Bug 22049 - nagios new security issues CVE-2016-6209, CVE-2017-12847, CVE-2017-14312, rhbz#1376658
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-17 17:20 CET by David Walser
Modified: 2017-12-02 00:14 CET

See Also:
Source RPM: nagios-4.3.1-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-11-17 17:20:33 CET
Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYI2Q2GXM5Z4DQCQSU2GUHC6AUDK7HK3/

The two CVEs I didn't mention, we already previously fixed.

These issues appear to have been fixed upstream in the following versions:
CVE-2017-14312 4.3.4
CVE-2017-12847 4.3.3
CVE-2016-6209 4.3.0
https://bugzilla.redhat.com/show_bug.cgi?id=1376658 4.2.0

So the last two issues in that list only affect Mageia 5.

CVE-2016-6209 was the hardest to track down, here's a reference for that:
https://github.com/NagiosEnterprises/nagioscore/issues/297
David Walser 2017-11-17 17:20:41 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Guillaume Rousse 2017-11-19 15:42:25 CET
I just submitted nagios-4.3.1-2.1.mga6 in updates_testing for mageia 6, fixing CVE-2017-12847, and a minor log flooding issue. CVE-2017-14312 doesn't apply, as /usr/sbin/nagios and /etc/nagios/nagios.cfg are owned by root user. And CVE-2016-6209 is already fixed, as we're shipping nagios 4.3.1.

Regarding mageia 5, this package doesn't qualify as a "component found in most systems" IMHO, and doesn't justify an update.

Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs

Comment 2 David Walser 2017-11-19 16:44:34 CET
Advisory:
========================

Updated nagios packages fix security vulnerability:

It was found that nagios daemon creates its PID file after dropping privileges,
which allows to change its content by non-root user with PID of any other
process, resulting into denial-of-service when daemon is stopped
(CVE-2017-12847).

Note that the nagios package on Mageia 5 is no longer supported.  Users of this
package should upgrade to Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12847
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYI2Q2GXM5Z4DQCQSU2GUHC6AUDK7HK3/
========================

Updated packages in core/updates_testing:
========================
nagios-4.3.1-2.1.mga6
nagios-www-4.3.1-2.1.mga6
nagios-devel-4.3.1-2.1.mga6

from nagios-4.3.1-2.1.mga6.src.rpm

Whiteboard: MGA5TOO => (none)

Comment 3 Lewis Smith 2017-11-30 10:39:36 CET
Some past pointers:
 https://bugs.mageia.org/show_bug.cgi?id=8799#c9
 https://bugs.mageia.org/show_bug.cgi?id=13197#c3
which I will try.

CC: (none) => lewyssmith

Comment 4 Dave Hodgins 2017-11-30 19:56:55 CET
Lewis, we have https://wiki.mageia.org/en/QA_procedure:Nagios

I started testing before I saw your comment.

Before the update ...
$ ll /run/nagios/nagios.pid 
-rw-r--r-- 1 nagios nagios 5 Nov 30 13:47 /run/nagios/nagios.pid

This should only be a problem if the service is hacked to alter the pid file.

After the update ...
$ ll /run/nagios/nagios.pid 
-rw-r--r-- 1 root root 5 Nov 30 13:32 /run/nagios/nagios.pid

Also the nagios service works after the update, on both arches.

I'll upload the advisory shortly.

Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
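
The ownership check from comment 4, written out as a repeatable audit (an added example, not part of the original thread or of the Mageia QA procedure). It flags a PID file that a non-root user could rewrite, which is the CVE-2017-12847 condition, and reports which process a stop action would signal. The process name `nagios`, the function names and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example: audit a daemon PID file for the CVE-2017-12847 condition.
# The default path comes from comment 4; the process name "nagios" is assumed.

# Verdict from owner name and octal mode, as printed by `stat -c '%U %a'`.
classify_pidfile() {
    owner=$1; mode=$2
    if [ "$owner" != root ]; then
        echo "unsafe-owner:$owner"      # unprivileged user can rewrite it
    elif [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "unsafe-mode:$mode"        # group- or world-writable
    else
        echo ok
    fi
}

# Name of the process the PID file points at, or why it cannot be trusted.
# procroot is overridable so the logic can be run against a constructed tree.
pid_target() {
    pidfile=$1; procroot=${2:-/proc}
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo invalid-pid; return 0 ;;
    esac
    if [ -r "$procroot/$pid/comm" ]; then
        cat "$procroot/$pid/comm"
    else
        echo no-such-process
    fi
}

# Report both checks; succeed only if the file is root-controlled and
# a stop action would signal the expected daemon.
audit_pidfile() {
    pidfile=$1; expected=${2:-nagios}
    if [ ! -e "$pidfile" ]; then
        echo "$pidfile: missing"; return 0
    fi
    verdict=$(classify_pidfile "$(stat -c %U "$pidfile")" "$(stat -c %a "$pidfile")")
    target=$(pid_target "$pidfile")
    echo "$pidfile: perms=$verdict target=$target"
    [ "$verdict" = ok ] && [ "$target" = "$expected" ]
}

audit_pidfile "${1:-/run/nagios/nagios.pid}"
```

`stat -c` is the GNU coreutils form, so this runs as written on Linux systems such as the Mageia hosts in this report.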

Dave Hodgins 2017-11-30 20:02:08 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2017-12-02 00:14:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0437.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

