Summary: | <net-analyzer/pnp4nagios-0.6.24: Two URL Cross-Site Scripting Vulnerabilities (CVE-2014-4908) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hydrapolic, jlec, sysadmin |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/58973/ | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-07-03 09:18:18 UTC
Tomas Mozes (comment #1):

Ebuild from 0.6.21 works for 0.6.24, tested on amd64. We've been using it in production for a week now.

Guido:

(In reply to Tomas Mozes from comment #1)
> Ebuild from 0.6.21 works for 0.6.24, tested on amd64. We've been using it in
> production for a week now.

Dear Tomas, please add an alternative DEPEND on net-analyzer/icinga2 to the upcoming ebuilds. The following diff is from my personal bumped version:

```diff
--- pnp4nagios-0.6.21.ebuild.20140314-113125	2014-03-14 11:31:26.000000000 +0100
+++ pnp4nagios-0.6.24.ebuild	2014-10-23 16:25:17.184022000 +0200
@@ -16,10 +16,11 @@
 IUSE=""
 KEYWORDS="amd64 ppc ppc64 ~sparc x86"
 
+# 20141023/gj alternatively depend on icinga2
 DEPEND="dev-lang/php[json,simplexml,zlib,xml,filter]
 	>=dev-lang/php-5.3
 	>=net-analyzer/rrdtool-1.2[perl]
-	|| ( net-analyzer/nagios-core net-analyzer/icinga )"
+	|| ( net-analyzer/nagios-core net-analyzer/icinga net-analyzer/icinga2 )"
 RDEPEND="${DEPEND}
 	virtual/perl-Getopt-Long
 	virtual/perl-Time-HiRes
```

Tomas Mozes:

Hey Guido, I'm just a random tester, I cannot bump the version ;) By the way, we've been using 0.6.24 since 2014/08.

```
+*pnp4nagios-0.6.24 (24 Oct 2014)
+
+  24 Oct 2014; Justin Lecher <jlec@gentoo.org> +pnp4nagios-0.6.24.ebuild:
+  Version BUmp; fixes security issues #516078 & #516140
+
```

@arches, please stable.

amd64 stable

x86 stable

ppc stable

ppc64 stable. Maintainer(s), please cleanup.

```
+  10 Nov 2014; Justin Lecher <jlec@gentoo.org> -pnp4nagios-0.6.19-r1.ebuild,
+  -pnp4nagios-0.6.21.ebuild:
+  Drop old
+
```

Justin, thank you for the very quick cleanup of vulnerable versions. Closing noglsa for XSS.

CVE-2014-4908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4908): Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching (1) share/pnp/application/views/kohana_error_page.php or (2) share/pnp/application/views/template.php, leading to improper handling within an http-equiv="refresh" META element.
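Review bot: in the ebuild diff posted by Guido above, the added line `+# 20141023/gj alternatively depend on icinga2` records a date and initials rather than a reason; before this goes into a committed ebuild it should be dropped or replaced with a comment on why icinga2 satisfies the same requirement as nagios-core and icinga, since the `|| ( ... )` change itself already says what is being done. The hunk changes DEPEND only, which is fine because `RDEPEND="${DEPEND}` inherits it, but nothing in the hunk or the thread shows 0.6.24 being exercised against icinga2: the production reports in the thread ("we've been using 0.6.24 since 2014/08") refer to the ebuild with the old dependency set, so the icinga2 alternative would go in untested.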
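The CVE text describes the bug class in one sentence: part of the request URI ends up inside the `content` attribute of a `<meta http-equiv="refresh">` element without being escaped, so a quote character in the URI closes the attribute and whatever follows is rendered as markup. The following PHP is an added illustration of that pattern and of a hardened version; it is not code from PNP4Nagios or from the bug thread, and the function names, the `/pnp4nagios/` fallback path and the sample URI are assumptions made for the example.

```php
<?php
// Added illustration (not PNP4Nagios code): a <meta http-equiv="refresh">
// target built from the request URI, first unescaped, then hardened.

// Vulnerable pattern: the URI is concatenated straight into the attribute.
// A double quote in the URI terminates content="..." and the remainder of
// the URI is parsed as HTML (the CVE-2014-4908 bug class).
function refresh_meta_unsafe(string $uri): string {
    return '<meta http-equiv="refresh" content="5; url=' . $uri . '">';
}

// Hardened pattern (assumed design, not the upstream fix):
//  1. accept only a same-site absolute path: one leading "/", no "//" host
//     part, no whitespace or quote/angle characters; otherwise fall back to
//     a fixed page, so "javascript:" and scheme-relative URLs never pass;
//  2. HTML-escape the value before it is placed in the attribute, so even a
//     character that slips past the check cannot close the attribute.
function refresh_meta_safe(string $uri, string $fallback = '/pnp4nagios/'): string {
    if (!preg_match('#\A/(?!/)[^\s<>"\']*\z#', $uri)) {
        $uri = $fallback;
    }
    $escaped = htmlspecialchars($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta http-equiv="refresh" content="5; url=' . $escaped . '">';
}

// Constructed sample inputs (not taken from the advisory).
$benign  = '/pnp4nagios/graph?host=localhost&srv=ping';
$crafted = '/pnp4nagios/graph?host=localhost"><b>not-a-url</b>';

echo refresh_meta_unsafe($benign),  PHP_EOL; // raw "&" inside an attribute
echo refresh_meta_unsafe($crafted), PHP_EOL; // the quote ends the attribute; <b> is rendered
echo refresh_meta_safe($benign),    PHP_EOL; // "&" becomes "&amp;", path accepted
echo refresh_meta_safe($crafted),   PHP_EOL; // quote rejected by the path check; fallback used
```

The allow-list check and the escaping are deliberately independent: the check limits where a refresh can send the browser (a reflected URI is also an open-redirect vector), and `htmlspecialchars` with `ENT_QUOTES` guarantees the attribute boundary regardless of what the check lets through.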