13740 – pnp4nagios new security issues CVE-2014-4907 and CVE-2014-4908

Bug 13740 - pnp4nagios new security issues CVE-2014-4907 and CVE-2014-4908

Summary: pnp4nagios new security issues CVE-2014-4907 and CVE-2014-4908

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/605370/
Whiteboard:	advisory mga4-32-ok mga4-64-ok
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2014-07-14 21:33 CEST by David Walser
Modified:	2015-05-11 22:11 CEST (History)
CC List:	4 users (show)

See Also:
Source RPM:	pnp4nagios-0.6.21-2.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-07-14 21:33:43 CEST

Fedora has issued an advisory on July 5:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135371.html

They updated to 0.6.22 to fix CVE-2014-4907 and added 2 patches for CVE-2014-4908:
http://pkgs.fedoraproject.org/cgit/pnp4nagios.git/commit/?id=130e25c7c96e22d106edb62fb6d912a41f96d53e

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2014-07-14 21:33:52 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Sander Lepik 2014-11-29 15:43:23 CET

It's actually dropped from cauldron.

CC: (none) => mageia
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 2 Nicolas Lécureuil 2015-05-11 09:42:33 CEST

fixes pushed in mga4 core/udates_testing

CC: (none) => mageia

Comment 3 David Walser 2015-05-11 14:07:23 CEST

It still needs to be updated to 0.6.22.

Comment 4 David Walser 2015-05-11 14:32:19 CEST

Updated package uploaded for Mageia 4.  Thanks Nicolas!

Advisory:
========================

Updated pnp4nagios package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in
share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22
allows remote attackers to inject arbitrary web script or HTML via a parameter
that is not properly handled in an error message (CVE-2014-4907).

Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through
0.6.22 allow remote attackers to inject arbitrary web script or HTML via the
URI used for reaching share/pnp/application/views/kohana_error_page.php or
share/pnp/application/views/template.php, leading to improper handling within
an http-equiv="refresh" META element (CVE-2014-4908).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4908
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135371.html
========================

Updated packages in core/updates_testing:
========================
pnp4nagios-0.6.25-1.1.mga4

from pnp4nagios-0.6.25-1.1.mga4.src.rpm

CC: (none) => alien
Assignee: alien => qa-bugs

Comment 5 claire robinson 2015-05-11 15:23:10 CEST

Testing complete mga4 32 

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 6 claire robinson 2015-05-11 17:44:03 CEST

Advisory uploaded.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 7 claire robinson 2015-05-11 19:38:14 CEST

Testing complete mga4 64

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-11 22:11:28 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0203.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.