[Pkg-nagios-devel] Fixing CVE-2016-9566 in Icinga & Nagios

Alexander Wirt formorer at formorer.de
Fri Dec 23 10:03:18 UTC 2016


On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:

> On 12/23/2016 10:46 AM, Alexander Wirt wrote:
> > On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
> > 
> >> On 12/23/2016 10:32 AM, Alexander Wirt wrote:
> >>> On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
> >>>> Icinga upstream has released bugfix releases for the various Icinga 1.x
> >>>> branches fixing CVE-2016-9566. [0]
> >>>>
> >>>> I've updated the package to 1.13.4 for unstable, although we can
> >>>> consider updating to 1.14.0 too. 1.13.4 was the least invasive choice
> >>>> since it only contains the fix for CVE-2016-9566.
> >>>
> >>> Didn't I ask you NOT to touch icinga?
> >>>
> >>> We - Markus and I - are part of upstream and will handle those things on our
> >>> own. 
> >>>
> >>> I am a little bit annoyed that you touched icinga.
> >>
> >> Fine, I'll never touch icinga again.
> >>
> >> Very disappointing.
> >
> > I asked you in a friendly way, in advance, to talk to us before touching the package
> > and you refused that wish. What do you expect?
> 
> People being glad to get help.
I do really, really appreciate your work and it is really needed for most of
the pkg-nagios packages.

> The fact that the LTS team fixed the CVE before the maintainers is not
> encouraging.
The bug is far from being critical and the security team decided that this is
not critical and does not warrant a DSA. Therefore we decided to release a
new upstream version first and I scheduled an upload for today. Yesterday I
was busy celebrating my birthday. Under normal circumstances, new versions
get uploaded the same day they get released.

> The packages maintained by the Nagios team are not in great shape, which
> I suspected was caused by the maintainers being too busy with real life
> to deal with the packages.
As you may have seen, we usually take a lot of care with icinga. But you are right,
several of the packages need work.

> Now I'm starting to think your attitude is scaring away contributors.
I asked you in a friendly way to ask before touching icinga. I don't think such a
friendly request scares away contributors. In fact it prevents doubled
work.

Alex



