Bug 22049

Summary: nagios new security issues CVE-2016-6209, CVE-2017-12847, CVE-2017-14312, rhbz#1376658
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: nagios-4.3.1-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-11-17 17:20:33 CET 
Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYI2Q2GXM5Z4DQCQSU2GUHC6AUDK7HK3/

The two CVEs I didn't mention, we already previously fixed.

These issue appear to have been fixed upstream in the following versions:
CVE-2017-14312 4.3.4
CVE-2017-12847 4.3.3
CVE-2016-6209 4.3.0
https://bugzilla.redhat.com/show_bug.cgi?id=1376658 4.2.0

So the last two issues in that list only affect Mageia 5.

CVE-2016-6209 was the hardest to track down, here's a reference for that:
https://github.com/NagiosEnterprises/nagioscore/issues/297
David Walser 2017-11-17 17:20:41 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Guillaume Rousse 2017-11-19 15:42:25 CET 
I just submitted nagios-4.3.1-2.1.mga6 in updates_testing for mageia 6, fixing CVE-2017-12847, and a minor log flooding issue. CVE-2017-14312 doesn't apply, as /usr/sbin/nagios and /etc/nagios/nagios.cfg are owned by root user. And CVE-2016-6209 is already fixed, as we're shipping nagios 4.3.1.

Regarding mageia 5, this package doesn't qualify as a "component found in most systems" IMHO, and doesn't justify an update.

Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs

Comment 2 David Walser 2017-11-19 16:44:34 CET 
Advisory:
========================

Updated nagios packages fix security vulnerability:

It was found that nagios daemon creates its PID file after dropping privileges,
which allows to change its content by non-root user with PID of any other
process, resulting into denial-of-service when daemon is stopped
(CVE-2017-12847).

Note that the nagios package on Mageia 5 is no longer supported.  Users of this
package should upgrade to Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12847
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYI2Q2GXM5Z4DQCQSU2GUHC6AUDK7HK3/
========================

Updated packages in core/updates_testing:
========================
nagios-4.3.1-2.1.mga6
nagios-www-4.3.1-2.1.mga6
nagios-devel-4.3.1-2.1.mga6

from nagios-4.3.1-2.1.mga6.src.rpm

Whiteboard: MGA5TOO => (none)

Comment 3 Lewis Smith 2017-11-30 10:39:36 CET 
Some past pointers:
 https://bugs.mageia.org/show_bug.cgi?id=8799#c9
 https://bugs.mageia.org/show_bug.cgi?id=13197#c3
which I will try.

CC: (none) => lewyssmith

Comment 4 Dave Hodgins 2017-11-30 19:56:55 CET 
Lewis, we have https://wiki.mageia.org/en/QA_procedure:Nagios

I started testing before I saw your comment.

Before the update ...
$ ll /run/nagios/nagios.pid 
-rw-r--r-- 1 nagios nagios 5 Nov 30 13:47 /run/nagios/nagios.pid

This should only be a problem if the service is hacked to alter the pid file.

After the update ...
$ ll /run/nagios/nagios.pid 
-rw-r--r-- 1 root root 5 Nov 30 13:32 /run/nagios/nagios.pid

Also the nagios service works after the update, on both arches.

I'll upload the advisory shortly.

Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2017-11-30 20:02:08 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2017-12-02 00:14:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0437.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED