From ${URL} : It was found that nagios is vulnerable to reflected XSS and phishing vector via corewindow. Known via: http://seclists.org/fulldisclosure/2016/Jun/20 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Still not fixed. I created an upstream bug for that issue, see $URL.
@ Maintainer(s): Upstream has addressed the problem via https://github.com/NagiosEnterprises/nagioscore/commit/78b7bdde3ab4dec265879ff1b4d49a398bf3ba9c which will be part of the next maintenance release. Keep in mind that they haven't fixed the issue, they just disabled the functionality per default.
*** Bug 610646 has been marked as a duplicate of this bug. ***
4.3.0 - 2017-02-21 ------------------ SECURITY FIXES * Fix for CVE-2016-6209 - The "corewindow" parameter (as in http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by default. See the UPGRADING document for how to enable it. (John Frickson)
@ Maintainer(s): Please bump to >=net-analyzer/nagios-core-4.3.0 (4.3.1 is already available as of today).
Thanks for the heads up, I added the new version to the tree. Beware that removal of nagios-3.x is still blocked on either bug #605724 or bug #600424.
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): > dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins'] > dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins'] > dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0/desktop) ['net-analyzer/nagios-plugins']
Removing ia64 which was added on error.
ppc ppc64 stable.
Stable on alpha.
amd64 stable
x86 stable
??
sparc stable
Stable for HPPA.
Arches, Thank you for your work. No GLSA's for Cross-Site Scripting (XSS) as per policy. Maintainer(s), please drop the vulnerable version(s).
I dropped the vulnerable 4.x version, but we're stuck with 3.5.1 (see comment #6).
cleanup will be tracked in 628086