Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 249876 (CVE-2008-6373) - net-analyzer/nagios < 3.0.6 Unspecified CGI and External Command Vulnerabilties (CVE-2008-6373)
Summary: net-analyzer/nagios < 3.0.6 Unspecified CGI and External Command Vulnerabilti...
Status: RESOLVED FIXED
Alias: CVE-2008-6373
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://secunia.com/Advisories/32909/
Whiteboard: B2 [glsa]
Keywords:
: 261058 (view as bug list)
Depends on: CVE-2008-5027
Blocks:
  Show dependency tree
 
Reported: 2008-12-04 23:45 UTC by stupendoussteve
Modified: 2009-07-19 18:14 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-12-04 23:45:57 UTC
Reported by the vendor, the changelog says a bit more at http://www.nagios.org/development/history/nagios-3x.php

From Secunia: A vulnerability with an unknown impact has been reported in Nagios.

The vulnerability is caused due to an unspecified error within "the CGIs and related to adaptive external commands". No further information is currently available.

The vulnerability is reported in versions prior to 3.0.6.

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:04:00 UTC
We're waiting for 3.0.7 to stabilize for bug 245887.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-03 16:26:48 UTC
*** Bug 261058 has been marked as a duplicate of this bug. ***
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-03 16:30:32 UTC
(In reply to comment #1)
> We're waiting for 3.0.7 to stabilize for bug 245887.
> 

Apparantly there's no 3.0.7 nor did i got an answer to my mail I sent to Ethan some $months ago. Therefore, lets get 3.0.6 and it's dependencies marked as stable - we do have bug #256177 for that. Adding arches.
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-03-04 16:55:10 UTC
ppc64 done in bug 256177
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2009-03-04 21:22:49 UTC
Sparc is done in Bug 256177 CC myself in case anything left out.
Comment 6 Markus Meier gentoo-dev 2009-03-07 14:48:45 UTC
amd64/x86 should be done through bug 256177
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-03-07 15:14:35 UTC
no ia64 keywords...
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-03-19 12:39:02 UTC
ppc done in bug 256177
Comment 9 Chris Gianelloni 2009-03-30 20:25:05 UTC
So there's no hope of fixing/patching the vulnerability, rather than forcing *every* Nagios user in Gentoo to switch to a new *major* version which changes and removes features and isn't backwards compatible?  I mean, the netmon herd were making *MAJOR BUG FIXES* to the ebuilds within the last couple weeks.  There's simply *no way* that this stuff has been tested well-enough.  Did anyone even bother to verify if this affected Nagios 2.x, the (well, was) current stable, or did we just all jump to stabilize the newer stuff without looking into the actual problem, off-loading the real work to every user?

Anyway, I guess this will end up being (yet another) set of ebuilds I'll have to maintain myself in my overlay.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-31 18:23:02 UTC
(In reply to comment #9)
> So there's no hope of fixing/patching the vulnerability, rather than forcing
> *every* Nagios user in Gentoo to switch to a new *major* version which changes
> and removes features and isn't backwards compatible? 

#245887 was filed beforehand.

The issue in this bugreport "should" only affect nagios-3 (nagios-2 seems affected as well, but those external commands didn't work anyway). The most precise information available was probably this post on nagios-devel mailinglist: http://marc.info/?l=nagios-devel&m=122609812202185&w=4 In Short: nagios-2 *seems* unaffected, but without auditing the code we probably can't be *sure*.

If there's something going wrong here, it's how upstream did handle this issue (I did ask on the nagios-devel mailinglist and sent a private email to Ethan Galstad - no answer received and from the mailinglist feedback you can't be sure.)

> I mean, the netmon herd
> were making *MAJOR BUG FIXES* to the ebuilds within the last couple weeks. 
> There's simply *no way* that this stuff has been tested well-enough.  Did
> anyone even bother to verify if this affected Nagios 2.x, the (well, was)
> current stable, or did we just all jump to stabilize the newer stuff without
> looking into the actual problem, off-loading the real work to every user?

Well, as said before ... Upstream seems to not be interested in maintaining any further 2.x releases, we can't be sure if it is (even partially?) affected as well. Plus, nagios-3 stabilization has been requested before - if things look  good and what i tested looks ok and there are no critical open bugs ... it's time to get something marked as stable. It's a problem when bugs slipped through, but basically - if I'm the only one testing something ... *shrugs*

> Anyway, I guess this will end up being (yet another) set of ebuilds I'll have
> to maintain myself in my overlay.

Feel free to do so ... the other option is to file bugs and get things fixed. So, what's most benefical for others as well?

Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-31 19:26:28 UTC
> it's time to get something marked as stable. It's a problem when bugs slipped
> through, but basically - if I'm the only one testing something ... *shrugs*
You're not - as I've got 2 productive Nagios Installations (3.0.x, 3.1), I'm having a look, too. I'm neither a member of the netmon herd, nor a dev, but I'm filing bugs to get things fixed.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-19 18:14:55 UTC
GLSA 200907-15