A security issue was fixed upstream in Nagios (not sure which version): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7108 http://openwall.com/lists/oss-security/2013/12/23/4 Reproducible: Steps to Reproduce:
Blocks: (none) => 11726Whiteboard: (none) => MGA3TOO
An additional CVE was assigned: http://openwall.com/lists/oss-security/2013/12/24/1
Summary: nagios new security issue CVE-2013-7108 => nagios new security issue CVE-2013-7108 / CVE-2013-7205
I fixed the cauldron package, and I just submitted 3.4.4-4.1.mga3 to updates_testing. I suggest to reuse redhat's advisory: A flaw was reported [1] and fixed [2] in Nagios, which can be exploited to cause a denial of service. This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI. [1] https://secunia.com/advisories/55976/ [2] http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
Assignee: guillomovitch => qa-bugs
Thanks Guillaume. What about the issues in Bug 11706?
CC: (none) => guillomovitch
Just in case anyone's wondering about my previous comment, the other bug was closed as WONTFIX as those issues don't really affect our package. Freeze push request for Cauldron is still pending. Advisory: ======================== Updated nagios packages fix security vulnerability: A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service. This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI (CVE-2013-7108, CVE-2013-7205). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7205 https://secunia.com/advisories/55976/ http://openwall.com/lists/oss-security/2013/12/24/1 https://bugzilla.redhat.com/show_bug.cgi?id=1046113 ======================== Updated packages in core/updates_testing: ======================== nagios-3.4.4-4.1.mga3 nagios-devel-3.4.4-4.1.mga3 nagios-www-3.4.4-4.1.mga3 from nagios-3.4.4-4.1.mga3.src.rpm
Version: Cauldron => 3Whiteboard: MGA3TOO => (none)
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
nagios-4.0.2-1.mga4 uploaded for Cauldron.
Blocks: 11726 => (none)
Fails to start. From /var/log/nagios/nagios.log [1388957574] Failed to obtain lock on file /run/nagios/nagios.pid: No such file or directory [1388957574] Bailing out due to errors encountered while attempting to daemonize... (PID=18121)
Whiteboard: advisory => advisory feedback
OpenSuSE has issued an advisory for this on January 3: http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
URL: (none) => http://lwn.net/Vulnerabilities/579352/
nagios-3.4.4-4.2.mga3, in updates_testing, should fix the issue of /run/nagios not created immediatly after installation.
Thanks Guillaume! Dave, you can add a note to the advisory for this if you'd like (along with updating the package subrel). Something like "An issue that prevented the service from starting has also been fixed."
Whiteboard: advisory feedback => (none)
Advisory updated. Testing shortly.
Whiteboard: (none) => advisory
Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 12100.adv to updates.
Keywords: (none) => validated_updateWhiteboard: advisory => advisory MGA3-64-OK MGA3-32-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0010.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
LWN reference for CVE-2013-7205: http://lwn.net/Vulnerabilities/580996/