Bug 13740

Summary: pnp4nagios new security issues CVE-2014-4907 and CVE-2014-4908
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: alien, mageia, mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/605370/
Whiteboard: advisory mga4-32-ok mga4-64-ok
Source RPM: pnp4nagios-0.6.21-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-07-14 21:33:43 CEST 
Fedora has issued an advisory on July 5:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135371.html

They updated to 0.6.22 to fix CVE-2014-4907 and added 2 patches for CVE-2014-4908:
http://pkgs.fedoraproject.org/cgit/pnp4nagios.git/commit/?id=130e25c7c96e22d106edb62fb6d912a41f96d53e

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-14 21:33:52 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Sander Lepik 2014-11-29 15:43:23 CET 
It's actually dropped from cauldron.

CC: (none) => mageia
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 2 Nicolas Lécureuil 2015-05-11 09:42:33 CEST 
fixes pushed in mga4 core/udates_testing

CC: (none) => mageia

Comment 3 David Walser 2015-05-11 14:07:23 CEST 
It still needs to be updated to 0.6.22.
Comment 4 David Walser 2015-05-11 14:32:19 CEST 
Updated package uploaded for Mageia 4.  Thanks Nicolas!

Advisory:
========================

Updated pnp4nagios package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in
share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22
allows remote attackers to inject arbitrary web script or HTML via a parameter
that is not properly handled in an error message (CVE-2014-4907).

Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through
0.6.22 allow remote attackers to inject arbitrary web script or HTML via the
URI used for reaching share/pnp/application/views/kohana_error_page.php or
share/pnp/application/views/template.php, leading to improper handling within
an http-equiv="refresh" META element (CVE-2014-4908).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4908
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135371.html
========================

Updated packages in core/updates_testing:
========================
pnp4nagios-0.6.25-1.1.mga4

from pnp4nagios-0.6.25-1.1.mga4.src.rpm

CC: (none) => alien
Assignee: alien => qa-bugs

Comment 5 claire robinson 2015-05-11 15:23:10 CEST 
Testing complete mga4 32 

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 6 claire robinson 2015-05-11 17:44:03 CEST 
Advisory uploaded.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 7 claire robinson 2015-05-11 19:38:14 CEST 
Testing complete mga4 64

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-11 22:11:28 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0203.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED