| Summary: | <net-analyzer/nagios-core-2.12-r1,3.0.6-r2 statuswml.cgi remote code exec (CVE-2009-2288) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | dertobi123 |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://tracker.nagios.org/view.php?id=15 | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Stefan Behte (RETIRED)
2009-06-24 13:28:47 UTC
Added the patch added 5 days ago in upstream CVS:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/statuswml.c?r1=1.27&r2=1.28&view=patch

Versions rev-bumped and bumped:
=net-analyzer/nagios-core-3.1.2
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1

Candidates for stabilization:
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1

Arches, please test and mark stable:
=net-analyzer/nagios-core-3.0.6-r2
=net-analyzer/nagios-core-2.12-r1
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

x86 stable

Both stable on alpha.

ppc64 and ppc done

amd64 stable

sparc stable

CVE-2009-2288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2288): statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.

doesn't the "nagios" ebuild need a bump as well?

(In reply to comment #9)
> doesn't the "nagios" ebuild need a bump as well?
>

no, it's just a meta-ebuild which pulls in actual nagios code (nagios-core).

sorry, i mistook the ~ for a =

(In reply to comment #11)
> sorry, i mistook the ~ for a =
>

no problem :)

GLSA 200907-15
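
The CVE entry quoted in this bug describes shell metacharacters in the ping and traceroute parameters reaching a command line. The following is an added example, not the upstream patch and not Nagios code: one way to allowlist such a host parameter and hand it to the tool as a single argv element instead of a shell string. The function names, the 255-character limit and the `ping -c 3` options are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (assumption, not from Nagios): returns 1 when `addr`
 * contains only characters valid in a hostname, IPv4 or IPv6 literal,
 * and 0 otherwise. Everything else, including whitespace and all shell
 * metacharacters, is rejected rather than escaped. */
int host_arg_is_safe(const char *addr)
{
    size_t i, len;

    if (addr == NULL)
        return 0;
    len = strlen(addr);
    if (len == 0 || len > 255)          /* assumed upper bound */
        return 0;
    if (addr[0] == '-')                 /* would be parsed as an option */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hypothetical helper: fills `argv` for an execv()-style call so that no
 * shell ever parses the address. Returns 0 on success, -1 when the
 * address fails validation (argv is left untouched in that case). */
int build_ping_argv(const char *addr, const char *argv[5])
{
    if (!host_arg_is_safe(addr))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = addr;                     /* one argument, never re-split */
    argv[4] = NULL;
    return 0;
}
```

Validation and shell-free execution are independent layers: the allowlist also stops option injection through a leading `-`, which avoiding the shell alone does not.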