[Pkg-nagios-devel] Bug#865497: CVE-2017-9781 not yet fixed in 1.2.8p26-1?
taggart at debian.org
Fri Oct 6 22:43:38 UTC 2017
On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote:
> Control: notfixed -1 1.2.8p26-1
> On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote:
>> This is an automatic notification regarding your Bug report
>> which was filed against the src:check-mk package:
>> #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
> I looked up the source for 1.2.8p26-1.
> The fix for CVE-2017-9781 is
> which does not yet seem to be applied to 1.2.8p26-1?
> Can you please double-check?
> Note, there is a second CVE now for check-mk, that one got addressed
> in 1.2.8p26, but it's not clear yet in which version it was
You are right, the fix for CVE-2017-9781, which upstream calls "werk
#4757", is _not_ in 1.2.8p26. I was confused with upstream #5208 when I
wrote the changelog that closed the bug.
Upstream lists the following security-related fixes for 1.2.8:
#7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?)
#3970 (fixed in 1.2.8p14)
#3855 (fixed in 1.2.8p11)
#3743 (fixed in 1.2.8p10)
Full list of changes for 1.2.8p26
Full list of changes for 1.4.0p14
which additionally lists
#4757 (as you mentioned above, fixed in 1.4.0p6)
#7643 (only in 1.4 and newer)
So I think the Debian 1.2.8p16 package is only missing #4757.
I will ask upstream if they intend to fix #4757 in the 1.2.8 series.
Unfortunately due to how the upstream tarball/build works, it is tricky
to patch upstream files. If upstream doesn't intend to include this fix
I can generate a patch to make it work.
I had started working on packaging 1.4.0 as a way to fix these security
bugs (and even did an upload to experimental) but I recently learned
from upstream that:
"The use of Check_MK without OMD environment and customization of paths
is explicitly not supported anymore."
i.e. you can't use check-mk stand-alone, you have to use OMD (and
livestatus/WATO/multisite, the whole stack) and you have to use
upstream's installer to upstream's paths. It's very much the "network
appliance" model (or flatpak, docker image, etc.).
I don't know if we'll be able to make this work in Debian (not to
mention that nagios is gone and icinga1 will go away at some point).
That prompted me to go back to 1.2.8 and package the latest release
there in order to at least have something working without the security bugs.
taggart at debian.org