Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 595194 (CVE-2008-4796) - <net-analyzer/nagios-core-4.2.0: snoopy: command execution via shell metacharacters (CVE-2008-4796)
Summary: <net-analyzer/nagios-core-4.2.0: snoopy: command execution via shell metachar...
Status: RESOLVED FIXED
Alias: CVE-2008-4796
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-26 12:22 UTC by Tomáš Mózes
Modified: 2017-02-21 00:14 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tomáš Mózes 2016-09-26 12:22:27 UTC
https://github.com/NagiosEnterprises/nagioscore/blob/master/Changelog

Version 4.2.0 fixes security issues but there is a newer version 4.2.1 that fixes regressions introduced in 4.2.0.
Comment 1 Tomáš Mózes 2016-09-26 12:53:46 UTC
Upstream merged the patches for 4.1.1 and after removing them nagios compiles fine, our instance seems to be running ok.
Comment 2 Michael Orlitzky gentoo-dev 2016-09-26 13:28:52 UTC
The fixed version is in the tree. During stabilization, please also get the metapackage =net-analyzer/nagios-4.2.1.

I also updated the ebuild to EAPI=6 and dropped the depend.apache, multilib, and eutils eclasses. I'm fairly sure that depend.apache.eclass was only being used to define $APACHE2_MODULES_CONFDIR (which I inlined), but I would feel better if someone who uses the web interface tests it.
Comment 3 Tomáš Mózes 2016-09-26 21:33:43 UTC
(In reply to Michael Orlitzky from comment #2)
> The fixed version is in the tree. During stabilization, please also get the
> metapackage =net-analyzer/nagios-4.2.1.
> 
> I also updated the ebuild to EAPI=6 and dropped the depend.apache, multilib,
> and eutils eclasses. I'm fairly sure that depend.apache.eclass was only
> being used to define $APACHE2_MODULES_CONFDIR (which I inlined), but I would
> feel better if someone who uses the web interface tests it.

Thanks Michael. Tested with USE="apache2 web" and works ok.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-01-31 12:59:35 UTC
CVE-2013-4214 was handled by bug 480352.


Added to an existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:14:18 UTC
This issue was resolved and addressed in
 GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26
by GLSA coordinator Thomas Deutschmann (whissi).