From $url: Nagstamon prior to version 0.9.10 has a grave security hole built in. The automatic request to http://nagstamon.sourceforge.net/latest_version_<version> to get update information contained the username and password of one of your monitor servers. Yes, username and password - in plain base64 text format in the HTTP Basic Auth header. Reproducible: Always
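As an added illustration (not Nagstamon's code and not part of this bug report), a Python sketch of the mitigation: bind the Basic Auth credentials to the monitor server's origin so that an unrelated request such as the update check carries no Authorization header, plus a decoder showing why the leaked header is equivalent to the plaintext password. The hostnames and credentials are constructed for the example.

```python
"""Added example: scope HTTP Basic Auth credentials to one origin.
Not Nagstamon's own code; URLs and credentials below are constructed."""
from __future__ import annotations
import base64
from urllib.parse import urlsplit

# Constructed sample: the monitor server the credentials belong to, and the
# unrelated update-check URL of the kind named in the report.
MONITOR_URL = "https://nagios.example.internal/cgi-bin/status.cgi"
UPDATE_URL = "http://nagstamon.sourceforge.net/latest_version_0.9.9"


def origin(url: str) -> tuple[str, str, int]:
    """Key credentials by (scheme, host, port), not by hostname alone."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


class ScopedBasicAuth:
    """Basic Auth credentials bound to exactly one origin."""

    def __init__(self, bound_to_url: str, username: str, password: str):
        self.origin = origin(bound_to_url)
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.header = "Basic " + token

    def headers_for(self, url: str) -> dict:
        """Attach the header only for the bound origin; nothing otherwise."""
        if origin(url) == self.origin:
            return {"Authorization": self.header}
        return {}


def unscoped_headers(auth: ScopedBasicAuth, url: str) -> dict:
    """The failure mode from the report: one header attached to every request."""
    return {"Authorization": auth.header}


def decode_basic(header_value: str) -> tuple[str, str]:
    """Basic Auth is encoding, not encryption: recover user and password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

A client built this way cannot repeat the reported leak, because the update URL resolves to a different origin and so receives an empty header set.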
Calling this a B1, since as best I can understand the announcement it's possible to get the remote monitoring (i.e. nagios) user's credentials. Excerpt: "A remote attacker could use this flaw to obtain user credentials for server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request." @maintainers: please ack a stable
Created attachment 354002 [details]
nagstamon-0.9.10.ebuild

Since the patch is 92 lines and this is just 43, I didn't upload a patch. Changes are:
* Use distutils-r1.eclass instead of python.eclass
* Link to the new website

This could use some review:
* I'm unsure if the postinst and postrm are still needed. I didn't think so, but couldn't find it in the documentation.
* I'm now installing using setup.py, but this means the resources are duplicated for each python version.

Because of this security leak, I am using this ebuild on my desktop without any issues. If it would help to get this in the tree, I am willing to work on this with a proxy maintainer. (Or would I be the proxy maintainer? Little unclear on the exact terminology.)
Sorry for the delay. Feel free to stabilize 0.9.11_rc1. It works fine for me so I think it's ok to stabilize it.
(In reply to Christian Ruppert (idl0r) from comment #3)
> Sorry for the delay. Feel free to stabilize 0.9.11_rc1. It works fine for me
> so I think it's ok to stabilize i

Arches, please test and mark stable =net-analyzer/nagstamon-0.9.11_rc1
Target keywords: amd64 x86
(In reply to Ewoud Kohl van Wijngaarden from comment #2)
> Created attachment 354002 [details]
> nagstamon-0.9.10.ebuild
>
> Since the patch is 92 lines and this is just 43, I didn't upload a patch.
> Changes are:
> * Use distutils-r1.eclass instead of python.eclass
> * Link to the new website
>
> This could use some review:
> * I'm unsure if the postinst and postrm are still needed. I didn't think so,
> but couldn't find it in the documentation.
> * I'm now installing using setup.py, but this means the resources are
> duplicated for each python version.
>
> Because of this security leak, I am using this ebuild on my desktop without
> any issues. If it would help to get this in the tree, I am willing to work
> on this with a proxy maintainer. (Or would I be the proxy maintainer? Little
> unclear on the exact terminology.)

Post your ebuild improvements in a separate bug, please. This bug is about the security issue.
CVE-2013-4114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4114): The automatic update request in Nagstamon before 0.9.10 uses a cleartext base64 format for transmission of a username and password, which allows remote attackers to obtain sensitive information by sniffing the network.
amd64 stable
x86 stable
Thanks to all. GLSA request filed
This issue was resolved and addressed in GLSA 201401-03 at http://security.gentoo.org/glsa/glsa-201401-03.xml by GLSA coordinator Sergey Popov (pinkbyte).
Not sure if this is the right place to report, but in the GLSA it states vulnerable versions is >= 0.9.11_rc1, but I think this should be <=. Also there is a workaround by disabling checks for newer versions.
(In reply to Ewoud Kohl van Wijngaarden from comment #11)
> Not sure if this is the right place to report, but in the GLSA it states
> vulnerable versions is >= 0.9.11_rc1, but I think this should be <=. Also
> there is a workaround by disabling checks for newer versions.

Indeed, that's a mistake; a new GLSA revision has been rolled out. The updated version will soon be on glsa.gentoo.org. The update instructions have not changed, so, as per our policy, no republication or erratum is needed.