[pkg-nagios-changes] [Git][nagios-team/nagvis][master] 7 commits: Update branch in gbp.conf & Vcs-Git URL.

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Wed May 28 04:36:48 BST 2025



Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / nagvis


Commits:
d6a6d395 by Bas Couwenberg at 2025-05-23T15:08:39+02:00
Update branch in gbp.conf & Vcs-Git URL.

- - - - -
d0378701 by Bas Couwenberg at 2025-05-23T15:09:07+02:00
New upstream version 1.9.47
- - - - -
5da81df8 by Bas Couwenberg at 2025-05-23T15:09:12+02:00
Update upstream source from tag 'upstream/1.9.47'

Update to upstream version '1.9.47'
with Debian dir 3fe15ca93c14440e48a29b4ad4ed4fb62af7de9c
- - - - -
c6705c3d by Bas Couwenberg at 2025-05-23T15:09:29+02:00
New upstream release.

- - - - -
17c2799b by Bas Couwenberg at 2025-05-23T15:10:45+02:00
Set distribution to experimental.

- - - - -
5f754ac9 by Bas Couwenberg at 2025-05-28T05:33:24+02:00
Revert "Update branch in gbp.conf & Vcs-Git URL."

This reverts commit d6a6d395fdb5452cefab6a904eb83c9d141f455c.

- - - - -
cef121d0 by Bas Couwenberg at 2025-05-28T05:34:39+02:00
Move from experimental to unstable.

- - - - -


9 changed files:

- ChangeLog
- debian/changelog
- share/server/core/classes/CoreAuthorisationHandler.php
- share/server/core/classes/GlobalMapCfg.php
- share/server/core/classes/ViewMapAddModify.php
- share/server/core/defines/global.php
- share/server/core/functions/html.php
- share/server/core/functions/nagvisErrorHandler.php
- share/server/core/sources/dynmap.php


Changes:

=====================================
ChangeLog
=====================================
@@ -1,3 +1,10 @@
+1.9.47
+  * FIX: Don't show complete backtrace if crashing. Now the backtrace is being logged to the apache error log
+  * FIX: Fix potential XSS via WYSIWYG editor. Now the option to edit these such elements is moved to a specific
+   permission and only administrators can use this editor per default. (CVE-2024-47090)
+  * FIX: Fix possible livestatus injection via dynmaps (CVE-2024-38866) (#398 Thanks to Shortfinga)
+   (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L)
+
 1.9.46
   * Feature: add option to verify session cookie via curl. Before when having allow_url_fopen
     disabled, NagVis was not able to verify the session cookie. Now you can use curl to verify


=====================================
debian/changelog
=====================================
@@ -1,9 +1,18 @@
-nagvis (1:1.9.46-2) UNRELEASED; urgency=medium
+nagvis (1:1.9.47-1) unstable; urgency=medium
 
   * Team upload.
+  * Move from experimental to unstable.
+
+ -- Bas Couwenberg <sebastic at debian.org>  Wed, 28 May 2025 05:34:26 +0200
+
+nagvis (1:1.9.47-1~exp1) experimental; urgency=medium
+
+  * Team upload.
+  * New upstream release.
+    Fixes: CVE-2024-38866 & CVE-2024-47090.
   * Add Catalan debconf translation by Carles Pina i Estany.
 
- -- Bas Couwenberg <sebastic at debian.org>  Sun, 06 Apr 2025 09:17:12 +0200
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 23 May 2025 15:10:32 +0200
 
 nagvis (1:1.9.46-1) unstable; urgency=medium
 


=====================================
share/server/core/classes/CoreAuthorisationHandler.php
=====================================
@@ -53,6 +53,7 @@ class CoreAuthorisationHandler {
             'createObject' => 'edit',
             'deleteObject' => 'edit',
             'addModify' => 'edit',
+            'editHtml' => 'edit',
         ),
         'Overview' => Array(
             'getOverviewRotations' => 'view',
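Review bot: The new `'editHtml' => 'edit'` entry carries no comment saying what the action covers or who is meant to hold it, and it is given the same value as `addModify`. If this table resolves an action to the coarser permission named on the right (its name and consumer are outside the hunk), every role that already has Map edit rights would satisfy the editHtml checks introduced in ViewMapAddModify.php and html.php in this push, which is broader than the administrator-only default the ChangeLog describes. A one-line comment pinning the intent, e.g. `// editHtml: raw HTML/WYSIWYG editing of map objects (CVE-2024-47090); same level as addModify`, would make the expectation checkable against the role configuration. The enclosing array and class continue outside the hunk.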


=====================================
share/server/core/classes/GlobalMapCfg.php
=====================================
@@ -800,7 +800,7 @@ class GlobalMapCfg {
         if(isset($params['source_file']))
             unset($params['source_file']);
         $param_values = $this->paramsToString($params);
-        $cacheFile = cfg('paths','var').'source-'.$this->name.'.cfg-'.$param_values.'-'.$this->isView.'-'.CONST_VERSION.'.cache';
+        $cacheFile = cfg('paths','var').'source-'.$this->name.'.cfg-'.sha1($param_values.'-'.$this->isView.'-'.CONST_VERSION).'.cache';
         $CACHE = new GlobalFileCache(array(), $cacheFile);
 
         // 2a. Check if the cache file exists
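Review bot: Only the variable part of the cache name is hashed on the new line; `$this->name` still goes into the path verbatim, so the sha1 (presumably there to keep the file name bounded and free of characters coming from the parameter values) leaves the cache path dependent on whatever validation the map name receives elsewhere, which is not visible here. If that validation is relied upon, say so next to the line, e.g. `// map name is expected to be pre-validated; only params/view/version are hashed to keep the file name bounded`; otherwise fold the name into the sha1 as well. The sha1 is used purely as a compact key here, so no cryptographic property is required of it. The enclosing method starts and ends outside the hunk.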


=====================================
share/server/core/classes/ViewMapAddModify.php
=====================================
@@ -116,6 +116,11 @@ class ViewMapAddModify {
         $perm_user   = get_checkbox('perm_user');
         $show_dialog = false;
 
+        global $AUTHORISATION;
+        if(!$AUTHORISATION->isPermitted('Map', 'editHtml', '*')) {
+            throw new NagVisException(l('Cannot edit HTML. Please contact your administrator'));
+        }
+
         // Modification/Creation?
         // The object_id is known on modification. When it is not known 'type' is set
         // to create new objects
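Review bot: The new permission check runs unconditionally before the create/modify branching, so, as far as the hunk shows, a user without Map/editHtml is refused every add/modify submission, not only those that carry HTML content. If only the raw-HTML field (the textarea/WYSIWYG case the ChangeLog talks about) is meant to be gated, the check should sit where that field is processed or be guarded by the object type. Two smaller points: `$AUTHORISATION` is dereferenced without a null check, and the message differs from the one in html.php by the trailing period — use one wording for both, e.g. `throw new NagVisException(l('Cannot edit HTML. Please contact your administrator.'));`. The enclosing method starts and ends outside the hunk.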


=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.46');
+define('CONST_VERSION', '1.9.47');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports


=====================================
share/server/core/functions/html.php
=====================================
@@ -271,6 +271,11 @@ function textarea($name, $default = '', $class = '', $style = '') {
     if (submitted($form_name))
         $default = post($name, $default);
 
+    global $AUTHORISATION;
+    if(!$AUTHORISATION->isPermitted('Map', 'editHtml', '*')) {
+        echo '<b>Cannot edit HTML. Please contact your administrator.</b>';
+        return;
+    }
     // plain <textarea>
     echo '<textarea id="textarea_'.$name.'" name="'.$name.'"'.$class.$style.'>'.escape_html($default).'</textarea>'.N;
 
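Review bot: textarea() looks like a generic form helper (its signature carries nothing HTML-specific), so the new early return suppresses every textarea for users without Map/editHtml and may hide unrelated fields; if that is not intended, the check belongs with the HTML-editing caller. The fallback message is also the only user-visible string in this push not routed through `l()`, unlike the identical text in ViewMapAddModify.php: `echo '<b>'.l('Cannot edit HTML. Please contact your administrator.').'</b>';`. Hiding the editor here is a UI convenience only — the server-side check in ViewMapAddModify.php is what enforces the restriction — and a one-line comment saying so, e.g. `// UI only: enforcement is the editHtml check in ViewMapAddModify`, would keep the next reader from treating this as the control. The rest of textarea() is outside the hunk.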


=====================================
share/server/core/functions/nagvisErrorHandler.php
=====================================
@@ -37,7 +37,9 @@ function nagvisException($OBJ) {
             echo $OBJ;
         } else {
             echo "Error (".get_class($OBJ)."): ".$OBJ->getMessage();
-            var_dump(debug_backtrace());
+            echo "<br>";
+            echo "For more information check the apache error log.";
+            error_log(print_r(debug_backtrace(), true));
         }
 
         die();
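Review bot: `print_r(debug_backtrace(), true)` serialises every frame's arguments, so whatever values are on the call stack at crash time (form input, backend connection parameters, session data, depending on where the exception is raised) now land in the web server's error log, which is typically readable more widely than the application's own files. Passing `DEBUG_BACKTRACE_IGNORE_ARGS` keeps the call chain without the values, and prefixing the exception identity lets the log entry be matched to the page the user saw: `error_log('NagVis '.get_class($OBJ).': '.$OBJ->getMessage()."\n".print_r(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), true));`. The unchanged echo of `$OBJ->getMessage()` above it is still emitted unescaped, but that predates this commit. nagvisException() begins outside the hunk.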


=====================================
share/server/core/sources/dynmap.php
=====================================
@@ -7,7 +7,7 @@ function dynmap_get_objects($MAPCFG, $p) {
     $objects = array();
 
     $type = $p['dynmap_object_types'];
-    $filter = str_replace('\n', "\n", $p['dynmap_object_filter']);
+    $filter = preg_replace('/(\\\\n)+/', "\n", $p['dynmap_object_filter']);
     foreach($MAPCFG->getValue(0, 'backend_id') AS $backend_id) {
         $ret = $_BACKEND->getBackend($backend_id)->getObjects($type, '', '', $filter);
         // only use the internal names
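Review bot: The new regex only collapses runs of the two-character escape `\n`, so a real newline or CR/LF character in `dynmap_object_filter` is not normalised and could still sit next to an expanded `\n` and yield an empty line; whether the map config parser can deliver such characters inside a value is outside the hunk, but folding real line breaks into the same class is cheap: `$filter = preg_replace('/(\\\\n|\r?\n)+/', "\n", $p['dynmap_object_filter']);`. Each resulting line is still handed to the backend as-is, so the line should carry a comment stating what this normalisation guarantees and what it does not, e.g. `// collapse escaped newlines so the filter can never carry an empty line (CVE-2024-38866); per-line content is not validated here`. dynmap_get_objects() continues outside the hunk.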


