Bug 13197 - nagios new security issue CVE-2014-1878
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/594740/
Whiteboard: MGA3TOO has_procedure advisory mga4-3...
Keywords: validated_update
Reported: 2014-04-11 18:02 CEST by David Walser
Modified: 2014-04-23 18:17 CEST

Source RPM: nagios-4.0.2-1.mga4.src.rpm
Description David Walser 2014-04-11 18:02:09 CEST
openSUSE has issued an advisory today (April 11):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00033.html

Comment 1 David Walser 2014-04-22 00:07:26 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated nagios packages fix security vulnerability:

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios
Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5,
and 1.10 before 1.10.3 allows remote attackers to cause a denial of service
(segmentation fault) via a long message to cmd.cgi (CVE-2014-1878).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1878
http://lists.opensuse.org/opensuse-updates/2014-04/msg00033.html
========================

Updated packages in core/updates_testing:
========================
nagios-3.4.4-4.3.mga3
nagios-www-3.4.4-4.3.mga3
nagios-devel-3.4.4-4.3.mga3
nagios-4.0.2-1.1.mga4
nagios-www-4.0.2-1.1.mga4
nagios-devel-4.0.2-1.1.mga4

from SRPMS:
nagios-3.4.4-4.3.mga3.src.rpm
nagios-4.0.2-1.1.mga4.src.rpm
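The advisory above describes the bug class (a fixed-size stack buffer in a CGI command writer that a long user-supplied message can overrun) but not the shape of the code. The following is an added example, not Nagios's cgi/cmd.c and not part of this bug report: it shows the unbounded pattern beside a hardened formatter that rejects an over-length command line instead of writing past the buffer. The 64-byte limit, the function names and the sample command lines are assumptions made for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Buffer length for one external command line.  Deliberately small here so
 * the over-length case is easy to exercise; this is an assumption for the
 * demo, not the project's real limit. */
#define CMD_BUF_LEN 64

/* The bug class from the advisory: a fixed-size stack buffer filled by calls
 * that are not bounded by the buffer size.  A message longer than the space
 * left after the prefix runs off the end of 'cmd' and corrupts the stack.
 * Shown for contrast only; nothing in this file calls it. */
int submit_unbounded(const char *command, const char *message)
{
    char cmd[CMD_BUF_LEN];
    int len = sprintf(cmd, "[%lu] %s;", (unsigned long)time(NULL), command);
    strcpy(cmd + len, message);          /* no length check: stack overflow */
    return 0;
}

/* Hardened form.  Formats "[stamp] COMMAND;<args>" into out[outlen] and
 * returns 0, or returns -1 with out[0] == '\0' if the line would not fit.
 * Two things matter:
 *   1. snprintf/vsnprintf are bounded by the space actually left;
 *   2. their return value is the length they *wanted* to write, so a value
 *      >= the available space means truncation.  Using that value as an
 *      offset would point past the end of the buffer and make the next
 *      bound underflow, so both cases are rejected rather than written. */
int format_command(char *out, size_t outlen, unsigned long stamp,
                   const char *command, const char *fmt, ...)
{
    va_list ap;
    int len, len2;

    if (out == NULL || outlen == 0 || command == NULL || fmt == NULL)
        return -1;
    out[0] = '\0';

    len = snprintf(out, outlen, "[%lu] %s;", stamp, command);
    if (len < 0 || (size_t)len >= outlen) {
        out[0] = '\0';
        return -1;
    }

    va_start(ap, fmt);
    len2 = vsnprintf(out + len, outlen - (size_t)len, fmt, ap);
    va_end(ap);
    if (len2 < 0 || (size_t)len2 >= outlen - (size_t)len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Wrapper with the same fixed stack buffer the unbounded version used.
 * Returns a pointer to a static copy of the finished command line, or NULL
 * when the input was rejected as too long (the case a CGI should answer
 * with an error page instead of a segmentation fault). */
const char *build_command_line(unsigned long stamp, const char *command,
                               const char *host, const char *message)
{
    static char result[CMD_BUF_LEN];
    char cmd[CMD_BUF_LEN];

    if (format_command(cmd, sizeof cmd, stamp, command, "%s;%s",
                       host, message) != 0)
        return NULL;
    memcpy(result, cmd, sizeof cmd);
    return result;
}

int main(void)
{
    /* Constructed inputs: a sane acknowledgement and an over-long comment. */
    const char *ok = build_command_line(1397232129UL, "ACKNOWLEDGE_HOST_PROBLEM",
                                        "web1", "disk replaced");
    const char *bad = build_command_line(1397232129UL, "ACKNOWLEDGE_HOST_PROBLEM",
                                         "web1",
                                         "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                         "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
    printf("%s\n", ok ? ok : "(rejected)");
    printf("%s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The check on the first snprintf is the one most often left out: if the command name alone fills the buffer, the returned length is already past the end, and a second bounded write computed from it would get a wrapped-around size and no bound at all. Rejecting both truncation cases is what turns the crash into a clean error.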
Comment 2 Shlomi Fish 2014-04-22 14:56:23 CEST
Isn't there a procedure here: https://bugs.mageia.org/show_bug.cgi?id=8799 ?
Comment 3 Shlomi Fish 2014-04-22 15:27:42 CEST
OK, what I did was:

* Disabled updates_testing.

* Installed task-nagios. (urpmi task-nagios)

* "service nagios start".

* Browse to http://localhost/nagios/

* Check the Tactical Overview 

* Check the Reports -> Availability.

* Enable the updates_testing repository.

* "urpmi nagios nagios-www nagios-devel".

* "service nagios stop".

* "service nagios start".

* Check the http://localhost/nagios/ links again.

Is this OK? I tested it on both MGA4-32 and MGA4-64 and everything worked in both cases.

Regards,

-- Shlomi Fish
Comment 4 claire robinson 2014-04-22 16:05:47 CEST
That'll do then, Shlomi, yes, thanks. You can configure a user and log in, but it's not very user friendly. See bug 8799 comment 9 for more info.
Comment 5 Shlomi Fish 2014-04-22 17:26:03 CEST
(In reply to claire robinson from comment #4)
> That'll do then, Shlomi, yes, thanks. You can configure a user and log in, but
> it's not very user friendly. See bug 8799 comment 9 for more info.

Thanks. Now I checked it on MGA3-32 and MGA3-64 and it's OK there as well.

Regards,

-- Shlomi Fish
Comment 6 Shlomi Fish 2014-04-22 17:26:41 CEST
Adding the keywords.
Comment 7 claire robinson 2014-04-22 17:34:27 CEST
Thanks Shlomi.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 8 Thomas Backlund 2014-04-23 18:17:54 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0186.html
