From ${URL} : Description Two vulnerabilities have been reported in PNP4Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks. 1) Input appended to the URL is not properly sanitised in "views/kohana_error_page.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input appended to the URL is not properly sanitised in "views/template.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Solution: Fixed in the GIT repository. Provided and/or discovered by: Reported by the vendor. Original Advisory: PNP4Nagios: https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014 https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb
Ebuild from 0.6.21 works for 0.6.24, tested on amd64. We've been using it in production for a week now.
(In reply to Tomas Mozes from comment #1) > Ebuild from 0.6.21 works for 0.6.24, tested on amd64. We've been using it in > production for a week now. Dear Tomas, please add an alternative DEPEND on net-analyzer/ichinga2 to the upcoming ebuilds. The following diff is from my personal bumped version: --- pnp4nagios-0.6.21.ebuild.20140314-113125 2014-03-14 11:31:26.000000000 +0100 +++ pnp4nagios-0.6.24.ebuild 2014-10-23 16:25:17.184022000 +0200 @@ -16,10 +16,11 @@ IUSE="" KEYWORDS="amd64 ppc ppc64 ~sparc x86" +# 20141023/gj alternatively depend on icinga2 DEPEND="dev-lang/php[json,simplexml,zlib,xml,filter] >=dev-lang/php-5.3 >=net-analyzer/rrdtool-1.2[perl] - || ( net-analyzer/nagios-core net-analyzer/icinga )" + || ( net-analyzer/nagios-core net-analyzer/icinga net-analyzer/icinga2 )" RDEPEND="${DEPEND} virtual/perl-Getopt-Long virtual/perl-Time-HiRes
Hey Guido, I'm just a random tester, I cannot bump the version ;) By the way, we've been using 0.6.24 since 2014/08.
+*pnp4nagios-0.6.24 (24 Oct 2014) + + 24 Oct 2014; Justin Lecher <jlec@gentoo.org> +pnp4nagios-0.6.24.ebuild: + Version BUmp; fixes security issues #516078 & #516140 +
@arches, please stable.
amd64 stable
x86 stable
ppc stable
ppc64 stable. Maintainer(s), please cleanup.
+ 10 Nov 2014; Justin Lecher <jlec@gentoo.org> -pnp4nagios-0.6.19-r1.ebuild, + -pnp4nagios-0.6.21.ebuild: + Drop old +
Justin, thank you for the very quick cleanup of vulnerable versions. Closing noglsa for XSS.
CVE-2014-4908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4908): Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching (1) share/pnp/application/views/kohana_error_page.php or (2) share/pnp/application/views/template.php, leading to improper handling within an http-equiv="refresh" META element.