[Pkg-nagios-devel] Bug#697931: Bug#697931: icinga: CVE-2012-6096
Michael Friedrich
michael.friedrich at gmail.com
Sun Jan 13 23:04:47 UTC 2013
On 12.01.2013 18:14, Alexander Wirt wrote:
> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
>
>> Package: icinga
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> This was assigned CVE-2012-6096:
>> http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
>>
>> Fix:
>> http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.

Thanks to Markus Frosch who did the initial review of the Nagios patch
by Eric Stanley, I've now uploaded 1.6.2, 1.7.4 and 1.8.4 to
sourceforge. With regard to the CVE, this is considered to be fixed by
these releases.

For Icinga in the currently frozen Wheezy you'll likely need this patch -
I've tested it against 1.7.1 which is the source here.

commit fc05df71d707c2692d07d4324c9061aad8f68ecf
Author: Michael Friedrich <michael.friedrich at netways.de>
Date:   Sun Jan 13 22:10:10 2013 +0100

    possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

    refs #3532

    Conflicts:
        cgi/cgiutils.c
        cgi/status.c

https://git.icinga.org/?p=icinga-core.git;a=commit;h=46f55574afa934f9e0bce5e9aac7f45530ff0058

Just a final note on the duplicated CVE bug for both nagios and icinga -
it would be nice to have the CVE reproduced for both in the first place,
before remarking bugs on the icinga code which have not been verified
completely, neither by the reporter nor by icinga dev team itself. A
bug report upstream would have been nice as well, this has now been done
with https://dev.icinga.org/issues/3532

Kind regards,
Michael
--
DI (FH) Michael Friedrich
mail: michael.friedrich at gmail.com
twitter: https://twitter.com/dnsmichi
jabber: dnsmichi at jabber.ccc.de
irc: irc.freenode.net/icinga dnsmichi
icinga open source monitoring
position: lead core developer
url: https://www.icinga.org