Bug 585914 (CVE-2016-6209) - <net-analyzer/{nagios-4.3.1,nagios-core-4.3.1-r1}: Reflected XSS vulnerability and possible phishing vector
Status: RESOLVED FIXED
Alias: CVE-2016-6209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/NagiosEnterprises/...
Whiteboard: B4 [noglsa cve]
Keywords:
Duplicates: 610646
Depends on: 605724
Blocks:
 
Reported: 2016-06-14 10:32 UTC by Agostino Sarubbo
Modified: 2017-10-13 23:00 UTC

See Also:
Package list:
=net-analyzer/nagios-4.3.1 =net-analyzer/nagios-core-4.3.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-06-14 10:32:00 UTC
From ${URL} :

It was found that nagios is vulnerable to reflected XSS and phishing vector via corewindow.

Known via:

http://seclists.org/fulldisclosure/2016/Jun/20


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 22:43:28 UTC
Still not fixed. I created an upstream bug for that issue, see $URL.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-16 18:24:14 UTC
@ Maintainer(s): Upstream has addressed the problem via https://github.com/NagiosEnterprises/nagioscore/commit/78b7bdde3ab4dec265879ff1b4d49a398bf3ba9c which will be part of the next maintenance release. Keep in mind that they haven't fixed the issue, they just disabled the functionality per default.
Comment 3 Tomáš Mózes 2017-02-23 05:59:26 UTC
*** Bug 610646 has been marked as a duplicate of this bug. ***
Comment 4 Tomáš Mózes 2017-02-23 06:00:27 UTC
4.3.0 - 2017-02-21
------------------
SECURITY FIXES
* Fix for CVE-2016-6209 - The "corewindow" parameter (as in
  http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by
  default. See the UPGRADING document for how to enable it. (John Frickson)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-24 12:10:55 UTC
@ Maintainer(s): Please bump to >=net-analyzer/nagios-core-4.3.0 (4.3.1 is already available as of today).
Comment 6 Michael Orlitzky gentoo-dev 2017-02-25 19:29:42 UTC
Thanks for the heads up, I added the new version to the tree.

Beware that removal of nagios-3.x is still blocked on either bug #605724 or bug #600424.
Comment 7 Stabilization helper bot gentoo-dev 2017-02-27 15:01:05 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0/desktop) ['net-analyzer/nagios-plugins']
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-27 15:30:19 UTC
Removing ia64, which was added in error.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-02-27 21:47:51 UTC
ppc ppc64 stable.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:25:01 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-03-02 10:30:30 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-03-02 10:47:59 UTC
x86 stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-04 12:19:03 UTC
??
Comment 14 Agostino Sarubbo gentoo-dev 2017-03-04 14:02:27 UTC
sparc stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-08 05:16:06 UTC
Stable for HPPA.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-03-08 05:21:26 UTC
Arches, thank you for your work.
No GLSAs for Cross-Site Scripting (XSS) as per policy.

Maintainer(s), please drop the vulnerable version(s).
Comment 17 Michael Orlitzky gentoo-dev 2017-03-08 12:51:40 UTC
I dropped the vulnerable 4.x version, but we're stuck with 3.5.1 (see comment #6).
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-10-13 23:00:34 UTC
cleanup will be tracked in 628086