Debian Bug report logs - #629127: several XSS issues
Reported by: "Thijs Kinkhorst" <thijs@debian.org>
Date: Fri, 3 Jun 2011 18:15:01 UTC
Severity: serious
Tags: security
Found in version nagios3/3.2.3-1
Fixed in versions icinga/1.4.2-1, nagios3/3.2.3-3
Done: Alexander Wirt <formorer@formorer.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#629127; Package nagios3. (Fri, 03 Jun 2011 18:15:04 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 03 Jun 2011 18:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: nagios3
Severity: serious
Tags: security

Hi,

Two XSS issues have been reported for Nagios and Icinga:

CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
CVE-2011-1523: http://tracker.nagios.org/view.php?id=207

Can you please see to it that these are fixed in unstable and testing, and
determine whether an update for (old)stable is also necessary? Please
mention the CVE IDs in any changelog entry.

Thanks,
Thijs
Bug 629127 cloned as bug 629131. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Fri, 03 Jun 2011 18:30:01 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#629127; Package nagios3. (Fri, 03 Jun 2011 20:54:05 GMT)
Acknowledgement sent to Alexander Wirt <formorer@formorer.de>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 03 Jun 2011 20:54:05 GMT)
Message #12 received at 629127@bugs.debian.org:
Thijs Kinkhorst wrote on Friday, 03 June 2011:
> Package: nagios3
> Severity: serious
> Tags: security
>
> Hi,
>
> Two XSS issues have been reported for Nagios and Icinga:
>
> CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
> CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
>
> Can you please see to it that these are fixed in unstable and testing, and
> determine whether an update for (old)stable is also necessary? Please
> mention the CVE IDs in any changelog entry.
Sure, will do tomorrow.
Alex
Reply sent to Alexander Wirt <formorer@debian.org>: You have taken responsibility. (Sat, 04 Jun 2011 19:21:03 GMT)
Notification sent to "Thijs Kinkhorst" <thijs@debian.org>: Bug acknowledged by developer. (Sat, 04 Jun 2011 19:21:03 GMT)
Message #17 received at 629127-close@bugs.debian.org:
Source: nagios3
Source-Version: 3.2.3-3
We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive:
nagios3-cgi_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3-cgi_3.2.3-3_amd64.deb
nagios3-common_3.2.3-3_all.deb
  to main/n/nagios3/nagios3-common_3.2.3-3_all.deb
nagios3-core_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3-core_3.2.3-3_amd64.deb
nagios3-dbg_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3-dbg_3.2.3-3_amd64.deb
nagios3-doc_3.2.3-3_all.deb
  to main/n/nagios3/nagios3-doc_3.2.3-3_all.deb
nagios3_3.2.3-3.diff.gz
  to main/n/nagios3/nagios3_3.2.3-3.diff.gz
nagios3_3.2.3-3.dsc
  to main/n/nagios3/nagios3_3.2.3-3.dsc
nagios3_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3_3.2.3-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 629127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 04 Jun 2011 20:22:20 +0200
Source: nagios3
Binary: nagios3-common nagios3-cgi nagios3 nagios3-core nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.2.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description:
 nagios3 - A host/service/network monitoring and management system
 nagios3-cgi - cgi files for nagios3
 nagios3-common - support files for nagios3
 nagios3-core - A host/service/network monitoring and management system core file
 nagios3-dbg - debugging symbols and debug stuff for nagios3
 nagios3-doc - documentation for nagios3
Closes: 629127
Changes:
 nagios3 (3.2.3-3) unstable; urgency=high
 .
   * [9149473] Fix CVE-2011-2179: XSS via expand function in config.cgi (Closes: #629127).
   * [b5f30e1] Fix for CVE-2011-1523: XSS problem in statusmap.cgi (Closes: #629127)
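The changelog above names the two bugs (reflected XSS through config.cgi's expand parameter and in statusmap.cgi) but not the fix. The following is an added illustration, written for this page and not taken from Nagios, Icinga or the Debian packaging, of the pattern that closes this class of bug in a C CGI: a query-string value is percent-decoded when read, and HTML-escaped only at the point where it is written into the page. The parameter value, the function names and the output line are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int hexval(char c) {  /* value of one hex digit, or -1 if c is not one */
    const char *d = "0123456789abcdef", *p = c ? strchr(d, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - d) : -1;
}
/* Percent-decode a CGI parameter value in place ("%3C" -> '<', '+' -> ' ').
 * Decoding restores the exact bytes the client sent; it is not sanitising. */
void url_decode(char *s) {
    char *out = s;
    for (; *s; s++, out++) {
        if (*s == '+') *out = ' ';
        else if (*s == '%' && hexval(s[1]) >= 0 && hexval(s[2]) >= 0) {
            *out = (char)(hexval(s[1]) * 16 + hexval(s[2]));
            s += 2;
        } else *out = *s;
    }
    *out = '\0';
}

/* HTML-escape for element content or a double-quoted attribute; caller frees. */
char *html_escape(const char *in) {
    char *out = malloc(strlen(in) * 6 + 1), *o = out;  /* worst case "&quot;" per byte */
    if (!out) return NULL;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *o++ = *in; continue;
        }
        o += sprintf(o, "%s", rep);
    }
    *o = '\0';
    return out;
}

int main(void) {
    char value[] = "%3Cscript%3Ealert%281%29%3C%2Fscript%3E";  /* constructed "expand" value */
    url_decode(value);
    char *safe = html_escape(value);
    printf("<h2>Config for %s</h2>\n", safe);  /* escape at the HTML sink, not earlier */
    free(safe); return 0;
}
```

The order matters: escaping before decoding would let an encoded `%3C` pass the escaper untouched and be turned back into `<` later, so the escape step belongs at the output sink.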
Message #18 received at 629127-done@bugs.debian.org:
Package: icinga
Version: 1.4.2-1

Thijs Kinkhorst wrote on Friday, 03 June 2011:
> Package: nagios3
> Severity: serious
> Tags: security
>
> Hi,
>
> Two XSS issues have been reported for Nagios and Icinga:
>
> CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
> CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
>
> Can you please see to it that these are fixed in unstable and testing, and
> determine whether an update for (old)stable is also necessary? Please
> mention the CVE IDs in any changelog entry.
They have been closed in 1.4.2. It seems I forgot to close the bug in the
changelog. In stable this will be fixed in the next revision.
Alex
Reply sent to Alexander Wirt <formorer@formorer.de>: You have taken responsibility. (Fri, 26 Aug 2011 05:45:10 GMT)
Notification sent to "Thijs Kinkhorst" <thijs@debian.org>: Bug acknowledged by developer. (Fri, 26 Aug 2011 05:45:10 GMT)
Message #23 received at 629127-done@bugs.debian.org:
Package: icinga
Version: 1.4.2-1

Thijs Kinkhorst wrote on Friday, 03 June 2011:
Hi,
> Two XSS issues have been reported for Nagios and Icinga:
>
> CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
> CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
>
> Can you please see to it that these are fixed in unstable and testing, and
> determine whether an update for (old)stable is also necessary? Please
> mention the CVE IDs in any changelog entry.
These have been fixed in 1.4.2; unfortunately I forgot to add them in the
changelog entry. For stable I'll try to get them fixed in the next stable
update.
Thanks
Alex
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#629127; Package nagios3. (Fri, 25 Nov 2011 23:03:03 GMT)
Acknowledgement sent to "Martijn van Brummelen" <martijn@brumit.nl>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 23:03:03 GMT)
Message #28 received at 629127@bugs.debian.org:
XSS is found in version 3.2.3
lenny (oldstable) has version 3.0.6-4~lenny2
lenny-backports has version 3.2.1-2~bpo50+1/3.2.0-5~bpo50+1
squeeze has version 3.2.1-2
all older, non-vulnerable versions.
Regards,
Martijn van Brummelen
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#629127; Package nagios3. (Thu, 22 Dec 2011 09:48:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 22 Dec 2011 09:48:05 GMT)
Message #33 received at 629127@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.4) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.
For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].
0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Marked as found in versions nagios3/3.2.3-1. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:27:10 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Apr 2012 07:34:42 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:42:40 2019.