[Pkg-nagios-devel] pu: package nagios3/3.4.1-3+deb7u1

Jonas Meurer jonas at freesources.org
Fri Nov 1 14:45:45 UTC 2013


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

the nagios3 package in wheezy suffers from at least one minor security
bug and a regression. I prepared nagios3/3.4.1+deb7u1 for wheezy
proposed-updates in order to fix both of them.

Additionally two non-intrusive fixes in the initscript are included: a
typo and another regression.

I consider the fixes for #680615 and #714171 as pretty important. Thus I
suggest pushing the pu to wheezy-updates.

So do you agree to upload the prepared packages to pu? And furthermore,
do you agree to push it to wheezy-updates as well?

Below is the changelog; please find the full debdiff attached.

nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low

  * Backport the following changes to wheezy:
  * [cd50049] Add missing check command in initscript (Closes: #680615)
  * [77c9d0e] Fix typo in initscript
  * [a2c78a1] Stop status.cgi from listing unauthorized hosts and
services in servicegroup view (CVE-2013-2214)
    Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
  * [51fb59b] Backport upstream r1953 to fix downtime retention across
restarts.
    Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)

 -- Jonas Meurer <mejo at debian.org>  Fri, 01 Nov 2013 14:32:18 +0100


Kind regards,
 jonas

-------------- next part --------------
diff -u nagios3-3.4.1/debian/changelog nagios3-3.4.1/debian/changelog
--- nagios3-3.4.1/debian/changelog
+++ nagios3-3.4.1/debian/changelog
@@ -1,3 +1,15 @@
+nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low
+
+  * Backport the following changes to wheezy:
+  * [cd50049] Add missing check command in initscript (Closes: #680615)
+  * [77c9d0e] Fix typo in initscript
+  * [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in servicegroup view (CVE-2013-2214)
+    Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
+  * [51fb59b] Backport upstream r1953 to fix downtime retention across restarts.
+    Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)
+
+ -- Jonas Meurer <mejo at debian.org>  Fri, 01 Nov 2013 14:32:18 +0100
+
 nagios3 (3.4.1-3) unstable; urgency=low
 
   * Fix several overflows in getcgi.cgi and history.cgi
diff -u nagios3-3.4.1/debian/nagios3-common.nagios3.init nagios3-3.4.1/debian/nagios3-common.nagios3.init
--- nagios3-3.4.1/debian/nagios3-common.nagios3.init
+++ nagios3-3.4.1/debian/nagios3-common.nagios3.init
@@ -126,7 +126,7 @@
 start () {
 
   if [ "$ENABLED" = "no"  ]; then
-	  log_warning_msg "Not starting Nagios3 - set ENABLED to yes in /etc/defrault/nagios3"
+	  log_warning_msg "Not starting Nagios3 - set ENABLED to yes in /etc/default/nagios3"
 	  exit 0
   fi
 
@@ -212,6 +212,10 @@
  fi
 }
 
+check() {
+    $DAEMON -v $NAGIOSCFG
+}
+
 case "$1" in
   start)
     log_daemon_msg "Starting $DESC" "$NAME"
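Review bot: check() expands $NAGIOSCFG unquoted, so a configuration path containing whitespace would be split into several arguments; `$DAEMON -v "$NAGIOSCFG"` is the safe form and is what the rest of the script should use for any path variable. The hunk also only defines the function: the surrounding context shows `case "$1" in` and the `start)` branch but no `check)` branch, so please confirm that the dispatch already exists (the changelog entry describes this as adding a missing check command, which suggests the action was being dispatched to an undefined function) and that it propagates the exit status of `$DAEMON -v`, since that status is what makes the check action usable as a gate before a restart.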
diff -u nagios3-3.4.1/debian/patches/00list nagios3-3.4.1/debian/patches/00list
--- nagios3-3.4.1/debian/patches/00list
+++ nagios3-3.4.1/debian/patches/00list
@@ -11,0 +12,2 @@
+99_security_status_cgi_servicegroup.dpatch
+999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
only in patch2:
unchanged:
--- nagios3-3.4.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch
+++ nagios3-3.4.1/debian/patches/99_security_status_cgi_servicegroup.dpatch
@@ -0,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer <jmeurer at inet.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Stop cgi-bin/status.c from listing unauthorized hosts and
+## DP:				services in servicegroup view
+## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c
+--- nagios3-3.4.1~/cgi/status.c	2012-02-13 21:40:42.000000000 +0100
++++ nagios3-3.4.1/cgi/status.c	2013-06-26 16:52:37.668132234 +0200
+@@ -2534,6 +2534,10 @@
+ 		if(temp_host == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this host */
++		if(is_authorized_for_host(temp_host, &current_authdata) == FALSE)
++			continue;
++
+ 		/* skip this if it isn't a new host... */
+ 		if(temp_host == last_host)
+ 			continue;
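Review bot: the authorization guard sits ahead of the `temp_host == last_host` de-duplication test, which is the right order: an unauthorized host is skipped before it can become last_host, so it neither appears in the listing nor suppresses the next authorized host with the same pointer. One thing to confirm is that `current_authdata` has been filled in (get_authentication_information()) before this display function runs; the new checks silently hide everything if it has not, which would look like an empty servicegroup rather than a permission problem.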
+@@ -2739,6 +2743,10 @@
+ 		if(temp_host == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this host */
++		if(is_authorized_for_host(temp_host, &current_authdata) == FALSE)
++			continue;
++
+ 		/* skip this if it isn't a new host... */
+ 		if(temp_host == last_host)
+ 			continue;
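Review bot: this is the second verbatim copy of the same four-line host guard, and the same block appears twice more below; since all four must stay in sync on the next rebase, a one-line comment naming the CVE in each copy (or a small helper) would make it easier to verify that none of the servicegroup loops was missed. Note also that is_authorized_for_host() is a host-level gate, so a user who is a contact for a service in the group but not for its host will not see that host row here; worth confirming that this matches what the equivalent hostgroup views already do before relying on it.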
+@@ -2918,6 +2926,10 @@
+ 		if(temp_service == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this service */
++		if(is_authorized_for_service(temp_service, &current_authdata) == FALSE)
++			continue;
++
+ 		/* find the service status */
+ 		temp_servicestatus = find_servicestatus(temp_service->host_name, temp_service->description);
+ 		if(temp_servicestatus == NULL)
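Review bot: for the service loop the guard uses is_authorized_for_service() and is placed before find_servicestatus(), so a hidden service costs no status lookup and the `temp_servicestatus == NULL` path below is never reached for it; that is the cheaper and cleaner ordering and matches the host loops above, where the guard also comes before any per-object work.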
+@@ -3270,6 +3282,10 @@
+ 		if(temp_host == NULL)
+ 			continue;
+ 
++		/* make sure user has rights to view this host */
++		if(is_authorized_for_host(temp_host, &current_authdata) == FALSE)
++			continue;
++
+ 		/* get the status of the host */
+ 		temp_hoststatus = find_hoststatus(temp_host->name);
+ 		if(temp_hoststatus == NULL)
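Review bot: last of the four guards, same shape as the others, fine. Two header nits for this dpatch: the `## DP:` description says cgi-bin/status.c while the file actually patched is cgi/status.c, and the header records the upstream tracker link but not CVE-2013-2214, so the changelog is currently the only place that ties this patch to the CVE; putting the id next to the tracker URL would help future audits of the patch series.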
only in patch2:
unchanged:
--- nagios3-3.4.1.orig/debian/patches/999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
+++ nagios3-3.4.1/debian/patches/999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
@@ -0,0 +1,74 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## daemon downtime: Handle loading effective downtime from retention
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: From 9f18395268dda948265722984097735d48d72197 Mon Sep 17 00:00:00 2001
+## DP: From: Andreas Ericsson <ae at op5.se>
+## DP: Date: Wed, 6 Jun 2012 09:38:06 +0000
+## DP: Subject: [PATCH] daemon downtime: Handle loading effective downtime from
+## DP:  retention
+## DP: 
+## DP: Without this patch, Nagios would forget about downtime that starts
+## DP: before the core is stopped and ends after the core is restarted.
+## DP: 
+## DP: According to testers, the original problem with notifications being
+## DP: re-sent does not crop up again when this patch is applied.
+## DP: 
+## DP: Tested-by: Mark Elsen <mark.elsen at gmail.com>
+## DP: Tested-by: Phil Randal <phil.randal at hoopleltd.co.uk>
+## DP: Patched-by: Carlos Velasco <carlos.velasco at nimastelecom.com>
+## DP: Signed-off-by: Andreas Ericsson <ae at op5.se>
+## DP: 
+## DP: git-svn-id: https://nagios.svn.sourceforge.net/svnroot/nagios/nagioscore/trunk@1953 5f96b256-904b-4d8d-8c98-d829582c6739
+## DP: ---
+## DP:  THANKS            |  1 +
+## DP:  common/downtime.c | 31 +++++++++++++++++++++++++++----
+## DP:  2 files changed, 28 insertions(+), 4 deletions(-)
+
+ at DPATCH@
+diff --git a/common/downtime.c b/common/downtime.c
+index 09a0333..0193c50 100644
+--- a/common/downtime.c
++++ b/common/downtime.c
+@@ -401,11 +401,34 @@ int handle_scheduled_downtime(scheduled_downtime *temp_downtime) {
+ 		}
+ 
+ 	/* if downtime handler gets triggerd in between then there seems to be a restart */
+-	/* Don't do anything just return */
+-	time( &current_time);
+-	if( temp_downtime->start_time < current_time && current_time < temp_downtime->end_time && temp_downtime->is_in_effect == TRUE)
+-		return OK;
++	time(&current_time);
++	if(temp_downtime->start_time < current_time && current_time < temp_downtime->end_time && temp_downtime->is_in_effect == TRUE) {
++#ifdef USE_EVENT_BROKER
++		/* send data to event broker */
++		broker_downtime_data(NEBTYPE_DOWNTIME_START, NEBFLAG_NONE, NEBATTR_NONE, temp_downtime->type, temp_downtime->host_name, temp_downtime->service_description, temp_downtime->entry_time, temp_downtime->author, temp_downtime->comment, temp_downtime->start_time, temp_downtime->end_time, temp_downtime->fixed, temp_downtime->triggered_by, temp_downtime->duration, temp_downtime->downtime_id, NULL);
++#endif
++
++		/* increment the downtime depth variable */
++		if(temp_downtime->type == HOST_DOWNTIME) {
++			hst->scheduled_downtime_depth++;
++			update_host_status(hst, FALSE);
++			}
++		else {
++			svc->scheduled_downtime_depth++;
++			update_service_status(svc, FALSE);
++			}
+ 
++		/* schedule an event */
++		if(temp_downtime->fixed == FALSE)
++			event_time = (time_t)((unsigned long)time(NULL) + temp_downtime->duration);
++		else
++			event_time = temp_downtime->end_time;
++		if((new_downtime_id = (unsigned long *)malloc(sizeof(unsigned long)))) {
++			*new_downtime_id = temp_downtime->downtime_id;
++			schedule_new_event(EVENT_SCHEDULED_DOWNTIME, TRUE, event_time, FALSE, 0, NULL, FALSE, (void *)new_downtime_id, NULL, 0);
++			}
++		return OK;
++		}
+ 
+ 	/* have we come to the end of the scheduled downtime? */
+ 	if(temp_downtime->is_in_effect == TRUE) {
+-- 
+1.8.2
+
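Review bot: in the new in-effect branch, the flexible-downtime case (`temp_downtime->fixed == FALSE`) schedules the end event at `time(NULL) + temp_downtime->duration`, so a flexible downtime that was already running before the restart is granted its full duration again afterwards rather than the remainder; the original trigger time is not available at this point, so that may be the best approximation possible, but it deserves a comment in the code and a sentence in the changelog. If the malloc() for new_downtime_id fails, the branch still reaches `return OK` with scheduled_downtime_depth already incremented and no end event scheduled, leaving the object in downtime until the next restart; a log line on that path would at least make it diagnosable. Finally, the `## DP:` diffstat still lists `THANKS | 1 +` although only common/downtime.c is carried in this backport, so the stat block is stale.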