[Pkg-nagios-devel] Bug#697931: Bug#697931: icinga: CVE-2012-6096

Michael Friedrich michael.friedrich at gmail.com
Sun Jan 13 23:04:47 UTC 2013

On 12.01.2013 18:14, Alexander Wirt wrote:
> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
>> Package: icinga
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>> This was assigned CVE-2012-6096:
>> http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
>> Fix:
>> http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't hat high, so I want to wait until the icinga team has an official
> patch.

Thanks to Markus Frosch who did the initial review of the Nagios patch 
by Eric Stanley, I've now uploaded 1.6.2, 1.7.4 and 1.8.4 to 
sourceforge. In regard of the CVE, this is considered to be fixed by 
these releases.
For Icinga in currently frozen Wheezy you'll likely need this patch - 
i've tested it against 1.7.1 which is the source here.

commit fc05df71d707c2692d07d4324c9061aad8f68ecf
Author: Michael Friedrich <michael.friedrich at netways.de>
Date:   Sun Jan 13 22:10:10 2013 +0100

     possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

     refs #3532



Just a final note on the duplicated cve bug for both nagios and icinga - 
it would be nice to have the cve reproduced for both in the first place, 
before remarking bugs on the icinga code which have not been verified 
completely, neither by the reporter nor by icinga dev team itsself. A 
bug report upstream would have been nice as well, this has been now done 
with https://dev.icinga.org/issues/3532

Kind regards,

DI (FH) Michael Friedrich

mail:     michael.friedrich at gmail.com
twitter:  https://twitter.com/dnsmichi
jabber:   dnsmichi at jabber.ccc.de
irc:      irc.freenode.net/icinga dnsmichi

icinga open source monitoring
position: lead core developer
url:      https://www.icinga.org

More information about the Pkg-nagios-devel mailing list