It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters. For the oldstable distribution (etch), this problem has been fixed in version 2.6-2+etch3 of nagios2. For the stable distribution (lenny), this problem has been fixed in version 3.0.6-4~lenny2 of nagios3. For the testing distribution (squeeze), this problem has been fixed in version 3.0.6-5 of nagios3. For the unstable distribution (sid), this problem has been fixed in version 3.0.6-5 of nagios3. We recommend that you upgrade your nagios2/nagios3 packages.
It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters.
For the oldstable distribution (etch), this problem has been fixed in version 2.6-2+etch4 of nagios2.
For the stable distribution (lenny), this problem has been fixed in version 3.0.6-4~lenny2 of nagios3.
For the testing distribution (squeeze), this problem has been fixed in version 3.0.6-5 of nagios3.
For the unstable distribution (sid), this problem has been fixed in version 3.0.6-5 of nagios3.
We recommend that you upgrade your nagios2/nagios3 packages.
MD5 checksums of the listed files are available in the original advisory.