According to the ChangeLog from the just released 1.4.10 version of nagios-plugins there was a buffer overflow in the included check_http plugin. "The major changes in this release include: Fix check_http buffer overflow vulnerability when following HTTP redirects" I added nagios-plugins-1.4.10 to the tree a few minutes ago, arch teams please stable this version.
x86 stable, please note: dodoc: CHANGES does not exist dodoc: Changelog does not exist
Builds and installs without incident, and all of 'emerge nagios' installs fine. Testing will take some time, however, because nagios must be up and running and these plugins must get used. This will take some time. Other sparc people feel free to jump in if you happen to be running nagios already.
(In reply to comment #2) > Builds and installs without incident, and all of 'emerge nagios' installs fine. > Testing will take some time, however, because nagios must be up and running > and these plugins must get used. This will take some time. Other sparc people > feel free to jump in if you happen to be running nagios already. > That is, "Builds and installs on sparc."
(In reply to comment #2) > Builds and installs without incident, and all of 'emerge nagios' installs fine. > Testing will take some time, however, because nagios must be up and running > and these plugins must get used. This will take some time. Other sparc people > feel free to jump in if you happen to be running nagios already. > You can test the plugins without setting up a full nagios environment, i.e.: /usr/nagios/libexec/check_http -H www.gentoo.de HTTP OK HTTP/1.1 200 OK - 17458 bytes in 0.205 seconds |time=0.205061s;;;0.000000 size=17458B;;;0
Sparc stable; thanks, Tobias.
ppc64 stable
(In reply to comment #1) > x86 stable, please note: > dodoc: CHANGES does not exist > dodoc: Changelog does not exist > fixed dodoc, amd64 stable too
All arches done, please file a GLSA request.
(In reply to comment #8) > All arches done, please file a GLSA request. > 11:41 < dertobi123> rbu: dunno if this one's a B2, haven't looked at the code - but the actual impact of this vulnerability should be very small, as this plugins is usually only used within nagios to monitor defined sites
(In reply to comment #9) > 11:41 < dertobi123> rbu: dunno if this one's a B2, haven't looked at the code - > but the actual impact of this vulnerability should be very small, as this > plugins is usually only used within nagios to monitor defined sites It still might allow code execution if a user is enticed to monitor a malicious system. Making a nagios admin do that might be harder than getting someone to open a crafted PDF file, but the impact is the same. Thanks for clarifying.
Personally I'd rate this as C2 and vote NO GLSA since this is quite hard to exploit.
The fix included in 1.4.10 was incomplete as per http://sourceforge.net/tracker/index.php?func=detail&aid=1813346&group_id=29880&atid=397597 I've added the patch to 1.4.10-r1, I'd suggest to utilize #196308 for stabilization.
reverting to [stable] status as per comment #12. Stabilization is handled on bug #196308
This should be B2. Nagios is widely used and some consulting outfits use it to monitor client websites.
I would rate both as C1 as the default configuration is not vulnerable.
C1 it is, and GLSA request filed.
(In reply to comment #16) > C1 it is, and GLSA request filed. (before someone else says so: I know it's not yet bug ready)
Adding back amd64 as they don't seem to have marked stable.
stable on amd64
GLSA 200711-11.
