[Pkg-nagios-devel] Fixing CVE-2016-9566 in Icinga & Nagios
formorer at formorer.de
Fri Dec 23 10:03:18 UTC 2016
On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
> On 12/23/2016 10:46 AM, Alexander Wirt wrote:
> > On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
> >> On 12/23/2016 10:32 AM, Alexander Wirt wrote:
> >>> On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
> >>>> Icinga upstream has released bugfix releases for the various Icinga 1.x
> >>>> branches fixing CVE-2016-9566. 
> >>>> I've updated the package to 1.13.4 for unstable, although we can
> >>>> consider updating to 1.14.0 too. 1.13.4 was the least invasive choice
> >>>> since it only contains the fix for CVE-2016-9566.
> >>> Didn't I ask you NOT to touch icinga?
> >>> We - Markus and I - are part of upstream and will handle those things on our
> >>> own.
> >>> I am a little bit annoyed that you touched icinga.
> >> Fine, I'll never touch icinga again.
> >> Very disappointing.
> > I asked you in a friendly way in advance to talk to us before touching the package
> > and you refused that wish. What do you expect?
> People being glad to get help.
I do really, really appreciate your work and it is really needed for most of
the pkg-nagios packages.
> The fact that the LTS team fixed the CVE before the maintainers is not
The bug is far from being critical and the security team decided that this is
not critical and does not warrant a DSA. Therefore we decided to release a
new upstream version first and I scheduled an upload for today. Yesterday I
was busy celebrating my birthday. Under normal circumstances, new versions
get uploaded the same day they get released.
> The packages maintained by the Nagios team are not in great shape, which
> I suspected was caused by the maintainers being too busy with real life
> to deal with the packages.
As you may have seen, we usually take a lot of care with icinga. But you are right,
several of the packages need work.
> Now I'm starting to think your attitude is scaring away contributors.
I asked you in a friendly way to ask before touching icinga. I don't think such a
friendly request scares away contributors. In fact it prevents doubled