Fedora has issued an advisory on July 5:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135371.html

They updated to 0.6.22 to fix CVE-2014-4907 and added 2 patches for CVE-2014-4908:
http://pkgs.fedoraproject.org/cgit/pnp4nagios.git/commit/?id=130e25c7c96e22d106edb62fb6d912a41f96d53e

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
It's actually dropped from cauldron.
CC: (none) => mageia
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
fixes pushed in mga4 core/updates_testing
CC: (none) => mageia
It still needs to be updated to 0.6.22.
Updated package uploaded for Mageia 4. Thanks Nicolas!

Advisory:
========================

Updated pnp4nagios package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message (CVE-2014-4907).

Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching share/pnp/application/views/kohana_error_page.php or share/pnp/application/views/template.php, leading to improper handling within an http-equiv="refresh" META element (CVE-2014-4908).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4908
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135371.html
========================

Updated packages in core/updates_testing:
========================
pnp4nagios-0.6.25-1.1.mga4

from pnp4nagios-0.6.25-1.1.mga4.src.rpm
CC: (none) => alien
Assignee: alien => qa-bugs
Testing complete mga4 32

Just ensuring it updates cleanly during mga5 final release cycle.
Whiteboard: (none) => mga4-32-ok
Advisory uploaded.
Whiteboard: mga4-32-ok => advisory mga4-32-ok
Testing complete mga4 64

Validating.

Please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0203.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED