Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585914 (CVE-2016-6209) - <net-analyzer/{nagios-4.3.1,nagios-core-4.3.1-r1}: Reflected XSS vulnerability and possible phishing vector
Summary: <net-analyzer/{nagios-4.3.1,nagios-core-4.3.1-r1}: Reflected XSS vulnerabilit...
Status: RESOLVED FIXED
Alias: CVE-2016-6209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/NagiosEnterprises/...
Whiteboard: B4 [noglsa cve]
Keywords:
: 610646 (view as bug list)
Depends on: 605724
Blocks:
  Show dependency tree
 
Reported: 2016-06-14 10:32 UTC by Agostino Sarubbo
Modified: 2017-10-13 23:00 UTC (History)
6 users (show)

See Also:
Package list:
=net-analyzer/nagios-4.3.1 =net-analyzer/nagios-core-4.3.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-14 10:32:00 UTC
From ${URL} :

It was found that nagios is vulnerable to reflected XSS and phishing vector via corewindow.

Known via:

http://seclists.org/fulldisclosure/2016/Jun/20


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-29 22:43:28 UTC
Still not fixed. I created an upstream bug for that issue, see $URL.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-16 18:24:14 UTC
@ Maintainer(s): Upstream has addressed the problem via https://github.com/NagiosEnterprises/nagioscore/commit/78b7bdde3ab4dec265879ff1b4d49a398bf3ba9c which will be part of the next maintenance release. Keep in mind that they haven't fixed the issue, they just disabled the functionality per default.
Comment 3 Tomáš Mózes 2017-02-23 05:59:26 UTC
*** Bug 610646 has been marked as a duplicate of this bug. ***
Comment 4 Tomáš Mózes 2017-02-23 06:00:27 UTC
4.3.0 - 2017-02-21
------------------
SECURITY FIXES
* Fix for CVE-2016-6209 - The "corewindow" parameter (as in
  http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by
default. See the UPGRADING document for how to enable it. (John Frickson)
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-02-24 12:10:55 UTC
@ Maintainer(s): Please bump to >=net-analyzer/nagios-core-4.3.0 (4.3.1 is already available as of today).
Comment 6 Michael Orlitzky gentoo-dev 2017-02-25 19:29:42 UTC
Thanks for the heads up, I added the new version to the tree.

Beware that removal of nagios-3.x is still blocked on either bug #605724 or bug #600424.
Comment 7 Stabilization helper bot gentoo-dev 2017-02-27 15:01:05 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['net-analyzer/nagios-plugins']
> dependency.bad net-analyzer/nagios/nagios-4.3.1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0/desktop) ['net-analyzer/nagios-plugins']
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-02-27 15:30:19 UTC
Removing ia64 which was added on error.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-02-27 21:47:51 UTC
ppc ppc64 stable.
Comment 10 Tobias Klausmann gentoo-dev 2017-02-28 11:25:01 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-03-02 10:30:30 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-03-02 10:47:59 UTC
x86 stable
Comment 13 Jeroen Roovers gentoo-dev 2017-03-04 12:19:03 UTC
??
Comment 14 Agostino Sarubbo gentoo-dev 2017-03-04 14:02:27 UTC
sparc stable
Comment 15 Jeroen Roovers gentoo-dev 2017-03-08 05:16:06 UTC
Stable for HPPA.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-08 05:21:26 UTC
Arches, Thank you for your work.
No GLSA's for Cross-Site Scripting (XSS) as per policy. 

Maintainer(s), please drop the vulnerable version(s).
Comment 17 Michael Orlitzky gentoo-dev 2017-03-08 12:51:40 UTC
I dropped the vulnerable 4.x version, but we're stuck with 3.5.1 (see comment #6).
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-13 23:00:34 UTC
cleanup will be tracked in 628086