Debian Bug report logs - #482445
nagios2: CVE-2007-5803 cross-site scripting vulnerabilities
Reported by: Nico Golde <nion@debian.org>
Date: Thu, 22 May 2008 20:09:01 UTC
Severity: important
Tags: patch, security
Fixed in version nagios2/2.6-2+etch4
Done: Giuseppe Iuculano <giuseppe@iuculano.it>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#482445; Package nagios2.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: nagios2
Severity: important
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nagios2.
CVE-2007-5803[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in
| Nagios before 2.12 might allow remote attackers to inject arbitrary
| web script or HTML via unspecified vectors, a different issue than
| CVE-2007-5624 and CVE-2008-1360.
Patch: https://bugzilla.redhat.com/attachment.cgi?id=305354
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5803
http://security-tracker.debian.net/tracker/CVE-2007-5803
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#482445; Package nagios2.
Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>: Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>.
Message #10 received at 482445@bugs.debian.org:
On Thu, May 22, 2008 at 10:05:27PM +0200, Nico Golde wrote:
> Package: nagios2
> Severity: important
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for nagios2.
Nagios2 is about to be removed from unstable and testing, so I do not
plan on providing a fix for testing and unstable.
The patch applies to Nagios 2.6 from stable with one failing hunk, and
the reject file can be manually applied. Do you plan/want to issue a
stable security release?
The attached dpatch applies fine to nagios2 in stable, and the package
builds. I have not done any functionality tests though.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
[30_urlencode_CVE-2007-5803_482445.dpatch (text/plain, attachment)]
Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>: You have taken responsibility. (Thu, 04 Feb 2010 20:03:11 GMT)
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer. (Thu, 04 Feb 2010 20:03:12 GMT)
Message #15 received at 482445-close@bugs.debian.org:
Source: nagios2
Source-Version: 2.6-2+etch4
We believe that the bug you reported is fixed in the latest version of
nagios2, which is due to be installed in the Debian FTP archive:
nagios2-common_2.6-2+etch4_all.deb
to main/n/nagios2/nagios2-common_2.6-2+etch4_all.deb
nagios2-dbg_2.6-2+etch4_i386.deb
to main/n/nagios2/nagios2-dbg_2.6-2+etch4_i386.deb
nagios2-doc_2.6-2+etch4_all.deb
to main/n/nagios2/nagios2-doc_2.6-2+etch4_all.deb
nagios2_2.6-2+etch4.diff.gz
to main/n/nagios2/nagios2_2.6-2+etch4.diff.gz
nagios2_2.6-2+etch4.dsc
to main/n/nagios2/nagios2_2.6-2+etch4.dsc
nagios2_2.6-2+etch4_i386.deb
to main/n/nagios2/nagios2_2.6-2+etch4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 482445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated nagios2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 04 Sep 2009 19:40:00 +0200
Source: nagios2
Binary: nagios2-doc nagios2-common nagios2-dbg nagios2
Architecture: source i386 all
Version: 2.6-2+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description:
nagios2 - A host/service/network monitoring and management system
nagios2-common - support files for nagios2
nagios2-dbg - debugging symbols for nagios2
nagios2-doc - documentation for nagios2
Closes: 448371 482445
Changes:
nagios2 (2.6-2+etch4) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed multiple cross-site scripting (XSS) vulnerabilities in CGIs programs
(Closes: #448371, #482445)
Fixed: CVE-2007-5624, CVE-2007-5803, CVE-2008-1360
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Mar 2010 07:33:31 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:35:21 2019; Machine Name: buxtehude