On 12.01.2013 18:14, Alexander Wirt wrote:
> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
>> Package: icinga
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>> This was assigned CVE-2012-6096:
>> http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
>> Fix:
>> http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.
Thanks to Markus Frosch who did the initial review of the Nagios patch
by Eric Stanley, I've now uploaded 1.6.2, 1.7.4 and 1.8.4 to
sourceforge. In regard to the CVE, this is considered to be fixed by
these releases.
For Icinga in the currently frozen Wheezy you'll likely need this patch -
I've tested it against 1.7.1 which is the source here.
commit fc05df71d707c2692d07d4324c9061aad8f68ecf
Author: Michael Friedrich <michael.friedr...@netways.de>
Date: Sun Jan 13 22:10:10 2013 +0100
possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes
refs #3532
Conflicts:
cgi/cgiutils.c
cgi/status.c
https://git.icinga.org/?p=icinga-core.git;a=commit;h=46f55574afa934f9e0bce5e9aac7f45530ff0058
Just a final note on the duplicated CVE bug for both nagios and icinga -
it would be nice to have the CVE reproduced for both in the first place,
before remarking bugs on the icinga code which have not been verified
completely, neither by the reporter nor by the icinga dev team itself. A
bug report upstream would have been nice as well; this has now been done
with https://dev.icinga.org/issues/3532
Kind regards,
Michael
--
DI (FH) Michael Friedrich
mail: michael.friedr...@gmail.com
twitter: https://twitter.com/dnsmichi
jabber: dnsmi...@jabber.ccc.de
irc: irc.freenode.net/icinga dnsmichi
icinga open source monitoring
position: lead core developer
url: https://www.icinga.org