Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 727662 (CVE-2020-13977) - <net-analyzer/nagios-4.4.6: URL injection (post-authentication) vulnerability (CVE-2020-13977)
Summary: <net-analyzer/nagios-4.4.6: URL injection (post-authentication) vulnerability...
Status: RESOLVED FIXED
Alias: CVE-2020-13977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-09 13:58 UTC by Sam James
Modified: 2020-06-18 03:19 UTC (History)
2 users (show)

See Also:
Package list:
=net-analyzer/nagios-4.4.6 =net-analyzer/nagios-core-4.4.6
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-06-09 13:58:00 UTC
Description:
"Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files."
Comment 1 Sam James archtester gentoo-dev Security 2020-06-09 13:58:45 UTC
@maintainer(s), please bump to 4.4.6.
Comment 2 Michael Orlitzky gentoo-dev 2020-06-09 19:33:31 UTC
Already added a month ago, feel free to stabilize.
Comment 3 Sam James archtester gentoo-dev Security 2020-06-09 19:43:36 UTC
(In reply to Michael Orlitzky from comment #2)
> Already added a month ago, feel free to stabilize.

Thank you! Sorry, not sure how I missed it earlier.
Comment 4 NATTkA bot gentoo-dev 2020-06-09 19:44:38 UTC
Sanity check failed:

> net-analyzer/nagios-4.4.6
>   rdepend amd64 stable profile default/linux/amd64/17.0 (66 total)
>     ~net-analyzer/nagios-core-4.4.6
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     ~net-analyzer/nagios-core-4.4.6
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-10 13:02:20 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-11 08:27:04 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-11 08:30:30 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-11 08:32:40 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-11 08:35:51 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Larry the Git Cow gentoo-dev 2020-06-11 12:34:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f9c50e93d99e5afbddadfa6373e5637ff5a6e3

commit 40f9c50e93d99e5afbddadfa6373e5637ff5a6e3
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-11 12:29:42 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-11 12:31:50 +0000

    net-analyzer/nagios-core: remove old version subject to CVE-2020-13977.
    
    Bug: https://bugs.gentoo.org/727662
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 net-analyzer/nagios-core/Manifest                  |   1 -
 .../nagios-core/nagios-core-4.4.5-r6.ebuild        | 242 ---------------------
 2 files changed, 243 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01331133cc7b2bf1a859749a8e3d9902ac46be4c

commit 01331133cc7b2bf1a859749a8e3d9902ac46be4c
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-11 12:28:24 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-11 12:31:50 +0000

    net-analyzer/nagios: remove old version vulnerable to CVE-2020-13977.
    
    Bug: https://bugs.gentoo.org/727662
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 net-analyzer/nagios/nagios-4.4.5.ebuild | 15 ---------------
 1 file changed, 15 deletions(-)