Reported by the vendor, the changelog says a bit more at http://www.nagios.org/development/history/nagios-3x.php From Secunia: A vulnerability with an unknown impact has been reported in Nagios. The vulnerability is caused due to an unspecified error within "the CGIs and related to adaptive external commands". No further information is currently available. The vulnerability is reported in versions prior to 3.0.6. Reproducible: Always
We're waiting for 3.0.7 to stabilize for bug 245887.
*** Bug 261058 has been marked as a duplicate of this bug. ***
(In reply to comment #1) > We're waiting for 3.0.7 to stabilize for bug 245887. > Apparantly there's no 3.0.7 nor did i got an answer to my mail I sent to Ethan some $months ago. Therefore, lets get 3.0.6 and it's dependencies marked as stable - we do have bug #256177 for that. Adding arches.
ppc64 done in bug 256177
Sparc is done in Bug 256177 CC myself in case anything left out.
amd64/x86 should be done through bug 256177
no ia64 keywords...
ppc done in bug 256177
So there's no hope of fixing/patching the vulnerability, rather than forcing *every* Nagios user in Gentoo to switch to a new *major* version which changes and removes features and isn't backwards compatible? I mean, the netmon herd were making *MAJOR BUG FIXES* to the ebuilds within the last couple weeks. There's simply *no way* that this stuff has been tested well-enough. Did anyone even bother to verify if this affected Nagios 2.x, the (well, was) current stable, or did we just all jump to stabilize the newer stuff without looking into the actual problem, off-loading the real work to every user? Anyway, I guess this will end up being (yet another) set of ebuilds I'll have to maintain myself in my overlay.
(In reply to comment #9) > So there's no hope of fixing/patching the vulnerability, rather than forcing > *every* Nagios user in Gentoo to switch to a new *major* version which changes > and removes features and isn't backwards compatible? #245887 was filed beforehand. The issue in this bugreport "should" only affect nagios-3 (nagios-2 seems affected as well, but those external commands didn't work anyway). The most precise information available was probably this post on nagios-devel mailinglist: http://marc.info/?l=nagios-devel&m=122609812202185&w=4 In Short: nagios-2 *seems* unaffected, but without auditing the code we probably can't be *sure*. If there's something going wrong here, it's how upstream did handle this issue (I did ask on the nagios-devel mailinglist and sent a private email to Ethan Galstad - no answer received and from the mailinglist feedback you can't be sure.) > I mean, the netmon herd > were making *MAJOR BUG FIXES* to the ebuilds within the last couple weeks. > There's simply *no way* that this stuff has been tested well-enough. Did > anyone even bother to verify if this affected Nagios 2.x, the (well, was) > current stable, or did we just all jump to stabilize the newer stuff without > looking into the actual problem, off-loading the real work to every user? Well, as said before ... Upstream seems to not be interested in maintaining any further 2.x releases, we can't be sure if it is (even partially?) affected as well. Plus, nagios-3 stabilization has been requested before - if things look good and what i tested looks ok and there are no critical open bugs ... it's time to get something marked as stable. It's a problem when bugs slipped through, but basically - if I'm the only one testing something ... *shrugs* > Anyway, I guess this will end up being (yet another) set of ebuilds I'll have > to maintain myself in my overlay. Feel free to do so ... the other option is to file bugs and get things fixed. So, what's most benefical for others as well?
> it's time to get something marked as stable. It's a problem when bugs slipped > through, but basically - if I'm the only one testing something ... *shrugs* You're not - as I've got 2 productive Nagios Installations (3.0.x, 3.1), I'm having a look, too. I'm neither a member of the netmon herd, nor a dev, but I'm filing bugs to get things fixed.
GLSA 200907-15
