Summary: | <net-analyzer/{nagios-4.3.1,nagios-core-4.3.1-r1}: Reflected XSS vulnerability and possible phishing vector | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | andrew, creffett, hydrapolic, mjo, proxy-maint, sysadmin |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/NagiosEnterprises/nagioscore/issues/297 | ||
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1346217 | ||
Whiteboard: | B4 [noglsa cve] | ||
Package list: |
=net-analyzer/nagios-4.3.1
=net-analyzer/nagios-core-4.3.1-r1
|
Runtime testing required: | --- |
Bug Depends on: | 605724 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2016-06-14 10:32:00 UTC
Still not fixed. I created an upstream bug for that issue, see $URL. @ Maintainer(s): Upstream has addressed the problem via https://github.com/NagiosEnterprises/nagioscore/commit/78b7bdde3ab4dec265879ff1b4d49a398bf3ba9c which will be part of the next maintenance release. Keep in mind that they haven't fixed the issue, they just disabled the functionality per default. *** Bug 610646 has been marked as a duplicate of this bug. *** 4.3.0 - 2017-02-21 ------------------ SECURITY FIXES * Fix for CVE-2016-6209 - The "corewindow" parameter (as in http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by default. See the UPGRADING document for how to enable it. (John Frickson) @ Maintainer(s): Please bump to >=net-analyzer/nagios-core-4.3.0 (4.3.1 is already available as of today). Thanks for the heads up, I added the new version to the tree. Beware that removal of nagios-3.x is still blocked on either bug #605724 or bug #600424. An automated check of this bug failed - repoman reported dependency errors (7 lines truncated):
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0/desktop) ['net-analyzer/nagios-plugins']
Removing ia64 which was added on error. ppc ppc64 stable. Stable on alpha. amd64 stable x86 stable ?? sparc stable Stable for HPPA. Arches, Thank you for your work. No GLSA's for Cross-Site Scripting (XSS) as per policy. Maintainer(s), please drop the vulnerable version(s). I dropped the vulnerable 4.x version, but we're stuck with 3.5.1 (see comment #6). cleanup will be tracked in 628086 |