Bug 13197 - nagios new security issue CVE-2014-1878
Summary: nagios new security issue CVE-2014-1878
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/594740/
Whiteboard: MGA3TOO has_procedure advisory mga4-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-04-11 18:02 CEST by David Walser
Modified: 2014-04-23 18:17 CEST (History)

See Also:
Source RPM: nagios-4.0.2-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-04-11 18:02:09 CEST
openSUSE has issued an advisory today (April 11):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00033.html

David Walser 2014-04-11 18:02:15 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

David Walser 2014-04-14 17:40:42 CEST

URL: (none) => http://lwn.net/Vulnerabilities/594740/

Comment 1 David Walser 2014-04-22 00:07:26 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated nagios packages fix security vulnerability:

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios
Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5,
and 1.10 before 1.10.3 allows remote attackers to cause a denial of service
(segmentation fault) via a long message to cmd.cgi (CVE-2014-1878).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1878
http://lists.opensuse.org/opensuse-updates/2014-04/msg00033.html
========================

Updated packages in core/updates_testing:
========================
nagios-3.4.4-4.3.mga3
nagios-www-3.4.4-4.3.mga3
nagios-devel-3.4.4-4.3.mga3
nagios-4.0.2-1.1.mga4
nagios-www-4.0.2-1.1.mga4
nagios-devel-4.0.2-1.1.mga4

from SRPMS:
nagios-3.4.4-4.3.mga3.src.rpm
nagios-4.0.2-1.1.mga4.src.rpm

CC: (none) => guillomovitch
Version: Cauldron => 4
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
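The bug class behind the advisory text above, as an added example written for this page and not taken from Nagios Core, Icinga, or the Mageia packages: cmd_submitf() assembles the external command into a fixed-size stack buffer, and a stack overflow of the kind described arises when the code trusts the value vsnprintf() returns (the length the whole string would have had) as the number of bytes actually written. That this is the exact mechanism in cgi/cmd.c is an assumption here, since the source is not on this page; the 64-byte buffer, the ADD_HOST_COMMENT command name, the field layout and the sample message are all constructed for the demo.

```c
/* Added example (not Nagios Core's or Icinga's code): the vsnprintf()
 * return-value pitfall that turns a long cmd.cgi message into a stack
 * overflow, shown beside a hardened form. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 64                 /* assumption: small so a short input overflows */
#define DEMO_CMD    "ADD_HOST_COMMENT" /* assumption: any external command name will do */

/* Vulnerable pattern. vsnprintf() returns the length the full string WOULD
 * have had, not the bytes it wrote, so after a truncated write `len` points
 * past the end of cmd[] and the terminator store overflows the stack.
 * To show this without undefined behaviour, this version returns the index
 * the original pattern would have written the terminator to instead of
 * performing the write. */
static int vuln_terminator_index(unsigned long ts, const char *command, const char *fmt, ...)
{
    char cmd[CMD_BUF_LEN];
    va_list ap;
    int len, len2;

    len = snprintf(cmd, sizeof cmd, "[%lu] %s;", ts, command);
    if (len < 0 || (size_t)len >= sizeof cmd)
        return -1;

    va_start(ap, fmt);
    len2 = vsnprintf(cmd + len, sizeof cmd - (size_t)len, fmt, ap);
    va_end(ap);
    if (len2 < 0)
        return -1;

    len += len2;                 /* unchecked: can exceed sizeof cmd - 1 */
    /* original pattern: cmd[len] = 0;   <-- out-of-bounds write */
    return len;
}

/* Hardened form: a return value >= the remaining space means truncation, so
 * the command is refused instead of trusting len. On success the full
 * command is copied into out (out_len bytes) and 0 is returned. */
static int safe_build_cmd(char *out, size_t out_len, unsigned long ts,
                          const char *command, const char *fmt, ...)
{
    char cmd[CMD_BUF_LEN];
    va_list ap;
    int len, len2;
    size_t remaining;

    len = snprintf(cmd, sizeof cmd, "[%lu] %s;", ts, command);
    if (len < 0 || (size_t)len >= sizeof cmd)
        return -1;
    remaining = sizeof cmd - (size_t)len;

    va_start(ap, fmt);
    len2 = vsnprintf(cmd + len, remaining, fmt, ap);
    va_end(ap);
    if (len2 < 0 || (size_t)len2 >= remaining)
        return -1;               /* truncated: reject rather than overflow */

    len += len2;
    cmd[len] = 0;                /* provably within bounds now */
    if ((size_t)len >= out_len)
        return -1;
    memcpy(out, cmd, (size_t)len + 1);
    return 0;
}

/* Constructed sample input: a comment body far longer than the buffer. */
static const char *make_long_message(void)
{
    static char msg[128];
    memset(msg, 'A', sizeof msg - 1);
    msg[sizeof msg - 1] = 0;
    return msg;
}

static char g_out[CMD_BUF_LEN];

/* Feed one comment body through each version; timestamp fixed at 0 so the
 * results are deterministic. */
static int demo_vuln(const char *message)
{
    return vuln_terminator_index(0, DEMO_CMD, "%s;%d;%s;%s", "host1", 1, "admin", message);
}

static const char *demo_safe(const char *message)
{
    if (safe_build_cmd(g_out, sizeof g_out, 0, DEMO_CMD,
                       "%s;%d;%s;%s", "host1", 1, "admin", message) != 0)
        return NULL;
    return g_out;
}

int main(void)
{
    int idx = demo_vuln(make_long_message());
    printf("vulnerable pattern would store the terminator at cmd[%d] in a %d-byte buffer: %s\n",
           idx, CMD_BUF_LEN, idx >= CMD_BUF_LEN ? "OVERFLOW" : "ok");
    printf("hardened form, long message: %s\n",
           demo_safe(make_long_message()) ? "accepted" : "rejected");
    printf("hardened form, short message: %s\n", demo_safe("disk replaced"));
    return 0;
}
```

The check that matters is the single comparison `len2 >= remaining` after vsnprintf(); without it, every caller that adds the return value to an offset and then indexes the buffer is one long request away from a crash, which is exactly the denial of service the advisory describes.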

Comment 2 Shlomi Fish 2014-04-22 14:56:23 CEST
Isn't there a procedure here: https://bugs.mageia.org/show_bug.cgi?id=8799 ?

CC: (none) => shlomif

Comment 3 Shlomi Fish 2014-04-22 15:27:42 CEST
OK, what I did was:

* Disabled updates_testing.

* Installed task-nagios. (urpmi task-nagios)

* "service nagios start".

* Browse to http://localhost/nagios/

* Check the Tactical Overview 

* Check the Reports -> Availability.

* Enable the updates_testing repository.

* "urpmi nagios nagios-www nagios-devel".

* "service nagios stop".

* "service nagios start".

* Check the http://localhost/nagios/ links again.

Is this OK? I tested it on both MGA4-32 and MGA4-64 and everything worked in both cases.

Regards,

-- Shlomi Fish
Comment 4 claire robinson 2014-04-22 16:05:47 CEST
That'll do then, Shlomi, yes, thanks. You can configure a user and log in, but it's not very user friendly. See bug 8799 comment 9 for more info.

Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok mga4-64-ok

claire robinson 2014-04-22 16:42:51 CEST

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 5 Shlomi Fish 2014-04-22 17:26:03 CEST
(In reply to claire robinson from comment #4)
> That'll do then Shlomi yes, thanks. You can configure a user and log in but
> it's not very user friendly. See bug 8799 comment 9 for more info.

Thanks. Now I checked it on MGA3-32 and MGA3-64 and it's OK there as well.

Regards,

-- Shlomi Fish
Comment 6 Shlomi Fish 2014-04-22 17:26:41 CEST
Adding the keywords.

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok

Comment 7 claire robinson 2014-04-22 17:34:27 CEST
Thanks Shlomi.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-04-23 18:17:54 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0186.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

