Bug 434586 (CVE-2012-3441) - <net-analyzer/icinga-1.7.2: Insecure creation of the MySQL icinga user (CVE-2012-3441)
Summary: <net-analyzer/icinga-1.7.2: Insecure creation of the MySQL icinga user (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2012-3441
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Reported: 2012-09-10 13:16 UTC by GLSAMaker/CVETool Bot
Modified: 2012-09-20 23:34 UTC (History)
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-10 13:16:04 UTC
CVE-2012-3441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3441):
  The database creation script (module/idoutils/db/scripts/create_mysqldb.sh)
  in Icinga 1.7.1 grants access to all databases to the icinga user, which
  allows icinga users to access other databases via unspecified vectors.
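The weakness the CVE text describes is a privilege scoping mistake: the IDOUtils setup script grants the monitoring account rights on every schema on the server instead of on its own. The SQL below is an added illustration, not the contents of Icinga's create_mysqldb.sh or its 1.7.2 fix. The privilege list, the host 'localhost' and the password 'changeme' are placeholders chosen for the example; it shows the over-broad global grant, the same grant scoped to the icinga schema, and two checks a practitioner can run on an existing server to see which form is in effect.

```sql
-- Added example (not Icinga project code). Assumed names: database 'icinga',
-- account 'icinga'@'localhost', placeholder password 'changeme'.
CREATE DATABASE IF NOT EXISTS icinga;
CREATE USER 'icinga'@'localhost' IDENTIFIED BY 'changeme';

-- Over-broad form: ON *.* applies to every schema on the server, including
-- other applications' databases and the mysql system schema.
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
  ON *.* TO 'icinga'@'localhost';

-- Hardened form: drop the global privileges, then grant the same set
-- on the icinga schema only.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'icinga'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
  ON icinga.* TO 'icinga'@'localhost';
FLUSH PRIVILEGES;

-- Check 1: the effective grants for the account. A scoped install shows
-- "GRANT ... ON `icinga`.*"; an over-broad one shows "GRANT ... ON *.*".
SHOW GRANTS FOR 'icinga'@'localhost';

-- Check 2: every account that still holds a global (non-USAGE) privilege.
-- information_schema.USER_PRIVILEGES lists only *.* grants, so an
-- unpatched install lists 'icinga'@'localhost' here; a scoped one does not.
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE <> 'USAGE'
 ORDER BY GRANTEE, PRIVILEGE_TYPE;
```

Check 2 is the one worth keeping as a routine audit: a global SELECT alone is enough to read other applications' tables, so any application account appearing in that result deserves a look regardless of which installer created it.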
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2012-09-10 13:17:46 UTC
Maintainers:

This is fixed in 1.7.2. Patches are available at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3441 if you want to stay on 1.6.

Please let us know what your desired course of action is.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-10 15:27:00 UTC
updated to 1.7.2

please stabilize 1.7.2 and let me know so I can destabilize 1.6.1-r2 (or you can do it).
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-09-10 18:51:28 UTC
Arches, please test and mark stable:
=net-analyzer/icinga-1.7.2
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-11 18:08:33 UTC
amd64 stable
Comment 5 Andreas Schürch gentoo-dev 2012-09-16 11:07:14 UTC
x86 done, last arch!
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-17 19:13:43 UTC
Thanks, everyone.

Matthew: <net-analyzer/icinga-1.7.2 can be dropped now.

GLSA vote: no.
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-17 19:54:07 UTC
cleaned up the old stuff
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-20 07:00:43 UTC
should this be closed (know the rules, not by me), since the affected versions are not in tree now?
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:34:18 UTC
Thanks, folks. GLSA Vote: no. Closing.