CVE-2013-7205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7205): Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read. CVE-2013-7108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7108): Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
Bumped. Arches, please test and mark stable: =net-analyzer/nagios-core-3.5.1 Target arches: alpha amd64 arm hppa ppc ppc64 sparc x86
My mistake, should have added nagios, and arm wasn't stable before. New stable targets: =net-analyzer/nagios-3.5.1 =net-analyzer/nagios-core-3.5.1 Target arches: alpha amd64 hppa ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
ppc64 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
@Alexander, creffett: do either of you mind if I drop nagios and nagios core before 3.5.1?
GLSA Vote: Yes due to existing GLSA request for bug 447802
(In reply to Kristian Fiskerstrand from comment #12) > GLSA Vote: Yes due to existing GLSA request for bug 447802 Agreed.
I meant "Andrew" in my last comment, not "Alexander," sorry. I blame the Hamilton. Also: ping! We've got at least three security bugs open for <nagios-3.5.1 so I'd like to get rid of them. If I don't hear an objection for a while, I'll do the easier-to-ask-forgiveness thing =)
This issue was resolved and addressed in GLSA 201412-23 at http://security.gentoo.org/glsa/glsa-201412-23.xml by GLSA coordinator Sean Amoss (ackle).
(In reply to Agostino Sarubbo from comment #9) > sparc stable. Only nagios-core-3.5.1 is stable for sparc, but not nagios-3.5.1. Is this intentional?
For net-analyzer/nagios-3.5.1: KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ppc ~ppc64 ~sparc x86" and net-analyzer/nagios-core-3.5.1: KEYWORDS="alpha amd64 ~arm ~arm64 hppa ppc ppc64 sparc x86" It looks like we need alpha, ppc, ppc64, and sparc stabilizations for =net-analyzer/nagios-3.5.1.
Reopening for stabilization as per comment #17.
Looks like with a bit of confusion some arches stabilizations were missed. Please stabilize: =net-analyzer/nagios-3.5.1 Target missed arches: alpha ppc ppc64 sparc
GLSA for this is already out c.f comment #15. Cleanup done, closing.