Description of problem:
Several XSS vulnerabilities with nagios

Version-Release number of selected component (if applicable):
nagios-3.2.3-2.mga1.src.rpm

How reproducible:
N/A

Refs (should be able to get patches from one of the links off these pages):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1523
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2179

Possible update text:
Several cross-site scripting (XSS) vulnerabilities have been identified in nagios. Issues with both config.cgi and statusmap.cgi allowed remote attackers to inject arbitrary web script or HTML. These issues have been identified at mitre.org by CVE-2011-1523 and CVE-2011-2179. Updated packages correct these issues.
no interest in this, closing
Status: NEW => RESOLVED
Resolution: (none) => OLD
I understand your frustration at the lack of follow-up given to reported security problems, but I think closing security bugs which have not been solved is not the right way to go. Let's try to keep those issues on the radar at least.
Keywords: (none) => Security
Status: RESOLVED => REOPENED
CC: (none) => remco
Resolution: OLD => (none)
Whose radar are they supposedly on? They've sat at NEW for 2 months. Our release cycle is only 9. If the users and packagers are only interested in new stuff, then let's not pretend we have a support policy and just be a rolling release.
Your radar, our radar. Perhaps it is not given enough priority currently, but that is more a matter of lack of manpower than anything else. Closing unfixed (security) bugs will not make things any better for us or our users though. Through better triaging (again, as time permits) we can hopefully better identify the security related issues and perhaps even post periodic updates on the subject on the devs list. We know it's not perfect, far from it even, but let's take steps towards improving the situation, even if they are baby steps.
CC: (none) => guillomovitch
Created attachment 744 [details] upstream patch I had to do the work myself for mandriva 2010.0. Here is the upstream patch fixing the issue.
Keywords: (none) => PATCH
Guillaume will you add the patch or do you want me to do it ?
CC: (none) => dmorganec
Assigning to Dmorgan as Guillaume replied to his comment 6 on irc :)
Status: REOPENED => ASSIGNED
CC: (none) => stormi
Assignee: bugsquad => dmorganec
Ping ?
Patched release 3.2.3-2.1 available in updates_testing, untested.
Ok thanks. As we don't really have a 'security team' I assign this bug to the QA.
Assignee: dmorganec => qa-bugs
Created attachment 1040 [details] example CVE-2011-2179 exploit URLs from securityfocus
To check this you need to install nagios and nagios-www too to get the web interface. Disable authentication in /etc/nagios/cgi.cfg, or configure it if you don't want to disable it. Then 'service nagios start'.

You can see the web interface at localhost/nagios, and using either of the URLs in the attachment will show the problem. The first brings up a box with XSS in it and the second does the same with 666 in it.

Confirmed the problem on x86_64 and confirmed the fix after update. Instead of opening the box it shows an error in red, e.g. Error:No command "<script>alert(String.fromCharCode(88,83,83))</script>" found

Testing complete x86_64
SRPM: nagios-3.2.3-2.1.mga1.src.rpm
Testing complete on i586. Thanks Claire for the procedure.

Could someone from the sysadmin team push the srpm nagios-3.2.3-2.1.mga1.src.rpm from Core Updates Testing to Core Updates

Advisory:
Several cross-site scripting (XSS) vulnerabilities have been identified in nagios. Issues with both config.cgi and statusmap.cgi allowed remote attackers to inject arbitrary web script or HTML. These issues have been identified at mitre.org by CVE-2011-1523 and CVE-2011-2179. This security update corrects these issues
https://bugs.mageia.org/show_bug.cgi?id=1948
CC: (none) => davidwhodgins
Sysadmin please push, see comment 13 for details. Thank you.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED