[Pkg-nagios-devel] Fixing CVE-2016-9566 in Icinga & Nagios

Markus Frosch lazyfrosch at debian.org
Sat Dec 24 14:01:19 UTC 2016

On 23.12.2016 10:54, Sebastiaan Couwenberg wrote:
> On 12/23/2016 10:46 AM, Alexander Wirt wrote:
>> On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
>>
>>> On 12/23/2016 10:32 AM, Alexander Wirt wrote:
>>>> On Fri, 23 Dec 2016, Sebastiaan Couwenberg wrote:
>>>>> Icinga upstream has released bugfix releases for the various Icinga 1.x
>>>>> branches fixing CVE-2016-9566. [0]
>>>>>
>>>>> I've updated the package to 1.13.4 for unstable, although we can
>>>>> consider updating to 1.14.0 too. 1.13.4 was the least invasive choice
>>>>> since it only contains the fix for CVE-2016-9566.
>>>>
>>>> Didn't I ask you NOT to touch icinga?
>>>>
>>>> We - Markus and I - are part of upstream and will handle those things on our
>>>> own.
>>>>
>>>> I am a little bit annoyed that you touched icinga.
>>>
>>> Fine, I'll never touch icinga again.
>>>
>>> Very disappointing.
>>
>> I asked you friendly in advance to talk to us before touching the package
>> and you refused that wish. What do you expect?
> People being glad to get help.
> The fact that the LTS team fixed the CVE before the maintainers is not
> encouraging.
> The packages maintained by the Nagios team are not in great shape, which
> I suspected was caused by the maintainers being too busy with real life
> to deal with the packages.
> Now I'm starting to think your attitude is scaring away contributors.

You are welcome any time to help, to suggest, and to upload, but start a conversation with us,
discuss changes, and don't push them to unstable. You are doing a monologue, and that is
discouraging for us.

I had a look at the CVE myself, and *I* actually ported the patch to Icinga and tested it.
So it would be nice if you would at least ask me about my opinion.

If you ever see us not answering a mail on the list or tracker (because we have other
stuff to do occasionally), just drop a private mail.

Markus Frosch
markus at lazyfrosch.de / lazyfrosch at debian.org
