CVE-2014-4703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4703): lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701.
CVE-2014-4702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4702): The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701.
CVE-2014-4701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4701): The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702.
Maintainer(s), should we stabilize 2.0.3 or 2.0.3-r1?
Huh, I missed this. I just committed an -r2 with some small fixes. Please stabilize that.
Arches, please test and mark stable:
=net-analyzer/nagios-plugins-2.0.3-r2
Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Thank you!
amd64 stable
ppc stable
x86 stable
Stable for HPPA PPC64.
alpha stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
The older versions have been removed:
25 Jul 2015; Michael Orlitzky <mjo@gentoo.org> -nagios-plugins-1.4.16-r2.ebuild, -nagios-plugins-1.4.16-r3.ebuild, -nagios-plugins-2.0.3.ebuild, metadata.xml:
Remove old versions for bug #534676.
One of the 1.4.x versions was stable on arm64, so I've CCed them just in case that was important to someone.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
GLSA Vote: No