From $URL: In both the tools -> ping, and tools -> Traceroute WAP/WML pages, it is possible to inject arbitrary shell commands that are run as the same user as the statuswml.cgi is running as. For example, a Ping with a Host Name/Address of “173.45.235.65;echo $PATH” (entered without the quotes) will return the output from the ping command and then execute and return the output from the “echo $PATH” command. (i.e. https://somehost.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH)
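An added example, not part of the bug report and not the upstream patch: one way a C CGI could decode the `ping` query value and reject it unless it looks like a plain host name or address. The function names and the allowlist policy are this example's own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a CGI query value ('+' and %XX) into out.
 * Returns -1 on a malformed escape, an embedded NUL, or overflow. */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0 || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Allowlist (assumed policy): letters, digits, '.', '-', ':' only, so
 * ';', '$', spaces and other shell metacharacters never pass. A leading
 * '-' is refused so the value cannot be read as a command option. */
static int host_arg_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Returns 1 only if the raw query value decodes to an acceptable host. */
int ping_param_is_safe(const char *raw) {
    char host[256];
    return url_decode(raw, host, sizeof host) == 0 && host_arg_is_safe(host);
}
```

Validation of this kind complements, rather than replaces, passing the host to the ping or traceroute program as a separate argument vector element instead of building a shell command string.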
Added the patch added 5 days ago in upstream CVS:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/statuswml.c?r1=1.27&r2=1.28&view=patch
Versions rev-bumped and bumped:
=net-analyzer/nagios-core-3.1.2
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1
Candidates for stabilization:
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1
Arches, please test and mark stable:
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
x86 stable
Both stable on alpha.
ppc64 and ppc done
amd64 stable
sparc stable
CVE-2009-2288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2288): statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
doesn't the "nagios" ebuild need a bump as well?
(In reply to comment #9)
> doesn't the "nagios" ebuild need a bump as well?
no, it's just a meta-ebuild which pulls in actual nagios code (nagios-core).
sorry, I mistook the ~ for a =
(In reply to comment #11)
> sorry, i mistook the ~ for a =
no problem :)
GLSA 200907-15