Bug 585914 (CVE-2016-6209)

Summary: <net-analyzer/{nagios-4.3.1,nagios-core-4.3.1-r1}: Reflected XSS vulnerability and possible phishing vector
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: andrew, creffett, hydrapolic, mjo, proxy-maint, sysadmin
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
See Also:
Whiteboard: B4 [noglsa cve]
Package list:
=net-analyzer/nagios-4.3.1 =net-analyzer/nagios-core-4.3.1-r1
Runtime testing required: ---
Bug Depends on: 605724    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-06-14 10:32:00 UTC
From ${URL} :

It was found that nagios is vulnerable to reflected XSS and phishing vector via corewindow.

Known via:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2016-11-29 22:43:28 UTC
Still not fixed. I created an upstream bug for that issue, see $URL.
Comment 2 Thomas Deutschmann gentoo-dev 2016-12-16 18:24:14 UTC
@ Maintainer(s): Upstream has addressed the problem via which will be part of the next maintenance release. Keep in mind that they haven't fixed the issue, they just disabled the functionality per default.
Comment 3 Tomáš Mózes 2017-02-23 05:59:26 UTC
*** Bug 610646 has been marked as a duplicate of this bug. ***
Comment 4 Tomáš Mózes 2017-02-23 06:00:27 UTC
4.3.0 - 2017-02-21
* Fix for CVE-2016-6209 - The "corewindow" parameter (as in
  http://localhost/nagios? has been disabled by
  default. See the UPGRADING document for how to enable it. (John Frickson)
Comment 5 Thomas Deutschmann gentoo-dev 2017-02-24 12:10:55 UTC
@ Maintainer(s): Please bump to >=net-analyzer/nagios-core-4.3.0 (4.3.1 is already available as of today).
Comment 6 Michael Orlitzky gentoo-dev 2017-02-25 19:29:42 UTC
Thanks for the heads up, I added the new version to the tree.

Beware that removal of nagios-3.x is still blocked on either bug #605724 or bug #600424.
Comment 7 Stabilization helper bot gentoo-dev 2017-02-27 15:01:05 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0/desktop) ['net-analyzer/nagios-plugins']
Comment 8 Thomas Deutschmann gentoo-dev 2017-02-27 15:30:19 UTC
Removing ia64, which was added in error.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-02-27 21:47:51 UTC
ppc ppc64 stable.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:25:01 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-03-02 10:30:30 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-03-02 10:47:59 UTC
x86 stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-04 12:19:03 UTC
Comment 14 Agostino Sarubbo gentoo-dev 2017-03-04 14:02:27 UTC
sparc stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-08 05:16:06 UTC
Stable for HPPA.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-03-08 05:21:26 UTC
Arches, thank you for your work.
No GLSAs for Cross-Site Scripting (XSS) as per policy.

Maintainer(s), please drop the vulnerable version(s).
Comment 17 Michael Orlitzky gentoo-dev 2017-03-08 12:51:40 UTC
I dropped the vulnerable 4.x version, but we're stuck with 3.5.1 (see comment #6).
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-13 23:00:34 UTC
cleanup will be tracked in 628086