Fedora has issued an advisory on March 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/ The issue is fixed upstream in 4.4.6.
Status comment: (none) => Fixed upstream in 4.4.6
M8 already has nagios-4.4.6-2.mga8.src.rpm. Seems best to assign this to Guillaume, its maintainer.
Assignee: bugsquad => guillomovitch
Mid-air collision ;)
CC: (none) => ouaurelien
fixed in mga7: src: - nagios-4.4.3-2.1.mga7
Status comment: Fixed upstream in 4.4.6 => (none)
CC: (none) => mageia
Assignee: guillomovitch => qa-bugs
Advisory:
========================

Updated nagios packages fix security vulnerability:

Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files (CVE-2020-13977).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13977
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/
========================

Updated packages in core/updates_testing:
========================

nagios-4.4.3-2.1.mga7
nagios-www-4.4.3-2.1.mga7
nagios-devel-4.4.3-2.1.mga7

from nagios-4.4.3-2.1.mga7.src.rpm
Installed and tested. Some configuration changes were needed to get it working. I'm not giving it an OK and will let the packager decide if this is OK as is or if the configuration needs to be changed.

System: Mageia 7, x86_64, Intel CPU.

Install and setup procedure:

Step 1 - Installed packages nagios, nagios-www and all dependencies.

Step 2 - Change the configuration file "/etc/httpd/conf/sites.d/nagios.conf" to get HTTP authentication working. Changed file is next.

#########################################################
# Nagios Apache configuration

ScriptAlias /nagios/cgi-bin /usr/lib64/nagios/cgi

<Directory /usr/lib64/nagios/cgi>
    Options ExecCGI
    AuthType Basic
    AuthName "Restricted Content"
    AuthBasicProvider file
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user
</Directory>

Alias /nagios /usr/share/nagios/www

<Directory /usr/share/nagios>
    AuthType Basic
    AuthName "Restricted Content"
    AuthBasicProvider file
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user
</Directory>
#########################################################

Step 2 alternative - Disable nagios authentication, but I strongly recommend against this. To disable authentication, change "use_authentication=1" to "use_authentication=0" in the file /etc/nagios/cgi.cfg.

Step 3 - Set http authentication password.

$ htpasswd /etc/nagios/htpasswd nagiosadmin
New password:
Re-type new password:

Step 4 - Start httpd and nagios services.

$ systemctl start httpd nagios

Step 5 - Open in a browser the URL https://example.com/nagios/

$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep nagios | sort
nagios-4.4.3-2.1.mga7
nagios-check_disk-2.2.1-4.mga7
nagios-check_http-2.2.1-4.mga7
nagios-check_load-2.2.1-4.mga7
nagios-check_ping-2.2.1-4.mga7
nagios-check_procs-2.2.1-4.mga7
nagios-check_ssh-2.2.1-4.mga7
nagios-check_swap-2.2.1-4.mga7
nagios-check_users-2.2.1-4.mga7
nagios-plugins-2.2.1-4.mga7
nagios-www-4.4.3-2.1.mga7

$ systemctl status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-04-09 13:41:27 WEST; 27min ago
  Process: 29681 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 29682 (nagios)
    Tasks: 8 (limit: 4668)
   Memory: 16.2M
   CGroup: /system.slice/nagios.service
           ├─29682 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
           ├─29683 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29684 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29685 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29686 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29687 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29688 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           └─29691 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29683;pid=29683
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29686;pid=29686
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29688;pid=29688
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29685;pid=29685
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29684;pid=29684
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29687;pid=29687
abr 09 13:41:27 marte nagios[29682]: Successfully launched command file worker with pid 29691
abr 09 13:43:29 marte nagios[29682]: SERVICE ALERT: localhost;SSH;OK;HARD;4;SSH OK - OpenSSH_8.0 (protocol 2.0)
abr 09 13:44:32 marte nagios[29682]: EXTERNAL COMMAND: ENABLE_SVC_NOTIFICATIONS;localhost;HTTP
abr 09 13:44:50 marte nagios[29682]: EXTERNAL COMMAND: ENABLE_SVC_NOTIFICATIONS;localhost;SSH
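The setup procedure above relies on two independent layers: the Apache site file must require a valid user on both the CGI and the static directories, and /etc/nagios/cgi.cfg must keep use_authentication=1. The following script is an added example, not part of this bug report or of the Mageia nagios packages, that checks both layers before the web interface is exposed. The file names, the temporary directory and the two sample configurations it writes are constructed for the demonstration; point the functions at the real /etc/httpd/conf/sites.d/nagios.conf and /etc/nagios/cgi.cfg to audit a live host.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia package): verify that the
# Nagios web UI is protected by both layers described in the setup steps.
set -u

# Return 0 if every <Directory> block in the Apache site file contains
# "Require valid-user", 1 if any block lacks it or no block exists at all.
# awk tracks block state so a directive outside a block does not count.
apache_requires_auth() {
    awk '
        /^[[:space:]]*<Directory/                                  { in_dir = 1; has_req = 0; blocks++ }
        in_dir && /^[[:space:]]*Require[[:space:]]+valid-user/     { has_req = 1 }
        /^[[:space:]]*<\/Directory>/                               { if (!has_req) bad++; in_dir = 0 }
        END { if (blocks == 0 || bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Return 0 if cgi.cfg has an active (uncommented) use_authentication=1 line.
cgi_cfg_auth_enabled() {
    grep -Eq '^[[:space:]]*use_authentication[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Combined verdict: report each layer, return 0 only when both hold.
check_nagios_auth() {
    rc=0
    if apache_requires_auth "$1"; then
        echo "apache:  ok (all Directory blocks require valid-user)"
    else
        echo "apache:  FAIL (a Directory block is reachable without authentication)"
        rc=1
    fi
    if cgi_cfg_auth_enabled "$2"; then
        echo "cgi.cfg: ok (use_authentication=1)"
    else
        echo "cgi.cfg: FAIL (use_authentication is not 1)"
        rc=1
    fi
    return $rc
}

# --- Constructed sample configurations (hypothetical paths under a temp dir) ---
TMP=$(mktemp -d)

# Matches the corrected site file from Step 2.
cat > "$TMP/nagios-good.conf" <<'EOF'
ScriptAlias /nagios/cgi-bin /usr/lib64/nagios/cgi
<Directory /usr/lib64/nagios/cgi>
    Options ExecCGI
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user
</Directory>
Alias /nagios /usr/share/nagios/www
<Directory /usr/share/nagios>
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user
</Directory>
EOF

# A site file that leaves the CGI directory open.
cat > "$TMP/nagios-bad.conf" <<'EOF'
ScriptAlias /nagios/cgi-bin /usr/lib64/nagios/cgi
<Directory /usr/lib64/nagios/cgi>
    Options ExecCGI
    Require all granted
</Directory>
EOF

printf 'use_authentication=1\n' > "$TMP/cgi-good.cfg"
# The "Step 2 alternative" the reporter advises against; the commented copy must not count.
printf '# use_authentication=1\nuse_authentication=0\n' > "$TMP/cgi-bad.cfg"

echo "== good site file, good cgi.cfg"
check_nagios_auth "$TMP/nagios-good.conf" "$TMP/cgi-good.cfg" || true
echo "== open CGI directory, auth disabled in cgi.cfg"
check_nagios_auth "$TMP/nagios-bad.conf" "$TMP/cgi-bad.cfg" || true
```

Run it as-is to see both verdicts, or call check_nagios_auth with the real site file and cgi.cfg paths from a post-install hook; a non-zero exit means one of the two layers the reporter relied on is missing.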
CC: (none) => mageia
Nicolas?
Keywords: (none) => feedback
CC: (none) => andrewsfarm
Since people using this have already configured it to work and are currently using a vulnerable version, I think this update should be pushed even if it requires some configuration tinkering for new installations.
I decided to take another look at this myself, since it has been so long and there have been several updates to Mageia 7 since Comment 5.

Installed nagios, nagios-www, and dependencies in a Mageia 7 Vbox Plasma guest, then got the updates with qarepo. No installation issues.

Much has happened at Mageia since https://wiki.mageia.org/en/QA_procedure:Nagios was written in December 2012, making it rather dated and incomplete for a novice to follow. It really needs to be rewritten by someone who knows what he/she is doing. I referenced Bug 24290 for a procedure that is more recent. In that bug I declared testing beyond a clean install to be beyond my capabilities, and it still is, but I was able to judiciously use copy-and-paste to follow at least part of Herman's procedure:

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-05-08 10:02:46 EDT; 9s ago
 Main PID: 11978 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
    Tasks: 6 (limit: 4702)
   Memory: 26.4M
   CGroup: /system.slice/httpd.service
           ├─11978 /usr/sbin/httpd -DFOREGROUND
           ├─11980 /usr/sbin/httpd -DFOREGROUND
           ├─11981 /usr/sbin/httpd -DFOREGROUND
           ├─11982 /usr/sbin/httpd -DFOREGROUND
           ├─11983 /usr/sbin/httpd -DFOREGROUND
           └─11984 /usr/sbin/httpd -DFOREGROUND

May 08 10:02:46 localhost systemd[1]: Starting The Apache HTTP Server...
May 08 10:02:46 localhost httpd[11978]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress >
May 08 10:02:46 localhost systemd[1]: Started The Apache HTTP Server.

[root@localhost ~]# systemctl -l status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@localhost ~]# systemctl -l start nagios

[root@localhost ~]# systemctl -l status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-05-08 10:05:37 EDT; 16s ago
  Process: 13456 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 13457 (nagios)
    Tasks: 6 (limit: 4702)
   Memory: 2.0M
   CGroup: /system.slice/nagios.service
           ├─13457 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
           ├─13458 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─13459 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─13460 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─13461 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           └─13463 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

May 08 10:05:37 localhost nagios[13457]: qh: Socket '/var/spool/nagios/nagios.qh' successfully initialized
May 08 10:05:37 localhost nagios[13457]: qh: core query handler registered
May 08 10:05:37 localhost nagios[13457]: qh: echo service query handler registered
May 08 10:05:37 localhost nagios[13457]: qh: help for the query handler registered
May 08 10:05:37 localhost nagios[13457]: wproc: Successfully registered manager as @wproc with query handler
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13459;pid=13459
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13461;pid=13461
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13460;pid=13460
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13458;pid=13458
May 08 10:05:37 localhost nagios[13457]: Successfully launched command file worker with pid 13463
That was as far as I could get with my ability, but it shows that the nagios service is running, apparently without error. Coupling this with Comments 5 and 7, I'm going to let this one go. Validating. Advisory in Comment 4.
CC: (none) => sysadmin-bugs
Keywords: feedback => validated_update
Whiteboard: (none) => MGA7-64-OK
CVE: (none) => CVE-2020-13977
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0209.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED