Summary: | <net-analyzer/nagios-core-4.2.4: Root privilege escalation (CVE-2016-9566) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tomáš Mózes <hydrapolic> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | creffett, mjo, sysadmin |
Priority: | Normal | Flags: | kensington:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [glsa cve] | ||
Package list: |
=net-analyzer/nagios-core-4.2.4
=net-analyzer/nagios-4.2.4
|
Runtime testing required: | --- |
Bug Depends on: | 605724 | ||
Bug Blocks: | 600864 |
Description
Tomáš Mózes
2016-12-10 06:00:00 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1402869#c0: An unsafe file opening/creation of logging files that can be misused for root privilege escalation was found in base/logging.c. Upstream patch: https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4 @ Maintainer(s): Please bump to =net-analyzer/nagios-core-4.2.4 which is already available. (In reply to Thomas Deutschmann from comment #1) > > @ Maintainer(s): Please bump to =net-analyzer/nagios-core-4.2.4 which is > already available. It's in the tree. @ Arches, please test and mark stable: =net-analyzer/nagios-core-4.2.4 =net-analyzer/nagios-4.2.4 Stable on alpha. amd64 stable x86 stable sparc stable ppc stable ppc64 stable https://bugs.gentoo.org/show_bug.cgi?id=603534 and https://bugs.gentoo.org/show_bug.cgi?id=603536 have the same issue but are cleaned up and done Stable for HPPA. Old versions have been cleaned up. (In reply to Michael Orlitzky from comment #12) > Old versions have been cleaned up. Nevermind, the removal of nagios-3.x broke the tree because net-analyzer/pnp4nagios requires it on three arches. I've filed a keyword request for icinga, which can satisfy the same dependency. Once that's done in bug 605724, some version of icinga can be stabilized, and then I can finally get rid of nagios-3.x. New GLSA request filed. This issue was resolved and addressed in GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for cleanup. Maintainer(s), please drop the vulnerable version(s). I can't without breaking the tree (bug 605724). This issue was resolved and addressed in GLSA 201710-20 at https://security.gentoo.org/glsa/201710-20 by GLSA coordinator Aaron Bauman (b-man). |