nagios4: CVE-2018-13441 CVE-2018-13457 CVE-2018-13458

Related Vulnerabilities: CVE-2018-13441   CVE-2018-13457   CVE-2018-13458   CVE-2018-18245  

Debian Bug report logs - #917160
nagios4: CVE-2018-13441 CVE-2018-13457 CVE-2018-13458

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 23 Dec 2018 13:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version nagios4/4.3.4-2

Fixed in version nagios4/4.3.4-3

Done: Russell Stuart <russell-debian@stuart.id.au>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Russell Stuart <russell-debian@stuart.id.au>:
Bug#917160; Package src:nagios4. (Sun, 23 Dec 2018 13:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Russell Stuart <russell-debian@stuart.id.au>. (Sun, 23 Dec 2018 13:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios4: CVE-2018-13441 CVE-2018-13457 CVE-2018-13458
Date: Sun, 23 Dec 2018 14:18:52 +0100
Source: nagios4
Version: 4.3.4-2
Severity: important
Tags: patch security upstream

Hi,

The following vulnerabilities were published for nagios4.

CVE-2018-13441[0]:
| qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL
| pointer dereference vulnerability, which allows attacker to cause a
| local denial-of-service condition by sending a crafted payload to the
| listening UNIX socket.

CVE-2018-13457[1]:
| qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer
| dereference vulnerability, which allows attackers to cause a local
| denial-of-service condition by sending a crafted payload to the
| listening UNIX socket.

CVE-2018-13458[2]:
| qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer
| dereference vulnerability, which allows attackers to cause a local
| denial-of-service condition by sending a crafted payload to the
| listening UNIX socket.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13441
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13441
[1] https://security-tracker.debian.org/tracker/CVE-2018-13457
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13457
[2] https://security-tracker.debian.org/tracker/CVE-2018-13458
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13458
[3] https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76

Regards,
Salvatore



Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 22:27:09 GMT)


Reply sent to Russell Stuart <russell-debian@stuart.id.au>:
You have taken responsibility. (Tue, 12 Feb 2019 06:24:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Feb 2019 06:24:09 GMT)


Message #12 received at 917160-close@bugs.debian.org:

From: Russell Stuart <russell-debian@stuart.id.au>
To: 917160-close@bugs.debian.org
Subject: Bug#917160: fixed in nagios4 4.3.4-3
Date: Tue, 12 Feb 2019 06:22:25 +0000
Source: nagios4
Source-Version: 4.3.4-3

We believe that the bug you reported is fixed in the latest version of
nagios4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Stuart <russell-debian@stuart.id.au> (supplier of updated nagios4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu,  7 Feb 2019 19:35:53 +1000
Source: nagios4
Binary: nagios4-common nagios4-cgi nagios4 nagios4-core nagios4-dbg
Architecture: source amd64 all
Version: 4.3.4-3
Distribution: unstable
Urgency: low
Maintainer: Russell Stuart <russell-debian@stuart.id.au>
Changed-By: Russell Stuart <russell-debian@stuart.id.au>
Description:
 nagios4    - host/service/network monitoring and management system
 nagios4-cgi - cgi files for nagios4
 nagios4-common - support files for nagios4
 nagios4-core - host/service/network monitoring and management system core files
 nagios4-dbg - debugging symbols and debug stuff for nagios4
Closes: 902138 902216 905523 917160
Changes:
 nagios4 (4.3.4-3) unstable; urgency=low
 .
   * Fix CVE-2018-18245 (closes: #902138)
   * Fix CVE-2018-13441, CVE-2018-13457, CVE-2018-13458 (closes: #917160)
   * Removed /etc/nagios4/htdigest.users purge (closes: #905523)
   * Fix unknown RPM_ARCH (closes: #902216)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Mar 2019 07:28:58 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:07:39 2019; Machine Name: buxtehude
