Your message dated Mon, 08 Dec 2008 03:02:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504894: fixed in nagios3 3.0.6-1
has caused the Debian Bug report #504894,
regarding CVE-2008-5028: Nagios "cmd.cgi" cross-site request forgery
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504894: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504894
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: nagios3
Severity: grave
Tags: security patch
Hi,
The following SA (Secunia Advisory) id was published for Nagios.
SA32610[1]:
> Andreas Ericsson has discovered a vulnerability in Nagios, which can be
> exploited by malicious people to conduct cross-site request forgery
> attacks.
>
> The application allows users to perform certain actions via HTTP requests
> to "cmd.cgi" without performing any validity checks to verify the request.
> This can be exploited to execute certain Nagios commands (e.g. to disable
> notifications) when a logged-in administrator visits a malicious web site.
>
> The vulnerability is confirmed in version 3.0.5. Other versions may also be
> affected.
A proposed patch is available at [2].
If you fix the vulnerability please also make sure to include the SA id (or
the CVE id when one is assigned) in the changelog entry.
[1] http://secunia.com/Advisories/32610/
[2] http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
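The advisory quoted in the report above says cmd.cgi acted on requests "without performing any validity checks to verify the request". As an added illustration (not Nagios code and not the upstream patch referenced as [2], whose contents are not shown here), the following C sketch shows one such check for a CGI command handler: accept only POST, and only when the Origin or Referer header names the monitoring site itself. The function names and the origin `https://monitor.example` are assumptions made for this example; a per-session request token is the usual complementary control.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the "scheme://host[:port]" prefix of url, or 0 if malformed. */
static size_t origin_len(const char *url)
{
    const char *p = strstr(url, "://");
    if (p == NULL || p == url)
        return 0;
    p += 3;
    size_t host = strcspn(p, "/?#");
    return host == 0 ? 0 : (size_t)(p - url) + host;
}

/* 1 when url's origin equals expected exactly (case-insensitive). A whole-
 * origin comparison rejects look-alikes such as monitor.example.other.example. */
static int same_origin(const char *url, const char *expected)
{
    size_t n = origin_len(url);
    if (n == 0 || n != strlen(expected))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)url[i]) != tolower((unsigned char)expected[i]))
            return 0;
    return 1;
}

/* Hypothetical gate for a state-changing CGI: 1 = proceed, 0 = reject. */
int command_request_allowed(const char *method, const char *origin,
                            const char *referer, const char *expected)
{
    if (method == NULL || strcmp(method, "POST") != 0)
        return 0;               /* commands are never accepted over GET */
    if (origin != NULL && *origin != '\0')
        return same_origin(origin, expected);   /* Origin wins if present */
    if (referer != NULL && *referer != '\0')
        return same_origin(referer, expected);
    return 0;                   /* neither header sent: fail closed */
}

int main(void)
{
    /* A CGI receives request metadata in these environment variables.
     * "https://monitor.example" is a constructed value for this example. */
    int ok = command_request_allowed(getenv("REQUEST_METHOD"), getenv("HTTP_ORIGIN"),
                                     getenv("HTTP_REFERER"), "https://monitor.example");
    puts(ok ? "Status: 200 OK\n" : "Status: 403 Forbidden\n");
    return ok ? 0 : 1;
}
```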
--- Begin Message ---
Source: nagios3
Source-Version: 3.0.6-1
We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive:
nagios3-common_3.0.6-1_all.deb
to pool/main/n/nagios3/nagios3-common_3.0.6-1_all.deb
nagios3-dbg_3.0.6-1_amd64.deb
to pool/main/n/nagios3/nagios3-dbg_3.0.6-1_amd64.deb
nagios3-doc_3.0.6-1_all.deb
to pool/main/n/nagios3/nagios3-doc_3.0.6-1_all.deb
nagios3_3.0.6-1.diff.gz
to pool/main/n/nagios3/nagios3_3.0.6-1.diff.gz
nagios3_3.0.6-1.dsc
to pool/main/n/nagios3/nagios3_3.0.6-1.dsc
nagios3_3.0.6-1_amd64.deb
to pool/main/n/nagios3/nagios3_3.0.6-1_amd64.deb
nagios3_3.0.6.orig.tar.gz
to pool/main/n/nagios3/nagios3_3.0.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Wirt <[EMAIL PROTECTED]> (supplier of updated nagios3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Mon, 08 Dec 2008 02:51:21 +0100
Source: nagios3
Binary: nagios3-common nagios3 nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <[EMAIL PROTECTED]>
Changed-By: Alexander Wirt <[EMAIL PROTECTED]>
Description:
nagios3 - A host/service/network monitoring and management system
nagios3-common - support files for nagios3
nagios3-dbg - debugging symbols and debug stuff for nagios3
nagios3-doc - documentation for nagios3
Closes: 504894 505813 506851
Changes:
nagios3 (3.0.6-1) unstable; urgency=high
.
* New upstream version
- Even more fixes for CVE-2008-5028
* Urgency high for security fixes
* Add ${shlibs:Depends} (Fixes lintian error, as the epn debugger
should depend on libc)
* Add ${misc:Depends} to binaries (Fixes lintian warning)
.
nagios3 (3.0.5-1) unstable; urgency=low
.
[ Christian Perrier ]
* Fix pending l10n issues. Debconf translations:
- Italian. Closes: #505813
- Polish. Closes: #506851
.
[ Alexander Wirt ]
* New upstream version
- Adds security fix for cmd.cgi (Closes: #504894)
This security problem is referenced as CVE-2008-5028 and SA32610
--- End Message ---