several XSS issues

Related Vulnerabilities: CVE-2011-2179, CVE-2011-1523

Debian Bug report logs - #629127

Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Fri, 3 Jun 2011 18:15:01 UTC

Severity: serious

Tags: security

Found in version nagios3/3.2.3-1

Fixed in versions icinga/1.4.2-1, nagios3/3.2.3-3

Done: Alexander Wirt <formorer@formorer.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#629127; Package nagios3. (Fri, 03 Jun 2011 18:15:04 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 03 Jun 2011 18:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: several XSS issues
Date: Fri, 3 Jun 2011 20:10:40 +0200
Package: nagios3
Severity: serious
Tags: security

Hi,

Two XSS issues have been reported for Nagios and Icinga:

CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
CVE-2011-1523: http://tracker.nagios.org/view.php?id=207

Can you please see to it that these are fixed in unstable and testing, and
determine whether an update for (old)stable is also necessary? Please
mention the CVE id's in any changelog entry.


Thanks,
Thijs




Bug 629127 cloned as bug 629131. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Fri, 03 Jun 2011 18:30:01 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#629127; Package nagios3. (Fri, 03 Jun 2011 20:54:05 GMT)


Acknowledgement sent to Alexander Wirt <formorer@formorer.de>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 03 Jun 2011 20:54:05 GMT)


Message #12 received at 629127@bugs.debian.org:

From: Alexander Wirt <formorer@formorer.de>
To: Thijs Kinkhorst <thijs@debian.org>, 629127@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#629127: several XSS issues
Date: Fri, 3 Jun 2011 22:50:47 +0200
Thijs Kinkhorst wrote on Friday, 03 June 2011:

> Package: nagios3
> Severity: serious
> Tags: security
> 
> Hi,
> 
> Two XSS issues have been reported for Nagios and Icinga:
> 
> CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
> CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
> 
> Can you please see to it that these are fixed in unstable and testing, and
> determine whether an update for (old)stable is also necessary? Please
> mention the CVE id's in any changelog entry.
Sure, will do tomorrow. 

Alex





Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Sat, 04 Jun 2011 19:21:03 GMT)


Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 04 Jun 2011 19:21:03 GMT)


Message #17 received at 629127-close@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: 629127-close@bugs.debian.org
Subject: Bug#629127: fixed in nagios3 3.2.3-3
Date: Sat, 04 Jun 2011 19:18:52 +0000
Source: nagios3
Source-Version: 3.2.3-3

We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive:

nagios3-cgi_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3-cgi_3.2.3-3_amd64.deb
nagios3-common_3.2.3-3_all.deb
  to main/n/nagios3/nagios3-common_3.2.3-3_all.deb
nagios3-core_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3-core_3.2.3-3_amd64.deb
nagios3-dbg_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3-dbg_3.2.3-3_amd64.deb
nagios3-doc_3.2.3-3_all.deb
  to main/n/nagios3/nagios3-doc_3.2.3-3_all.deb
nagios3_3.2.3-3.diff.gz
  to main/n/nagios3/nagios3_3.2.3-3.diff.gz
nagios3_3.2.3-3.dsc
  to main/n/nagios3/nagios3_3.2.3-3.dsc
nagios3_3.2.3-3_amd64.deb
  to main/n/nagios3/nagios3_3.2.3-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 04 Jun 2011 20:22:20 +0200
Source: nagios3
Binary: nagios3-common nagios3-cgi nagios3 nagios3-core nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.2.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 nagios3    - A host/service/network monitoring and management system
 nagios3-cgi - cgi files for nagios3
 nagios3-common - support files for nagios3
 nagios3-core - A host/service/network monitoring and management system core file
 nagios3-dbg - debugging symbols and debug stuff for nagios3
 nagios3-doc - documentation for nagios3
Closes: 629127
Changes: 
 nagios3 (3.2.3-3) unstable; urgency=high
 .
   * [9149473] Fix CVE-2011-2179: XSS via expand function in config.cgi (Closes: #629127).
   * [b5f30e1] Fix for CVE-2011-1523: XSS problem in statusmap.cgi (Closes: #629127)
Checksums-Sha1: 
 f262c08b7aa0790666d7572daac022f6b5ae68a4 1498 nagios3_3.2.3-3.dsc
 97155056932e5f342a58d2edb7755352626e705e 43401 nagios3_3.2.3-3.diff.gz
 c2b9304fd5cecd23f9344e48ebc05576ba794761 1569988 nagios3-cgi_3.2.3-3_amd64.deb
 0b5b7db147292c2b111bae669ed645492754c929 1432 nagios3_3.2.3-3_amd64.deb
 d63d07ef1dcc2e80e886b2a31727636c812f3785 279634 nagios3-core_3.2.3-3_amd64.deb
 bad600fe38efc7c91b56028927a826e6c4a20b42 3301310 nagios3-dbg_3.2.3-3_amd64.deb
 89ad509e3595c23684add5ff36478454a2be47a2 80072 nagios3-common_3.2.3-3_all.deb
 a696462d22c77f546c9d3d71caab11987ac76928 2002512 nagios3-doc_3.2.3-3_all.deb
Checksums-Sha256: 
 1ffeea67001aa31c524dc46a882a20887bd544d4515ddd669828e7eb016c92e9 1498 nagios3_3.2.3-3.dsc
 012cc359a7dc933b87dc0ad27953ca475808ee53aed60a081bb1bf8505acd420 43401 nagios3_3.2.3-3.diff.gz
 7f2e30c3ad30aa0e1af0c2fea93b34f40c3b7422494dbdb7bb22da1696239932 1569988 nagios3-cgi_3.2.3-3_amd64.deb
 0eb74173dbb1065617d63d7cb343e043bfa971731dfaa71b9068913edef128bf 1432 nagios3_3.2.3-3_amd64.deb
 e58fd54baed2f64af8e0475c6770c00a798db3de9fab811afefd9caab8471048 279634 nagios3-core_3.2.3-3_amd64.deb
 28a591c585aa4981ac7604c1dd13093ab977efdc18113efc5cd195be6adcf297 3301310 nagios3-dbg_3.2.3-3_amd64.deb
 2e7067f3385e4019601deeadc92914e510b5685b80b5cb9f63a51d9b7278afbb 80072 nagios3-common_3.2.3-3_all.deb
 9a1f3dd7fd61743c60a6c785d291410b895272be2893e91e4bc00fcb39dd865e 2002512 nagios3-doc_3.2.3-3_all.deb
Files: 
 268d9f9febf7f644cfcf45a8bc5dd371 1498 net optional nagios3_3.2.3-3.dsc
 f25e900c6a8a3dc949fd6dba3b677d67 43401 net optional nagios3_3.2.3-3.diff.gz
 b48b745791414e50af549a70d1eddb53 1569988 net optional nagios3-cgi_3.2.3-3_amd64.deb
 0d0e7fd269dbda68700ab0a079f342c3 1432 net optional nagios3_3.2.3-3_amd64.deb
 02504807af37cc02d4fae287b9e4950f 279634 net optional nagios3-core_3.2.3-3_amd64.deb
 957ce07165bc88441fac0f33267b3562 3301310 debug extra nagios3-dbg_3.2.3-3_amd64.deb
 1541920ea701d6d25ba372b75450415d 80072 net optional nagios3-common_3.2.3-3_all.deb
 d48834482909fb12257adf40c3212207 2002512 doc optional nagios3-doc_3.2.3-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3qgP8ACgkQ01u8mbx9AgrXsACgtQh5fV8qDWfHCmJR85taSyA9
ZbkAoMimPWPN93jOcd1W6hAlvezznJwl
=fcqb
-----END PGP SIGNATURE-----
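
The two changelog entries in the close message above record reflected XSS in config.cgi and statusmap.cgi, both CGI programs. The page does not show the patches; in general such a bug means a request parameter reaches the HTML response without being encoded, and the defensive fix is to HTML-escape every untrusted value at the point it is written out. The block below is an added example and is not Nagios', Icinga's or Debian's code: the function names (`html_escape`, `render_host_cell`) and the sample "host" parameter value are constructed for the illustration.

```c
/* Added example (not Nagios/Icinga/Debian code): HTML-escaping a request
 * parameter before a C CGI writes it into its response. Function names and
 * the sample parameter value are constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five characters that can break out of HTML text or a quoted
 * attribute. Writes a NUL-terminated string into out; returns the number of
 * bytes written (excluding the NUL) or -1 if outlen is too small. A truncated
 * escape sequence would itself be a bug, so the function refuses instead of
 * cutting the output short. */
long html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        char one[2] = { (char)*p, '\0' };   /* pass-through for safe bytes */
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n >= outlen)          /* keep one byte for the terminator */
            return -1;
        memcpy(out + pos, rep, n);
        pos += n;
    }
    if (pos >= outlen)
        return -1;
    out[pos] = '\0';
    return (long)pos;
}

/* Render the table cell a status page might emit for a "host" query
 * parameter. The untrusted value goes through html_escape() first, so the
 * fragment can only contain the <td> markup this function writes itself.
 * Returns 0 on success, -1 if either buffer is too small. */
int render_host_cell(const char *host_param, char *html, size_t htmllen)
{
    char escaped[256];
    if (html_escape(host_param, escaped, sizeof escaped) < 0)
        return -1;
    int n = snprintf(html, htmllen, "<td>Host: %s</td>", escaped);
    if (n < 0 || (size_t)n >= htmllen)
        return -1;
    return 0;
}

int main(void)
{
    /* constructed parameter value containing markup, as a hostile request
     * would carry it; after escaping it is displayed literally */
    const char *host = "web01<b>x</b>";
    char html[512];
    if (render_host_cell(host, html, sizeof html) != 0) {
        fputs("buffer too small\n", stderr);
        return 1;
    }
    printf("%s\n", html);   /* prints <td>Host: web01&lt;b&gt;x&lt;/b&gt;</td> */
    return 0;
}
```

The escaper is context-specific: it is correct for HTML text and double- or single-quoted attribute values, but not for a value placed inside a URL, a JavaScript string or a CSS block, each of which needs its own encoding. Refusing on a too-small buffer rather than truncating matters because a cut-off `&lt;` would reintroduce exactly the kind of defect being fixed.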





Message #18 received at 629127-done@bugs.debian.org:

From: Alexander Wirt <formorer@formorer.de>
To: Thijs Kinkhorst <thijs@debian.org>, 629127-done@bugs.debian.org
Subject: Re: Bug#629127: several XSS issues
Date: Thu, 25 Aug 2011 19:49:34 +0200
Package: icinga
Version: 1.4.2-1

Thijs Kinkhorst wrote on Friday, 03 June 2011:

> Package: nagios3
> Severity: serious
> Tags: security
> 
> Hi,
> 
> Two XSS issues have been reported for Nagios and Icinga:
> 
> CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
> CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
> 
> Can you please see to it that these are fixed in unstable and testing, and
> determine whether an update for (old)stable is also necessary? Please
> mention the CVE id's in any changelog entry.
They have been closed in 1.4.2. As it seems I forgot to close the bug in the
changelog. In stable this will be fixed in the next revision.

Alex




Reply sent to Alexander Wirt <formorer@formorer.de>:
You have taken responsibility. (Fri, 26 Aug 2011 05:45:10 GMT)


Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Fri, 26 Aug 2011 05:45:10 GMT)


Message #23 received at 629127-done@bugs.debian.org:

From: Alexander Wirt <formorer@formorer.de>
To: 629127-done@bugs.debian.org
Subject: Re: Bug#629127: several XSS issues
Date: Fri, 26 Aug 2011 07:44:14 +0200
Package: icinga
Version: 1.4.2-1

Thijs Kinkhorst wrote on Friday, 03 June 2011:

Hi,

> Two XSS issues have been reported for Nagios and Icinga:
> 
> CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
> CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
> 
> Can you please see to it that these are fixed in unstable and testing, and
> determine whether an update for (old)stable is also necessary? Please
> mention the CVE id's in any changelog entry.
These have been fixed in 1.4.2; unfortunately I forgot to add them in the
changelog entry. For stable I'll try to get them fixed in the next stable
update.

Thanks

Alex





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#629127; Package nagios3. (Fri, 25 Nov 2011 23:03:03 GMT)


Acknowledgement sent to "Martijn van Brummelen" <martijn@brumit.nl>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 23:03:03 GMT)


Message #28 received at 629127@bugs.debian.org:

From: "Martijn van Brummelen" <martijn@brumit.nl>
To: 629127@bugs.debian.org
Subject: vulnerable lenny-backports/squeeze (stable)
Date: Fri, 25 Nov 2011 23:49:50 +0100
XSS is found in version 3.2.3.
lenny (oldstable) has version 3.0.6-4~lenny2
lenny-backports has version 3.2.1-2~bpo50+1/3.2.0-5~bpo50+1
squeeze has version 3.2.1-2
All are older, non-vulnerable versions.

Regards,
Martijn van Brummelen









Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#629127; Package nagios3. (Thu, 22 Dec 2011 09:48:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 22 Dec 2011 09:48:05 GMT)


Message #33 received at 629127@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 629127@bugs.debian.org
Subject: several XSS issues
Date: Thu, 22 Dec 2011 09:45:41 +0000 (GMT)
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.4) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Marked as found in versions nagios3/3.2.3-1. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:27:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Apr 2012 07:34:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:42:40 2019; Machine Name: beach
