4.2.3 - 2016-11-21
-------------------
SECURITY FIXES
* Fixed a root privilege escalation (CVE-2016-8641) (John Frickson)

FIXES
* external command during reload doesn't work (John Frickson)
* Nagios provides no error condition as to why it fails on the verify for serviceescalation (John Frickson)
* No root group in FreeBSD and Apple OS X (John Frickson)
* jsonquery.html doesn't display scheduled_time_ok correctly (John Frickson)
* daemon_dumps_core=1 has no effect on Linux when Nagios started as root (John Frickson)
* Configuration check in hostgroup - misspelled hostname does not error (John Frickson)
* contacts or contact_groups directive with no value should not be allowed (John Frickson)
* Compile 64-bit on SPARC produces LD error (John Frickson)
* HOSTSTATEID returns 0 even if host does not exist (John Frickson)
* Submitting UNREACHABLE passive result for host sets it as DOWN if the host has no parents (John Frickson)
* nagios: job XX (pid=YY): read() returned error 11 (changed from LOG_ERR to LOG_NOTICE) (John Frickson)
* Fix for quick search not showing services if wildcard used (John Frickson)

The new version's in the tree.
@ Maintainer(s): Are we really affected? We don't use upstream's runscript.

Because https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9f880e8b090e0ed41903fe06f4d64f58580b531 didn't touch our runscript, please double check and confirm that we don't make the same mistake:

https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1.patch

If you do not understand the problem from reviewing upstream changes, please ping security for help.
(In reply to Thomas Deutschmann from comment #2)
> please double check and confirm that we don't make the same mistake:
>

You're right, I should have checked the diff. I'll have to put out an -r1 with a new init script.
Done. The init script was fiddling with some things that, in my opinion, it shouldn't have. Hopefully no one reports a crazy corner case that I just broke.

commit 6371a02d00ea5b9bd43d92ab63ee8f81fa9b68e3
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Sun Dec 4 10:46:25 2016 -0500

    net-analyzer/nagios-core: new revision and init script to fix CVE-2016-8641.

    The new version 4.2.3 was added to fix CVE-2016-8641 in commit
    c9f880e. However, the root privilege exploit results from the use of
    "chown" in the init script. We don't use upstream's init script, so a
    proper fix requires an update to our init script as well.

    The following changes were made to the init script:

      * We no longer attempt to delete the external command file before
        starting or stopping the daemon. It's not clear why this was
        done, and that file should not exist unless the user
        intentionally creates it.

      * We do not create or change ownership of /var/nagios/nagios.log
        or /var/nagios/status.sav when starting the daemon. The log file
        path is defined in the config file, so the hard-coded path in
        the init script might not have referred to the true location of
        the log file. And when the nagios daemon creates these files on
        its own, they should already have the correct permissions and
        ownership. By removing the "chown", we have actually fixed the
        root privilege exploit in CVE-2016-8641.

      * The two files /var/nagios/status.log and /var/nagios/nagios.tmp
        are not deleted after the daemon has shut down. I can come up
        with no compelling argument to do so.

    Gentoo-Bug: 600864

    Package-Manager: portage-2.3.0
Right, on Gentoo, exploitation was possible via the "/var/nagios/nagios.log" or "/var/nagios/status.sav" file. This is now fixed. Thanks for the rev bump!

@ Arches, please test and mark stable:

=net-analyzer/nagios-core-4.2.3-r1
=net-analyzer/nagios-4.2.3
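
The commit message above traces the flaw to a root-run "chown" on files under /var/nagios. As an added example (not part of the Gentoo init script or upstream's), this shell function audits whether a path is a safe chown target for a privileged script; the function name, the result strings and the TRUSTED_UID parameter are assumptions, and it relies on GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example; not taken from the Gentoo or upstream Nagios init script.
# Audits whether PATH is a safe target for a chown issued by a privileged
# script. Assumes GNU coreutils stat (-c). TRUSTED_UID (hypothetical
# parameter) defaults to 0, i.e. root.
chown_target_risk() {
    target=$1
    trusted_uid=${2:-0}
    parent=$(dirname -- "$target")

    # chown follows symlinks by default, so a link here redirects the change.
    if [ -L "$target" ]; then
        echo "symlink"; return 1
    fi
    # Without the parent directory there is nothing to inspect.
    if [ ! -d "$parent" ]; then
        echo "missing-parent"; return 1
    fi
    owner=$(stat -c '%u' -- "$parent")
    mode=$(stat -c '%a' -- "$parent")
    # The directory owner can rename or replace entries in it at any time.
    if [ "$owner" != "$trusted_uid" ]; then
        echo "untrusted-owner"; return 1
    fi
    # Group or world write permission on the directory allows the same.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable-parent"; return 1
    fi
    echo "ok"
}

# The two paths the old init script changed ownership of, per the thread.
for f in /var/nagios/nagios.log /var/nagios/status.sav; do
    printf '%s: %s\n' "$f" "$(chown_target_risk "$f")"
done
```

The result is a point-in-time audit and does not make a later chown safe; the fix described in the commit removes the chown instead.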
Stable on alpha.
amd64 stable
x86 stable
This issue was resolved and addressed in GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26 by GLSA coordinator Thomas Deutschmann (whissi).