4.2.4 - 2016-12-07
------------------
SECURITY FIXES
* Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).
From https://bugzilla.redhat.com/show_bug.cgi?id=1402869#c0:

An unsafe file opening/creation of logging files that can be misused for root privilege escalation was found in base/logging.c.

Upstream patch: https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4

@ Maintainer(s): Please bump to =net-analyzer/nagios-core-4.2.4 which is already available.
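As an added illustration of the bug class named in that report (an unsafe open/create of a log file by a root process), and not the Nagios code or the upstream fix, here is the unsafe log-open pattern beside a hardened one; the temporary directory, file names and self-check are constructed for this example:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Unsafe pattern (constructed illustration of the bug class, not Nagios's
 * code): as root, fopen() follows a symlink at the log path and creates or
 * appends to whatever file the link points at. */
FILE *open_log_unsafely(const char *path) { return fopen(path, "a"); }
/* Hardened form: O_NOFOLLOW rejects a symlink in the final component even
 * with O_CREAT, and fstat() on the descriptor (not the path, which would
 * race) confirms a regular, singly linked file owned by the expected user. */
int open_log_safely(const char *path, uid_t expected_owner) {
    int flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC;
    int fd = open(path, flags, 0640);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
/* Self-check in a private temporary directory (constructed): a symlink sits
 * where the daemon expects its log. Returns 1 when the unsafe open follows
 * the link, the safe open refuses it, and a plain file is still accepted. */
int demo(void) {
    char dir[] = "/tmp/logdemo.XXXXXX", target[64], logpath[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    snprintf(logpath, sizeof logpath, "%s/nagios.log", dir);
    if (symlink(target, logpath) != 0) return -1;
    FILE *f = open_log_unsafely(logpath);
    int followed = (f != NULL && access(target, F_OK) == 0);
    if (f) fclose(f);
    int fd = open_log_safely(logpath, getuid());
    int refused = (fd < 0);
    if (fd >= 0) close(fd);
    unlink(logpath);                       /* drop the link, then retry */
    fd = open_log_safely(logpath, getuid());
    int accepted = (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(logpath); unlink(target); rmdir(dir);
    return followed && refused && accepted;
}
```

The ownership and link-count checks are done on the already-opened descriptor so that nothing can be swapped in between the check and the write.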
(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Please bump to =net-analyzer/nagios-core-4.2.4 which is already available.

It's in the tree.
@ Arches, please test and mark stable: =net-analyzer/nagios-core-4.2.4 =net-analyzer/nagios-4.2.4
Stable on alpha.
amd64 stable
x86 stable
sparc stable
ppc stable
ppc64 stable
https://bugs.gentoo.org/show_bug.cgi?id=603534 and https://bugs.gentoo.org/show_bug.cgi?id=603536 have the same issue but are cleaned up and done
Stable for HPPA.
Old versions have been cleaned up.
(In reply to Michael Orlitzky from comment #12)
> Old versions have been cleaned up.

Never mind, the removal of nagios-3.x broke the tree because net-analyzer/pnp4nagios requires it on three arches. I've filed a keyword request for icinga, which can satisfy the same dependency. Once that's done in bug 605724, some version of icinga can be stabilized, and then I can finally get rid of nagios-3.x.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
Maintainer(s), please drop the vulnerable version(s).
I can't without breaking the tree (bug 605724).
This issue was resolved and addressed in GLSA 201710-20 at https://security.gentoo.org/glsa/201710-20 by GLSA coordinator Aaron Bauman (b-man).