
Bug 598104 (CVE-2008-7313, CVE-2016-9565)

Summary: <net-analyzer/nagios-core-4.2.2: Arbitrary command execution via shell metacharacters in https URLs
Product: Gentoo Security
Reporter: Tomáš Mózes <hydrapolic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: andrew, creffett, mjo, proxy-maint, sysadmin
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 600864
Bug Blocks:

Description Tomáš Mózes 2016-10-26 05:19:10 UTC
From the changelog of 4.2.2 (https://www.nagios.org/projects/nagios-core/history/4x/):

SECURITY
There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on August 1, 2016. The fix was apparently incomplete, as there was still a problem. However, we are now getting all RSS feeds using AJAX calls instead of the (outdated) MagpieRSS package. Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).
Comment 1 Michael Orlitzky gentoo-dev 2016-10-28 15:18:35 UTC
I just added the fixed version to the tree, and removed a few older versions that weren't stable anywhere.
Comment 2 Tomáš Mózes 2016-10-29 05:29:27 UTC
(In reply to Michael Orlitzky from comment #1)
> I just added the fixed version to the tree, and removed a few older versions
> that weren't stable anywhere.

Thank you Michael.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:16:33 UTC
This issue was resolved and addressed in GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26 by GLSA coordinator Thomas Deutschmann (whissi).