[Secure-testing-commits] r47154 - data/CVE
Antoine Beaupré
anarcat at moszumanska.debian.org
Fri Dec 16 22:15:04 UTC 2016
Author: anarcat
Date: 2016-12-16 22:15:04 +0000 (Fri, 16 Dec 2016)
New Revision: 47154
Modified:
data/CVE/list
Log:
Summary: clarify nagios' vulnerabilities after my tests
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-12-16 21:53:53 UTC (rev 47153)
+++ data/CVE/list 2016-12-16 22:15:04 UTC (rev 47154)
@@ -8032,6 +8032,7 @@
- nagios3 <removed>
NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4
NOTE: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
+ NOTE: nagios < 3.5 is not vulnerable through the regular logfile, but through the debug logfile
CVE-2016-9565 [Curl Command Injection]
RESERVED
- nagios3 3.5.1-1
@@ -8039,6 +8040,7 @@
NOTE: The RSS feed and call-home was removed in src:nagios3 3.5.1-1 where the affected
NOTE: function was removed.
NOTE: The scope of the CVE is specific to Nagios.
+ NOTE: impact lessened by the hardened permissions in Debian: files can be extracted, but no backdoor can be installed as the web root is not writable
CVE-2016-9564 (Buffer overflow in send_redirect() in Boa Webserver 0.92r allows ...)
- boa <not-affected> (the vuln was removed in 0.93.14)
NOTE: http://www.ljcusack.io/cve-2016-9564-stack-based-buffer-overflow-in-boa-0-dot-92r
More information about the Secure-testing-commits
mailing list