ALAS-2012-130

Amazon Linux 1 Security Advisory: ALAS-2012-130
Advisory Release Date: 2012-10-08 10:39 Pacific
Advisory Updated Date: 2014-09-14 17:07 Pacific

Severity: Medium

References: CVE-2012-3512
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin.

Affected Packages:

munin

Issue Correction:
Run yum update munin to update your system.

New Packages:

noarch:
    munin-common-2.0.6-2.9.amzn1.noarch
    munin-async-2.0.6-2.9.amzn1.noarch
    munin-2.0.6-2.9.amzn1.noarch
    munin-node-2.0.6-2.9.amzn1.noarch
    munin-java-plugins-2.0.6-2.9.amzn1.noarch

src:
    munin-2.0.6-2.9.amzn1.src

Additional References

Red Hat: CVE-2012-3512

Mitre: CVE-2012-3512