[pkg-nagios-changes] [Git][nagios-team/pkg-nagvis][master] 4 commits: New upstream version 1.9.29

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Sat Dec 11 16:33:44 GMT 2021



Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / pkg-nagvis


Commits:
3986967c by Bas Couwenberg at 2021-12-11T17:27:01+01:00
New upstream version 1.9.29
- - - - -
e9cd83e4 by Bas Couwenberg at 2021-12-11T17:27:09+01:00
Update upstream source from tag 'upstream/1.9.29'

Update to upstream version '1.9.29'
with Debian dir ed8a1d6af549d752d6f6d3cad9c4685dd2890ff7
- - - - -
ef986596 by Bas Couwenberg at 2021-12-11T17:28:19+01:00
New upstream release.

Fixes CVE-2021-33178.

- - - - -
3c878a4b by Bas Couwenberg at 2021-12-11T17:29:19+01:00
Set distribution to unstable.

- - - - -


4 changed files:

- ChangeLog
- debian/changelog
- share/server/core/classes/ViewManageBackgrounds.php
- share/server/core/defines/global.php


Changes:

=====================================
ChangeLog
=====================================
@@ -1,3 +1,13 @@
+1.9.29
+Security:
+  * FIX: Fix possible deletion of arbitrary files (CVE-2021-33178)
+  An authenticated user with enough permissions to access the NagVis
+  ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the
+  server limited by the rights of the Apache system user. In OMD environments,
+  such as Checkmk, this is limited to files owned by the site user. In other
+  environments this may affect all files that are writable by the web server
+  user.
+
 1.9.28
 Frontend
   * Add support for svg image based icon sets (#298 Thanks to itsul)


=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+nagvis (1:1.9.29-1) unstable; urgency=high
+
+  * Team upload.
+  * New upstream release.
+    - Fixes CVE-2021-33178.
+
+ -- Bas Couwenberg <sebastic at debian.org>  Sat, 11 Dec 2021 17:28:26 +0100
+
 nagvis (1:1.9.28-1) unstable; urgency=medium
 
   * Team upload.


=====================================
share/server/core/classes/ViewManageBackgrounds.php
=====================================
@@ -92,7 +92,7 @@ class ViewManageBackgrounds {
                 if (!$name)
                     throw new FieldInputError('name', l('Please choose a background'));
 
-                if (count($CORE->getAvailableBackgroundImages('/^'.preg_quote($name).'$/')) == 0)
+                if (!in_array($name, $CORE->getAvailableBackgroundImages()))
                     throw new FieldInputError('name', l('The background does not exist.'));
 
                 // Check whether or not the backgroun is in use
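Review bot: the new check `if (!in_array($name, $CORE->getAvailableBackgroundImages()))` calls `in_array` without the third `$strict` argument, so the comparison is loose; with two strings this only bites for numeric-looking names (PHP treats `"1e3" == "1000"` as true), but passing `true` costs nothing and makes the whitelist exact: `if (!in_array($name, $CORE->getAvailableBackgroundImages(), true))`. The direction of the change is right: the removed line built a regex from request input via `preg_quote($name)` with no delimiter argument, so a `/` in `$name` would not have been escaped and would have broken the `/^...$/` pattern, whereas testing `$name` against the returned list avoids constructing a pattern from user input at all. Also, the unchanged comment two lines below misspells "background" as "backgroun"; worth correcting while this block is being touched.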


=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.28');
+define('CONST_VERSION', '1.9.29');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports



View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagvis/-/compare/15ab4bd0470b58725ba4e8f2d23c57a616f859d8...3c878a4bc64c89a866c779a1eddf5c2a13251f8d

-- 
You're receiving this email because of your account on salsa.debian.org.



