comments. Maybe the consequences of breaking Ganglia's login aren't so severe, but I'm concerned about leaving this as is much longer.
(In reply to Joseph Mingrone from comment #4) Basically it's an "it depends". It's always going to be best to have a consensus on a fix with upstream. If needed we can backport/test a fix. Alternately we can explore what other downstream users have done and work out a solution that way (i.e. start with poking around Red Hat or Debian bug trackers).
Created attachment 161653: svn diff to upgrade to 3.7.1
Created attachment 161654: poudriere testport output
A commit references this bug:

Author: junovitch
Date: Fri Oct 2 21:54:56 UTC 2015
New revision: 398450
URL: https://svnweb.freebsd.org/changeset/ports/398450

Log:
  sysutils/ganglia-webfrontend: security update 3.7.0 -> 3.7.1

  PR:		202940
  Submitted by:	Joseph Mingrone <jrm@ftfl.ca> (maintainer)
  Security:	d68df01b-564e-11e5-9ad8-14dae9d210b8
  Security:	CVE-2015-6816
  MFH:		2015Q4

Changes:
  head/sysutils/ganglia-webfrontend/Makefile
  head/sysutils/ganglia-webfrontend/distinfo
  head/sysutils/ganglia-webfrontend/pkg-plist
A commit references this bug:

Author: junovitch
Date: Fri Oct 2 22:16:45 UTC 2015
New revision: 398451
URL: https://svnweb.freebsd.org/changeset/ports/398451

Log:
  MFH: r398450

  sysutils/ganglia-webfrontend: security update 3.7.0 -> 3.7.1

  PR:		202940
  Submitted by:	Joseph Mingrone <jrm@ftfl.ca> (maintainer)
  Approved by:	portmgr (erwin)
  Security:	d68df01b-564e-11e5-9ad8-14dae9d210b8
  Security:	CVE-2015-6816

Changes:
_U  branches/2015Q4/
  branches/2015Q4/sysutils/ganglia-webfrontend/Makefile
  branches/2015Q4/sysutils/ganglia-webfrontend/distinfo
  branches/2015Q4/sysutils/ganglia-webfrontend/pkg-plist
(In reply to Joseph Mingrone from comment #6) Joseph, thanks for working this! Patch committed as is and MFH'd to quarterly. VuXML was already committed when this was first announced, so all work on this PR is done and I am closing it now.