| Field | Value |
|---|---|
| Summary | net-analyzer/nagstamon-0.9.11_rc1: User credentials exposure (CVE-2013-4114) |
| Product | Gentoo Security |
| Reporter | Ewoud Kohl van Wijngaarden <ewoud+gentoo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | idl0r, sysadmin |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://nagstamon.ifw-dresden.de/docs/security/ |
| Whiteboard | B1 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Ewoud Kohl van Wijngaarden
2013-07-11 13:19:17 UTC

Calling this a B1, since as best I can understand the announcement it's possible to get the remote monitoring (i.e. nagios) user's credentials. Excerpt: "A remote attacker could use this flaw to obtain user credentials for server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request."

@maintainers: please ack a stable

Comment #2 by Ewoud Kohl van Wijngaarden

Created attachment 354002 [details]
nagstamon-0.9.10.ebuild

Since the patch is 92 lines and this is just 43, I didn't upload a patch. Changes are:
* Use distutils-r1.eclass instead of python.eclass
* Link to the new website

This could use some review:
* I'm unsure if the postinst and postrm are still needed. I didn't think so, but couldn't find it in the documentation.
* I'm now installing using setup.py, but this means the resources are duplicated for each python version.

Because of this security leak, I am using this ebuild on my desktop without any issues. If it would help to get this in the tree, I am willing to work on this with a proxy maintainer. (Or would I be the proxy maintainer? Little unclear on the exact terminology.)

Comment #3 by Christian Ruppert (idl0r)

Sorry for the delay. Feel free to stabilize 0.9.11_rc1. It works fine for me so I think it's ok to stabilize it.

Comment

(In reply to Christian Ruppert (idl0r) from comment #3)
> Sorry for the delay. Feel free to stabilize 0.9.11_rc1. It works fine for me
> so I think it's ok to stabilize it.

Arches, please test and mark stable =net-analyzer/nagstamon-0.9.11_rc1
Target keywords: amd64 x86

Comment

(In reply to Ewoud Kohl van Wijngaarden from comment #2)
> Created attachment 354002 [details]
> nagstamon-0.9.10.ebuild
>
> Since the patch is 92 lines and this is just 43, I didn't upload a patch.
> Changes are:
> * Use distutils-r1.eclass instead of python.eclass
> * Link to the new website
>
> This could use some review:
> * I'm unsure if the postinst and postrm are still needed. I didn't think so,
> but couldn't find it in the documentation.
> * I'm now installing using setup.py, but this means the resources are
> duplicated for each python version.
>
> Because of this security leak, I am using this ebuild on my desktop without
> any issues. If it would help to get this in the tree, I am willing to work
> on this with a proxy maintainer. (Or would I be the proxy maintainer? Little
> unclear on the exact terminology.)

Post your ebuild improvements in a separate bug, please. This bug is about security issue CVE-2013-4114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4114): The automatic update request in Nagstamon before 0.9.10 uses a cleartext base64 format for transmission of a username and password, which allows remote attackers to obtain sensitive information by sniffing the network.

Comment

amd64 stable

Comment

x86 stable

Comment

Thanks to all. GLSA request filed

Comment

This issue was resolved and addressed in GLSA 201401-03 at http://security.gentoo.org/glsa/glsa-201401-03.xml by GLSA coordinator Sergey Popov (pinkbyte).

Comment #11 by Ewoud Kohl van Wijngaarden

Not sure if this is the right place to report, but in the GLSA it states vulnerable versions are >= 0.9.11_rc1, but I think this should be <=.

Also there is a workaround by disabling checks for newer versions.

Comment

(In reply to Ewoud Kohl van Wijngaarden from comment #11)
> Not sure if this is the right place to report, but in the GLSA it states
> vulnerable versions are >= 0.9.11_rc1, but I think this should be <=. Also
> there is a workaround by disabling checks for newer versions.

Indeed, that's a mistake, new GLSA revision rolled out. Updated version will soon be on glsa.gentoo.org. Update instructions have not changed, so, as per our policy, no republication or erratum is needed.
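The CVE text quoted in this bug describes credentials sent base64-encoded in a plain HTTP update request; base64 is a reversible encoding, not encryption, so anyone who can see the request can recover the username and password. The following Python is an added example, not code from this bug, the GLSA or the Nagstamon project: it scans constructed proxy-style request log lines for query parameters whose value base64-decodes to a `user:password` pair and reports which of them travelled over cleartext HTTP. The hostname, the `auth` parameter name and the credential values are all constructed for the example and do not reflect Nagstamon's real request format; findings carry the username only, never the password, so they can be logged safely.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed proxy-style log of outbound update-check requests. The host,
# the "auth" parameter and the values are hypothetical, not Nagstamon's
# actual request format. The first and fifth lines carry base64 of
# "nagiosadmin:hunter2"; the third carries base64 of "not-a-credential".
SAMPLE_LOG = """\
GET http://updates.example.invalid/check?version=0.9.9&auth=bmFnaW9zYWRtaW46aHVudGVyMg== HTTP/1.1
GET https://updates.example.invalid/check?version=0.9.11 HTTP/1.1
GET http://updates.example.invalid/check?version=0.9.9&auth=bm90LWEtY3JlZGVudGlhbA== HTTP/1.1
GET http://updates.example.invalid/check?version=0.9.9 HTTP/1.1
GET https://updates.example.invalid/check?version=0.9.9&auth=bmFnaW9zYWRtaW46aHVudGVyMg== HTTP/1.1
"""

# A decoded user:password token: a short username, one colon, a password
# without whitespace or further colons.
CREDENTIAL_RE = re.compile(r"^([A-Za-z0-9._@-]{1,64}):([^\s:]{1,256})$")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def try_base64_decode(value):
    """Return the decoded text if value is well-formed base64 of printable
    UTF-8 text, otherwise None (version strings like 0.9.9 fall out here)."""
    if len(value) % 4 or not BASE64_RE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def credential_username(value):
    """If value base64-decodes to user:password, return only the username."""
    plain = try_base64_decode(value)
    if plain is None:
        return None
    match = CREDENTIAL_RE.match(plain)
    return match.group(1) if match else None


def find_credentials_in_log(log_text):
    """Scan request lines and report query parameters that carry a base64
    user:password pair. cleartext=True means the scheme was plain http, i.e.
    the pair was observable to anyone on the network path."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].startswith("http"):
            continue
        url = parts[1]
        split = urlsplit(url)
        # Split the query by hand and use unquote() rather than parse_qsl():
        # parse_qsl turns "+" into a space, which would corrupt raw base64.
        for pair in split.query.split("&"):
            name, _, value = pair.partition("=")
            user = credential_username(unquote(value))
            if user is not None:
                findings.append({
                    "url": url,
                    "param": name,
                    "username": user,
                    "cleartext": split.scheme == "http",
                })
    return findings


if __name__ == "__main__":
    for f in find_credentials_in_log(SAMPLE_LOG):
        severity = "CLEARTEXT" if f["cleartext"] else "tls-protected"
        print(f"{severity}: param '{f['param']}' carries credentials for "
              f"user '{f['username']}' in {f['url']}")
```

Run against the constructed log, the script flags the first line as a cleartext credential leak and the last as the same credential over TLS; the TLS case is still reported because a credential in a query string also lands in server and proxy logs, which is why removing credentials from the update check (as the fixed version does) is a better remedy than merely switching the scheme.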