nagios2: CVE-2007-5803 cross-site scripting vulnerabilities

Debian Bug report logs - #482445
nagios2: CVE-2007-5803 cross-site scripting vulnerabilities

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: nagios2: CVE-2007-5803 cross-site scripting vulnerabilities

Date: Thu, 22 May 2008 22:05:27 +0200

[Message part 1 (text/plain, inline)]

Package: nagios2
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nagios2.


CVE-2007-5803[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in
| Nagios before 2.12 might allow remote attackers to inject arbitrary
| web script or HTML via unspecified vectors, a different issue than
| CVE-2007-5624 and CVE-2008-1360.

Patch: https://bugzilla.redhat.com/attachment.cgi?id=305354

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5803
    http://security-tracker.debian.net/tracker/CVE-2007-5803

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 482445@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>

To: Nico Golde <nion@debian.org>, 482445@bugs.debian.org

Subject: Re: [Pkg-nagios-devel] Bug#482445: nagios2: CVE-2007-5803 cross-site scripting vulnerabilities

Date: Mon, 26 May 2008 18:14:20 +0200

[Message part 1 (text/plain, inline)]

On Thu, May 22, 2008 at 10:05:27PM +0200, Nico Golde wrote:
> Package: nagios2
> Severity: important
> Tags: security patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for nagios2.

Nagios2 is about to be removed from unstable and testing, so I do not
plan on providing a fix for testing and unstable.

The patch applies to Nagios 2.6 from stable with one failing hunk, and
the reject file can be manually applied. Do you plan/want to issue a
stable security release?

The attached dpatch applies fine to nagios2 in stable, and the package
builds. I have not done any functionality tests though.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

[30_urlencode_CVE-2007-5803_482445.dpatch (text/plain, attachment)]

Message #15 received at 482445-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: 482445-close@bugs.debian.org

Subject: Bug#482445: fixed in nagios2 2.6-2+etch4

Date: Thu, 04 Feb 2010 19:55:51 +0000

Source: nagios2
Source-Version: 2.6-2+etch4

We believe that the bug you reported is fixed in the latest version of
nagios2, which is due to be installed in the Debian FTP archive:

nagios2-common_2.6-2+etch4_all.deb
  to main/n/nagios2/nagios2-common_2.6-2+etch4_all.deb
nagios2-dbg_2.6-2+etch4_i386.deb
  to main/n/nagios2/nagios2-dbg_2.6-2+etch4_i386.deb
nagios2-doc_2.6-2+etch4_all.deb
  to main/n/nagios2/nagios2-doc_2.6-2+etch4_all.deb
nagios2_2.6-2+etch4.diff.gz
  to main/n/nagios2/nagios2_2.6-2+etch4.diff.gz
nagios2_2.6-2+etch4.dsc
  to main/n/nagios2/nagios2_2.6-2+etch4.dsc
nagios2_2.6-2+etch4_i386.deb
  to main/n/nagios2/nagios2_2.6-2+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated nagios2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 04 Sep 2009 19:40:00 +0200
Source: nagios2
Binary: nagios2-doc nagios2-common nagios2-dbg nagios2
Architecture: source i386 all
Version: 2.6-2+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 nagios2    - A host/service/network monitoring and management system
 nagios2-common - support files for nagios2
 nagios2-dbg - debugging symbols for nagios2
 nagios2-doc - documentation for nagios2
Closes: 448371 482445
Changes: 
 nagios2 (2.6-2+etch4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed multiple cross-site scripting (XSS) vulnerabilities in CGIs programs
     (Closes: #448371, #482445)
     Fixed: CVE-2007-5624, CVE-2007-5803, CVE-2008-1360
Files: 
 a4bd33d2bd5c812b5c9899fc41651e37 948 net optional nagios2_2.6-2+etch4.dsc
 5aee898df4f6ea4a0fa4a1fb22390a0b 35589 net optional nagios2_2.6-2+etch4.diff.gz
 720d00ef27782b51c0b7e675c2f82309 1016950 net optional nagios2_2.6-2+etch4_i386.deb
 778bd65bfb6cfb1f3f0efcb872a32360 1587836 net extra nagios2-dbg_2.6-2+etch4_i386.deb
 f70cd9aa86a0eb1b64a914b40da984cd 59416 net optional nagios2-common_2.6-2+etch4_all.deb
 8b2d0a07cd650edc3e6d33f74b480cb2 1149816 doc optional nagios2-doc_2.6-2+etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkqm9UcACgkQ62zWxYk/rQcVVACeIPbELaA7Uly8w24uozPsjhe2
Br4An3fhHb4l+1QgB5t9Nxhjjuz0/N3B
=mnAI
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.