The upstream fix for CVE-2007-5624 (bug 196732) is incomplete, there are further possibilities for XSS -- This is CVE-2007-5803. The new issue is not public as Nagios developers did not reply to the report, so please do not act on this yet.
Created attachment 142361 [details, diff] CVE-2007-5803.diff Patch proposed by Ludwig Nussel.
Created attachment 142376 [details] nagios-core-2.10-r2.ebuild Find attached a nagios-core-2.10-r2 ebuild which includes CVE-2007-5803.diff. (Just an additional epatch) Compiles fine, will do further testing.
Any news about a release date?
nagios-2.11 has been released on wednesday, its Changelog mentions "Fix for a potential cross site scripting vulnerability in the CGIs" though the proposed patch for this bug ("CVE-2007-5803") hasn't been applied yet ...
This is public via URL.
Created attachment 153125 [details, diff] nagios-2.9-CVE-2007-5803.diff Extracted from nagios-2.9-48.4.src.rpm.
http://sourceforge.net/project/shownotes.php?release_id=600377 2.12 was released with the fix.
Added both 2.12 and 3.0.2, the latter one is still p.masked. Please mark as stable: =net-analyzer/nagios-2.12 =net-analyzer/nagios-core-2.12
Sparc stable.
x86 stable
ppc64 stable
amd64 stable, all arches done.
Fixed in release snapshot.
sorry for the lag :/ time for glsa decision... XSS => I vote NO.
NO, closing.