Summary: | <net-analyzer/icinga-web-1.13.4 - possible root privilege escalation during opening logs | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Matthew Thode ( prometheanfire )
2016-12-23 03:14:06 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #0) > I'm not actually sure if the cve effects this as this is supposed to be the > front-end split out. But I've added 1.14.0 to the tree and cleaned old > packages I would suggest to close this bug (maybe as invalid) because like Matthew already suspected the net-analyzer/icinga-web package isn't affected. The vulnerable code was https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4 which isn't included in this package. The icinga web component was only a potential vector to access the vulnerability because the www-user needs to access some nagios/icinga files and therefore is often added to nagios group with the result that the www-data user can start the attack. |