Summary: net-analyzer/nagios < 3.0.6 Unspecified CGI and External Command Vulnerabilities (CVE-2008-6373)
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: dertobi123, fmccor, netmon, wolf31o2
Package list:
Runtime testing required: ---
Bug Depends on: 245887
Description stupendoussteve 2008-12-04 23:45:57 UTC
Reported by the vendor; the changelog says a bit more at http://www.nagios.org/development/history/nagios-3x.php

From Secunia: A vulnerability with an unknown impact has been reported in Nagios. The vulnerability is caused due to an unspecified error within "the CGIs and related to adaptive external commands". No further information is currently available. The vulnerability is reported in versions prior to 3.0.6.

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) 2009-01-13 17:04:00 UTC
We're waiting for 3.0.7 to stabilize for bug 245887.
Comment 2 Tobias Scherbaum (RETIRED) 2009-03-03 16:26:48 UTC
*** Bug 261058 has been marked as a duplicate of this bug. ***
Comment 3 Tobias Scherbaum (RETIRED) 2009-03-03 16:30:32 UTC
(In reply to comment #1)
> We're waiting for 3.0.7 to stabilize for bug 245887.

Apparently there's no 3.0.7, nor did I get an answer to the mail I sent to Ethan some $months ago. Therefore, let's get 3.0.6 and its dependencies marked as stable - we do have bug #256177 for that. Adding arches.
Comment 5 Ferris McCormick (RETIRED) 2009-03-04 21:22:49 UTC
Sparc is done in Bug 256177 CC myself in case anything left out.
Comment 7 Raúl Porcel (RETIRED) 2009-03-07 15:14:35 UTC
no ia64 keywords...
Comment 9 Chris Gianelloni 2009-03-30 20:25:05 UTC
So there's no hope of fixing/patching the vulnerability, rather than forcing *every* Nagios user in Gentoo to switch to a new *major* version which changes and removes features and isn't backwards compatible? I mean, the netmon herd were making *MAJOR BUG FIXES* to the ebuilds within the last couple weeks. There's simply *no way* that this stuff has been tested well-enough. Did anyone even bother to verify if this affected Nagios 2.x, the (well, was) current stable, or did we just all jump to stabilize the newer stuff without looking into the actual problem, off-loading the real work to every user? Anyway, I guess this will end up being (yet another) set of ebuilds I'll have to maintain myself in my overlay.
Comment 10 Tobias Scherbaum (RETIRED) 2009-03-31 18:23:02 UTC
(In reply to comment #9)
> So there's no hope of fixing/patching the vulnerability, rather than forcing
> *every* Nagios user in Gentoo to switch to a new *major* version which changes
> and removes features and isn't backwards compatible?

#245887 was filed beforehand. The issue in this bug report "should" only affect nagios-3 (nagios-2 seems affected as well, but those external commands didn't work anyway). The most precise information available was probably this post on the nagios-devel mailing list: http://marc.info/?l=nagios-devel&m=122609812202185&w=4

In short: nagios-2 *seems* unaffected, but without auditing the code we probably can't be *sure*. If there's something going wrong here, it's how upstream handled this issue (I did ask on the nagios-devel mailing list and sent a private email to Ethan Galstad - no answer received, and from the mailing list feedback you can't be sure.)

> I mean, the netmon herd
> were making *MAJOR BUG FIXES* to the ebuilds within the last couple weeks.
> There's simply *no way* that this stuff has been tested well-enough. Did
> anyone even bother to verify if this affected Nagios 2.x, the (well, was)
> current stable, or did we just all jump to stabilize the newer stuff without
> looking into the actual problem, off-loading the real work to every user?

Well, as said before ... upstream seems not to be interested in maintaining any further 2.x releases, and we can't be sure if it is (even partially?) affected as well. Plus, nagios-3 stabilization has been requested before - if things look good, what I tested looks ok, and there are no critical open bugs ... it's time to get something marked as stable. It's a problem when bugs slip through, but basically - if I'm the only one testing something ... *shrugs*

> Anyway, I guess this will end up being (yet another) set of ebuilds I'll have
> to maintain myself in my overlay.

Feel free to do so ... the other option is to file bugs and get things fixed.

So, what's most beneficial for others as well?
Comment 11 Stefan Behte (RETIRED) 2009-03-31 19:26:28 UTC
> it's time to get something marked as stable. It's a problem when bugs slipped
> through, but basically - if I'm the only one testing something ... *shrugs*

You're not - as I've got two production Nagios installations (3.0.x, 3.1), I'm having a look, too. I'm neither a member of the netmon herd nor a dev, but I'm filing bugs to get things fixed.
Comment 12 Robert Buchholz (RETIRED) 2009-07-19 18:14:55 UTC