CVE-2008-5028: Nagios "cmd.cgi" cross-site request forgery

Related Vulnerabilities: CVE-2008-5028  

Debian Bug report logs - #504894


Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Fri, 7 Nov 2008 20:15:02 UTC

Severity: grave

Tags: confirmed, patch, security

Fixed in version nagios3/3.0.6-1

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#504894; Package nagios3. (Fri, 07 Nov 2008 20:15:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery
Date: Fri, 7 Nov 2008 14:12:01 -0600
Package: nagios3
Severity: grave
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for Nagios.

SA32610[1]:
> Andreas Ericsson has discovered a vulnerability in Nagios, which can be
> exploited by malicious people to conduct cross-site request forgery
> attacks.
>
> The application allows users to perform certain actions via HTTP requests
> to "cmd.cgi" without performing any validity checks to verify the request.
> This can be exploited to execute certain Nagios commands (e.g. to disable
> notifications) when a logged-in administrator visits a malicious web site.
>
> The vulnerability is confirmed in version 3.0.5. Other versions may also be
> affected.

A proposed patch is available at [2].

If you fix the vulnerability please also make sure to include the SA id (or 
the CVE id when one is assigned) in the changelog entry.

[1]http://secunia.com/Advisories/32610/
[2]http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#504894; Package nagios3. (Sat, 08 Nov 2008 08:03:07 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 08 Nov 2008 08:03:07 GMT)


Message #8 received at 504894@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 504894@bugs.debian.org
Subject: another SA issue
Date: Sat, 8 Nov 2008 18:58:47 +1100
Hi

Please also see this advisory[0] as an additional issue.

Description:
A vulnerability has been reported in Nagios, which can be exploited by 
malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests 
without performing any validity checks to verify the request. This can be 
exploited to perform unspecified actions e.g. when a logged-in user visits a 
malicious web site.

The vulnerability is reported in versions prior to 3.0.5.

Cheers
Steffen

[0]: http://secunia.com/Advisories/32543/
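The two advisories quoted in this thread (SA32610 in the first message, SA32543 in this one) describe the same defect: the command endpoint authenticates the browser's session cookie but never checks that the request itself was intended by the logged-in user. The sketch below is an added example, not Nagios's cmd.cgi and not the upstream patch; the request model, the `cmd` and `csrf_token` parameter names, the site origin and the session store are all constructed for illustration. It puts the unchecked handler beside a hardened one that requires POST, a same-origin Origin/Referer header and a session-bound anti-CSRF token, and shows which requests each handler executes.

```python
"""Unchecked command handler beside a CSRF-hardened one (illustrative code,
not Nagios cmd.cgi; every name and parameter below is constructed)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed values: the monitoring site's own origin and a per-process secret
# from which session-bound anti-CSRF tokens are derived.
SITE_ORIGIN = "https://monitor.example.test"
SERVER_SECRET = secrets.token_bytes(32)

# Stand-in for the web server's session store: cookie value -> logged-in user.
SESSIONS: Dict[str, str] = {"sess-abc": "admin"}

# Commands that reached the backend, so the effect of each handler is visible.
AUDIT_LOG: List[Tuple[str, str]] = []


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at."""
    method: str
    params: Dict[str, str]
    session_id: Optional[str] = None  # set when the browser sent the login cookie
    headers: Dict[str, str] = field(default_factory=dict)


def execute_command(cmd: str, user: str) -> str:
    AUDIT_LOG.append((user, cmd))
    return f"executed {cmd} on behalf of {user}"


def handle_cmd_vulnerable(req: Request) -> Tuple[int, str]:
    """Checks only WHO is logged in, never whether the user meant to send this
    request. A request triggered by another site arrives with the victim's
    cookie and is executed exactly like one the user typed in."""
    user = SESSIONS.get(req.session_id or "")
    if user is None:
        return 403, "not logged in"
    cmd = req.params.get("cmd")
    if not cmd:
        return 400, "missing cmd"
    return 200, execute_command(cmd, user)


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session. The server embeds it in the command form it
    renders; a third-party page can neither read nor compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(req: Request) -> bool:
    """Defence in depth: accept only requests the browser attributes to our own
    origin. Browsers may omit Referer, so an absent header fails closed."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    want, got = urlparse(SITE_ORIGIN), urlparse(source)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_cmd_hardened(req: Request) -> Tuple[int, str]:
    """Same handler with the request-validity checks the advisories say are missing."""
    user = SESSIONS.get(req.session_id or "")
    if user is None:
        return 403, "not logged in"
    if req.method != "POST":                  # state changes never ride on GET
        return 405, "commands must be submitted with POST"
    if not same_origin(req):
        return 403, "cross-site request rejected"
    expected = csrf_token_for(req.session_id or "")
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403, "missing or invalid anti-CSRF token"
    cmd = req.params.get("cmd")
    if not cmd:
        return 400, "missing cmd"
    return 200, execute_command(cmd, user)


def cross_site_request() -> Request:
    """Models the request the advisories describe: issued while the admin
    is browsing another site, so the cookie travels along but no token and
    no same-site Origin do."""
    return Request("GET", {"cmd": "DISABLE_NOTIFICATIONS"}, session_id="sess-abc",
                   headers={"Referer": "https://other-site.example.test/"})


def legitimate_request() -> Request:
    """A submission of the server's own command form."""
    return Request("POST", {"cmd": "DISABLE_NOTIFICATIONS",
                            "csrf_token": csrf_token_for("sess-abc")},
                   session_id="sess-abc", headers={"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    print("vulnerable, cross-site:", handle_cmd_vulnerable(cross_site_request()))
    print("hardened, cross-site:  ", handle_cmd_hardened(cross_site_request()))
    print("hardened, legitimate:  ", handle_cmd_hardened(legitimate_request()))
    print("audit log:", AUDIT_LOG)
```

The three checks are layered on purpose: the POST requirement alone stops the simplest cross-site triggers but not a cross-site form post, the Origin/Referer check depends on headers the browser may omit, and the session-bound token is the check that actually binds the request to a page the server rendered for that user. Comparing the token with `hmac.compare_digest` avoids leaking its value through timing.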

Tags added: confirmed Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Sat, 08 Nov 2008 19:12:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#504894; Package nagios3. (Sat, 08 Nov 2008 22:36:20 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 08 Nov 2008 22:36:23 GMT)


Message #15 received at 504894@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 504894@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#504894: another SA issue
Date: Sat, 8 Nov 2008 22:42:40 +0100
Steffen Joeris wrote on Saturday, 08 November 2008:

> Hi
> 
> Please also see this advisory[0] as an additional issue.
> 
> Description:
> A vulnerability has been reported in Nagios, which can be exploited by 
> malicious people to conduct cross-site request forgery attacks.
> 
> The application allows users to perform certain actions via HTTP requests 
> without performing any validity checks to verify the request. This can be 
> exploited to perform unspecified actions e.g. when a logged-in user visits a 
> malicious web site.
> 
> The vulnerability is reported in versions prior to 3.0.5.
> 
> Cheers
> Steffen
> 
> [0]: http://secunia.com/Advisories/32543/
Just for the notes, I'm currently working on the issue. 

Alex
-- 
Alexander Wirt, formorer@formorer.de 
CC99 2DDD D39E 75B0 B0AA  B25C D35B BC99 BC7D 020A

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#504894; Package nagios3. (Tue, 18 Nov 2008 13:03:03 GMT)


Acknowledgement sent to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 18 Nov 2008 13:03:04 GMT)


Message #20 received at 504894@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: Alexander Wirt <formorer@debian.org>
Cc: 504894@bugs.debian.org
Subject: Re: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery
Date: Tue, 18 Nov 2008 13:56:38 +0100
Hi,

what's the status?

Regards,
Daniel

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#504894; Package nagios3. (Fri, 21 Nov 2008 01:03:02 GMT)


Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 21 Nov 2008 01:03:03 GMT)


Message #25 received at 504894@bugs.debian.org:

From: "Raphael Geissert" <atomo64@gmail.com>
To: 504894@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery
Date: Thu, 20 Nov 2008 18:56:25 -0600
retitle 504894 CVE-2008-5028: Nagios "cmd.cgi" cross-site request forgery
thanks

2008/11/7 Raphael Geissert <atomo64@gmail.com>:
[...]
>
> A proposed patch is available at [2].
>
> If you fix the vulnerability please also make sure to include the SA id (or
> the CVE id when one is assigned) in the changelog entry.

This issue has been assigned the following id: CVE-2008-5028, please
use it instead of the Secunia Advisory when fixing/referring to this
bug.

Btw, what's the ETA?

>
> [1]http://secunia.com/Advisories/32610/
> [2]http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18
>
> Cheers,

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Alfred Hitchcock  - "Television has brought back murder into the home
- where it belongs."




Changed Bug title to `CVE-2008-5028: Nagios "cmd.cgi" cross-site request forgery' from `SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery'. Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 21 Nov 2008 01:03:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#504894; Package nagios3. (Fri, 21 Nov 2008 06:06:03 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 21 Nov 2008 06:06:03 GMT)


Message #32 received at 504894@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Raphael Geissert <atomo64@gmail.com>, 504894@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#504894: SA32610: Nagios "cmd.cgi" Cross-Site Request Forgery
Date: Fri, 21 Nov 2008 07:04:48 +0100
Raphael Geissert wrote on Thursday, 20 November 2008:

> retitle 504894 CVE-2008-5028: Nagios "cmd.cgi" cross-site request forgery
> thanks
> 
> 2008/11/7 Raphael Geissert <atomo64@gmail.com>:
> [...]
> >
> > A proposed patch is available at [2].
> >
> > If you fix the vulnerability please also make sure to include the SA id (or
> > the CVE id when one is assigned) in the changelog entry.
> 
> This issue has been assigned the following id: CVE-2008-5028, please
> use it instead of the Secunia Advisory when fixing/referring to this
> bug.
> 
> Btw, what's the ETA?
If I don't find any new bugs in my patch....: Today :). 

Alex





Tags added: pending Request was from Alexander Wirt <formorer@alioth.debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2008 20:24:02 GMT)


Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Mon, 08 Dec 2008 03:21:04 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Mon, 08 Dec 2008 03:21:04 GMT)


Message #39 received at 504894-close@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: 504894-close@bugs.debian.org
Subject: Bug#504894: fixed in nagios3 3.0.6-1
Date: Mon, 08 Dec 2008 03:02:06 +0000
Source: nagios3
Source-Version: 3.0.6-1

We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive:

nagios3-common_3.0.6-1_all.deb
  to pool/main/n/nagios3/nagios3-common_3.0.6-1_all.deb
nagios3-dbg_3.0.6-1_amd64.deb
  to pool/main/n/nagios3/nagios3-dbg_3.0.6-1_amd64.deb
nagios3-doc_3.0.6-1_all.deb
  to pool/main/n/nagios3/nagios3-doc_3.0.6-1_all.deb
nagios3_3.0.6-1.diff.gz
  to pool/main/n/nagios3/nagios3_3.0.6-1.diff.gz
nagios3_3.0.6-1.dsc
  to pool/main/n/nagios3/nagios3_3.0.6-1.dsc
nagios3_3.0.6-1_amd64.deb
  to pool/main/n/nagios3/nagios3_3.0.6-1_amd64.deb
nagios3_3.0.6.orig.tar.gz
  to pool/main/n/nagios3/nagios3_3.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504894@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 08 Dec 2008 02:51:21 +0100
Source: nagios3
Binary: nagios3-common nagios3 nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 nagios3    - A host/service/network monitoring and management system
 nagios3-common - support files for nagios3
 nagios3-dbg - debugging symbols and debug stuff for nagios3
 nagios3-doc - documentation for nagios3
Closes: 504894 505813 506851
Changes: 
 nagios3 (3.0.6-1) unstable; urgency=high
 .
   * New upstream version
     - Even more fixes for CVE-2008-5028
   * Urgency high for security fixes
   * Add ${shlibs:Depends} (Fixes lintian error, as the epn debugger
     should depend on libc)
   * Add ${misc:Depends} to binaries (Fixes lintian warning)
 .
 nagios3 (3.0.5-1) unstable; urgency=low
 .
   [ Christian Perrier ]
   * Fix pending l10n issues. Debconf translations:
     - Italian. Closes: #505813
     - Polish. Closes: #506851
 .
   [ Alexander Wirt ]
   * New upstream version
     - Adds security fix for cmd.cgi (Closes: #504894)
       This security problem is referenced as CVE-2008-5028 and SA32610
Checksums-Sha1: 
 18343fd554c78bc585be812992e67e24336b1fd0 1533 nagios3_3.0.6-1.dsc
 d6bd20cdc22d2b931f9ad7f9cb33ff71d2cb7d71 2735504 nagios3_3.0.6.orig.tar.gz
 2ecf33611e067b819f5d30bcfaf7b42c934d9105 37133 nagios3_3.0.6-1.diff.gz
 1ab06afa4f4e601f2c89c711ca840cd7e2d32e3d 1532000 nagios3_3.0.6-1_amd64.deb
 404c2055d55aaa4cb8ff71b2932df2a0889ed081 2537396 nagios3-dbg_3.0.6-1_amd64.deb
 e02176c1a216822be043cb3fb5ff678c22b22c6f 76622 nagios3-common_3.0.6-1_all.deb
 83f525a49448d3727ccfb55c0697fb6b9343e693 2070072 nagios3-doc_3.0.6-1_all.deb
Checksums-Sha256: 
 18a2773acac70a9f0c2bcd042fa87c435a5f2ed8a4f6f703d3930f220e68d5fe 1533 nagios3_3.0.6-1.dsc
 bedeb2c1ffbf7525ec19ac84a66bad60a19d2b0544cbf050a53bfc363c09bb22 2735504 nagios3_3.0.6.orig.tar.gz
 bf54282871fb5d90bad7ea0cae80d6978f42399dbd258db809a8918a0ec31374 37133 nagios3_3.0.6-1.diff.gz
 a736a8329bd53ecf6fdea5187f7d909ab20fc9c2b898e006da3aef5d96d204dd 1532000 nagios3_3.0.6-1_amd64.deb
 5c214d347de97c07c899a112f1aaeaa4505e8cbbf10682446f9e8849b2ba9379 2537396 nagios3-dbg_3.0.6-1_amd64.deb
 4c20e5b240077b1e99b070b433a5142d87c0d7fb9140ae2e6d5a194590068baf 76622 nagios3-common_3.0.6-1_all.deb
 8a6403aa2dea2c3bd6e42819830d8b7fd55e8fc6dc432fd9a17ee9aa57c46ecd 2070072 nagios3-doc_3.0.6-1_all.deb
Files: 
 e221e3af03cbc51cdb0b33a94f1181cc 1533 net optional nagios3_3.0.6-1.dsc
 900e3f4164f4b2a18485420eeaefe812 2735504 net optional nagios3_3.0.6.orig.tar.gz
 45444fd46ad9a074959413849a69d215 37133 net optional nagios3_3.0.6-1.diff.gz
 175db6bf262ae58bc6722324d4d4f883 1532000 net optional nagios3_3.0.6-1_amd64.deb
 7c28d8d006547d675f9dc6f7ff1e551b 2537396 net extra nagios3-dbg_3.0.6-1_amd64.deb
 ebcfbf4cb70bd78c5ba027eb2ed41687 76622 net optional nagios3-common_3.0.6-1_all.deb
 bc9aa5f79f32a8257a34bda1da93e99c 2070072 doc optional nagios3-doc_3.0.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk8i0cACgkQ01u8mbx9AgpNVwCdElwpscjkvXBVcWIfdqw0FdsO
OQEAoJWQK7lRiM1H4yntriXLdf9jwcom
=uOVV
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Jan 2009 07:29:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:19:00 2019; Machine Name: buxtehude
