Bug 598104 (CVE-2008-7313, CVE-2016-9565) - <net-analyzer/nagios-core-4.2.2: Arbitrary commands execution via shell metacharacters in https URLs
Status: RESOLVED FIXED
Alias: CVE-2008-7313, CVE-2016-9565
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve blocked]
Depends on: CVE-2016-8641
Reported: 2016-10-26 05:19 UTC by Tomáš Mózes
Modified: 2017-02-21 00:16 UTC
Description Tomáš Mózes 2016-10-26 05:19:10 UTC
From the changelog of 4.2.2 (https://www.nagios.org/projects/nagios-core/history/4x/):

SECURITY
There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on August 1, 2016. The fix was apparently incomplete, as there was still a problem. However, we are now getting all RSS feeds using AJAX calls instead of the (outdated) MagpieRSS package. Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).
Comment 1 Michael Orlitzky gentoo-dev 2016-10-28 15:18:35 UTC
I just added the fixed version to the tree, and removed a few older versions that weren't stable anywhere.
Comment 2 Tomáš Mózes 2016-10-29 05:29:27 UTC
(In reply to Michael Orlitzky from comment #1)
> I just added the fixed version to the tree, and removed a few older versions
> that weren't stable anywhere.

Thank you Michael.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:16:33 UTC
This issue was resolved and addressed in
 GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26
by GLSA coordinator Thomas Deutschmann (whissi).