[pkg-nagios-changes] [Git][nagios-team/pkg-nagvis][upstream] New upstream version 1.9.29

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Sat Dec 11 16:33:47 GMT 2021



Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / pkg-nagvis


Commits:
3986967c by Bas Couwenberg at 2021-12-11T17:27:01+01:00
New upstream version 1.9.29
- - - - -


3 changed files:

- ChangeLog
- share/server/core/classes/ViewManageBackgrounds.php
- share/server/core/defines/global.php


Changes:

=====================================
ChangeLog
=====================================
@@ -1,3 +1,13 @@
+1.9.29
+Security:
+  * FIX: Fix possible deletion of arbitrary files (CVE-2021-33178)
+  An authenticated user with enough permissions to access the NagVis
+  ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the
+  server limited by the rights of the Apache system user. In OMD environments,
+  such as Checkmk, this is limited to files owned by the site user. In other
+  environments this may affect all files that are writable by the web server
+  user.
+
 1.9.28
 Frontend
   * Add support for svg image based icon sets (#298 Thanks to itsul)
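
Review bot: the 1.9.29 entry under "Security:" describes who can trigger CVE-2021-33178 and what can be deleted, but not what was changed to close it. Add a line stating that the background name submitted to ManageBackgrounds is now checked against the list of available backgrounds instead of being used to build a regular expression, so a reader of the ChangeLog knows what behaviour to verify after upgrading.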


=====================================
share/server/core/classes/ViewManageBackgrounds.php
=====================================
@@ -92,7 +92,7 @@ class ViewManageBackgrounds {
                 if (!$name)
                     throw new FieldInputError('name', l('Please choose a background'));
 
-                if (count($CORE->getAvailableBackgroundImages('/^'.preg_quote($name).'$/')) == 0)
+                if (!in_array($name, $CORE->getAvailableBackgroundImages()))
                     throw new FieldInputError('name', l('The background does not exist.'));
 
                 // Check whether or not the backgroun is in use
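
Review bot: the new existence check on the `+` line calls `in_array()` without its third argument, so `$name` is compared loosely (`==`) against each entry; pass `true` to require an exact string match: `if (!in_array($name, $CORE->getAvailableBackgroundImages(), true))`. With loose comparison, two numeric-looking strings such as `1e3` and `1000` are treated as equal, so a name that is not literally in the list can still pass the check that the ChangeLog ties to CVE-2021-33178. The removed line called `preg_quote($name)` without a delimiter argument, which leaves `/` unescaped inside a `/`-delimited pattern, so dropping the regex is the right direction. The code that uses `$name` after this check is not visible in this hunk; confirm it only operates on a value that passed the strict comparison. The context comment also has a typo ("backgroun") that could be fixed while this block is being touched.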


=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.28');
+define('CONST_VERSION', '1.9.29');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports



View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagvis/-/commit/3986967c3d650f289c6a6608a219ed5a6f4e4772
