Fedora has issued an advisory on November 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYI2Q2GXM5Z4DQCQSU2GUHC6AUDK7HK3/
The two CVEs I didn't mention, we already previously fixed. These issues appear to have been fixed upstream in the following versions:
CVE-2017-14312: 4.3.4
CVE-2017-12847: 4.3.3
CVE-2016-6209: 4.3.0
https://bugzilla.redhat.com/show_bug.cgi?id=1376658: 4.2.0
So the last two issues in that list only affect Mageia 5. CVE-2016-6209 was the hardest to track down; here's a reference for that: https://github.com/NagiosEnterprises/nagioscore/issues/297
Whiteboard: (none) => MGA5TOO
I just submitted nagios-4.3.1-2.1.mga6 in updates_testing for mageia 6, fixing CVE-2017-12847, and a minor log flooding issue. CVE-2017-14312 doesn't apply, as /usr/sbin/nagios and /etc/nagios/nagios.cfg are owned by root user. And CVE-2016-6209 is already fixed, as we're shipping nagios 4.3.1. Regarding mageia 5, this package doesn't qualify as a "component found in most systems" IMHO, and doesn't justify an update.
Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs
Advisory:
========================
Updated nagios packages fix security vulnerability:

It was found that the nagios daemon creates its PID file after dropping privileges, which allows a non-root user to change its content to the PID of any other process, resulting in a denial of service when the daemon is stopped (CVE-2017-12847).

Note that the nagios package on Mageia 5 is no longer supported. Users of this package should upgrade to Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12847
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYI2Q2GXM5Z4DQCQSU2GUHC6AUDK7HK3/
========================
Updated packages in core/updates_testing:
========================
nagios-4.3.1-2.1.mga6
nagios-www-4.3.1-2.1.mga6
nagios-devel-4.3.1-2.1.mga6

from nagios-4.3.1-2.1.mga6.src.rpm
Whiteboard: MGA5TOO => (none)
Some past pointers:
https://bugs.mageia.org/show_bug.cgi?id=8799#c9
https://bugs.mageia.org/show_bug.cgi?id=13197#c3
which I will try.
CC: (none) => lewyssmith
Lewis, we have https://wiki.mageia.org/en/QA_procedure:Nagios

I started testing before I saw your comment.

Before the update ...

$ ll /run/nagios/nagios.pid
-rw-r--r-- 1 nagios nagios 5 Nov 30 13:47 /run/nagios/nagios.pid

This should only be a problem if the service is hacked to alter the pid file.

After the update ...

$ ll /run/nagios/nagios.pid
-rw-r--r-- 1 root root 5 Nov 30 13:32 /run/nagios/nagios.pid

Also the nagios service works after the update, on both arches. I'll upload the advisory shortly.
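The advisory above describes the root cause of CVE-2017-12847 (a PID file written after privileges are dropped, so its owner can point it at any other process), and the QA comment checks it by eyeballing `ll` output. Here is the same check as a script, written for this thread as an added example; it is not part of the Mageia package or the QA procedure page. It verifies that a PID file is owned by the expected user, is not group- or world-writable, holds a single numeric PID, and that the PID belongs to a process with the expected name (read from /proc, so Linux only). The path /run/nagios/nagios.pid, the owner root and the process name nagios are taken from the thread; the function name check_pidfile and the return codes are this example's own choices.

```shell
#!/bin/sh
# check_pidfile PIDFILE EXPECTED_OWNER EXPECTED_COMM
#
# Returns 0 when the PID file is safe to act on:
#   1  file missing or unreadable
#   2  owned by someone other than EXPECTED_OWNER
#   3  writable by group or others
#   4  content is not a single decimal PID
#   5  no running process with that PID
#   6  the process is not EXPECTED_COMM
# A stop script that trusts a file failing checks 2-6 can be tricked into
# signalling an unrelated process, which is the CVE-2017-12847 failure mode.
check_pidfile() {
    pidfile=$1
    owner=$2
    comm=$3

    [ -f "$pidfile" ] || { echo "missing: $pidfile"; return 1; }

    # Ownership: a PID file created after privilege drop is owned by the
    # service user (nagios) instead of root and can be rewritten by it.
    actual_owner=$(stat -c '%U' "$pidfile" 2>/dev/null) || return 1
    [ "$actual_owner" = "$owner" ] || {
        echo "owner is $actual_owner, expected $owner"; return 2; }

    # Permissions: reject group/other write bits (octal digit 2, 3, 6 or 7).
    mode=$(stat -c '%a' "$pidfile")
    case "$mode" in
        *[2367]?|*[2367]) echo "group/other writable: mode $mode"; return 3 ;;
    esac

    # Content: exactly one decimal number, nothing else.
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "not a PID: '$pid'"; return 4 ;;
    esac

    # Liveness and identity: the PID must exist and must be the daemon we
    # expect, not some other process an attacker pointed the file at.
    [ -r "/proc/$pid/comm" ] || { echo "no process with PID $pid"; return 5; }
    actual_comm=$(cat "/proc/$pid/comm")
    [ "$actual_comm" = "$comm" ] || {
        echo "PID $pid is '$actual_comm', expected '$comm'"; return 6; }

    echo "ok: $pidfile -> $comm ($pid), owned by $owner, mode $mode"
    return 0
}

# Usage on a real host (as in the QA comment, after the fixed package):
#   check_pidfile /run/nagios/nagios.pid root nagios
```

Run it as the root user that would normally stop the service; a non-zero exit from any of the checks is the signal to investigate the file by hand rather than feed its contents to kill.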
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0437.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED