From the changelog of 4.2.2 (https://www.nagios.org/projects/nagios-core/history/4x/):
There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on August 1, 2016. The fix was apparently incomplete, as there was still a problem. However, we are now getting all RSS feeds using AJAX calls instead of the (outdated) MagpieRSS package. Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).
I just added the fixed version to the tree, and removed a few older versions that weren't stable anywhere.
(In reply to Michael Orlitzky from comment #1)
> I just added the fixed version to the tree, and removed a few older versions
> that weren't stable anywhere.
Thank you Michael.
This issue was resolved and addressed in
GLSA 201702-26 at https://security.gentoo.org/glsa/201702-26
by GLSA coordinator Thomas Deutschmann (whissi).