[Pkg-nagios-devel] Fixing CVE-2016-9566 in Icinga & Nagios

Sebastiaan Couwenberg sebastic at xs4all.nl
Fri Dec 23 09:17:34 UTC 2016

Hi all,

Icinga upstream has released bugfix releases for the various Icinga 1.x
branches fixing CVE-2016-9566. [0]

I've updated the package to 1.13.4 for unstable, although we can
consider updating to 1.14.0 too. 1.13.4 was the least invasive choice
since it only contains the fix for CVE-2016-9566.

That still leaves icinga 1.11.6-1 in jessie and 1.7.1-7 in wheezy to fix.

The LTS team has already fixed nagios3 for wheezy, which leaves
3.5.1.dfsg-2 in jessie and 3.5.1.dfsg-2.2 in stretch affected.

nagios3 3.5.1.dfsg-2.2 should really be removed from testing, but some
reverse dependencies (nagios2mantis specifically) are still preventing
that. [1][2]

I can prepare security updates for the icinga packages in jessie &
wheezy, as well as the nagios3 packages unless others want to help out
to spread the work.

[0] https://security-tracker.debian.org/tracker/CVE-2016-9566
[2] https://release.debian.org/britney/update_output.txt

Kind Regards,


 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

More information about the Pkg-nagios-devel mailing list