[Pkg-nagios-devel] Bug#742689: check-mk: more CVE info
Matt Taggart
taggart at debian.org
Fri Jan 9 20:09:46 UTC 2015
I am looking at the CVEs in #742689.
The URL listed
http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt
lists 7 problems, but claims that upstream 1.2.2p3 (in sid) fixed 5
of them. The remaining 2 are:
5) Missing CSRF (Cross-Site Request Forgery) token allows execution
of arbitrary commands (CVE-2014-2330)
6) Multiple use of exec-like function calls which allow arbitrary
commands (CVE-2014-2331)
These CVE numbers appear to be reserved, but I can't find any details
other than the brief mention in
http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt
Most of the links on
https://security-tracker.debian.org/tracker/CVE-2014-2330
https://security-tracker.debian.org/tracker/CVE-2014-2331
don't give any info, the Red Hat link is for the full set of things and
it's not clear to me if they fixed these explicitly. Maybe the brief
descriptions on the packetstormsecurity page will be enough for someone
on the security team to determine if there is anything to be done.
Thanks,
--
Matt Taggart
taggart at debian.org