https://github.com/NagiosEnterprises/nagioscore/blob/master/Changelog
Version 4.2.0 fixes security issues but there is a newer version 4.2.1 that fixes regressions introduced in 4.2.0.
Upstream merged the patches for 4.1.1, and after removing them nagios compiles fine; our instance seems to be running ok.
The fixed version is in the tree. During stabilization, please also get the metapackage =net-analyzer/nagios-4.2.1. I also updated the ebuild to EAPI=6 and dropped the depend.apache, multilib, and eutils eclasses. I'm fairly sure that depend.apache.eclass was only being used to define $APACHE2_MODULES_CONFDIR (which I inlined), but I would feel better if someone who uses the web interface tests it.
(In reply to Michael Orlitzky from comment #2)
> The fixed version is in the tree. During stabilization, please also get the
> metapackage =net-analyzer/nagios-4.2.1.
>
> I also updated the ebuild to EAPI=6 and dropped the depend.apache, multilib,
> and eutils eclasses. I'm fairly sure that depend.apache.eclass was only
> being used to define $APACHE2_MODULES_CONFDIR (which I inlined), but I would
> feel better if someone who uses the web interface tests it.

Thanks Michael. Tested with USE="apache2 web" and works ok.
CVE-2013-4214 was handled by bug 480352. Added to an existing GLSA.
This issue was resolved and addressed in GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26 by GLSA coordinator Thomas Deutschmann (whissi).