Debian Bug report logs - #366683
CVE-2006-2162: Buffer overflow in nagios


Package: nagios2; Maintainer for nagios2 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 10 May 2006 11:33:20 UTC

Severity: important

Tags: security

Found in version nagios2/2.2-1

Fixed in version nagios2/2.3-1

Done: sean finney <seanius@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#366683; Package nagios2. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-2162: Buffer overflow in nagios
Date: Wed, 10 May 2006 13:23:59 +0200 (CEST)
Package: nagios2
Severity: grave
Justification: user security hole
Tags: security

CVE-2006-2162:
Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before
2.3 allows remote attackers to execute arbitrary code via a negative
content length (Content-Length) HTTP header.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#366683; Package nagios2. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 366683@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: nagios-devel <nagios-devel@lists.sourceforge.net>
Cc: nagios@nagios.org, 366683@bugs.debian.org
Subject: [sf@sfritsch.de: [Pkg-nagios-devel] Bug#366683: CVE-2006-2162: Buffer overflow in nagios]
Date: Wed, 10 May 2006 11:28:11 -0400
hi ethan,

any care to comment on this?  i'm really swamped right now and just
spent all of last weekend fixing 4 CVE's for mysql, so i would really
appreciate it if you (or someone else on the list) could forward
me the relevant patch from the 1.x branch if/when it exists so we
can prepare an update for the debian sarge and woody packages.

	sean

----- Forwarded message from Stefan Fritsch <sf@sfritsch.de> -----

Date: Wed, 10 May 2006 13:23:59 +0200 (CEST)
From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: [Pkg-nagios-devel] Bug#366683: CVE-2006-2162: Buffer overflow in
	nagios

Package: nagios2
Severity: grave
Justification: user security hole
Tags: security

CVE-2006-2162:
Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before
2.3 allows remote attackers to execute arbitrary code via a negative
content length (Content-Length) HTTP header.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162





----- End forwarded message -----


Bug marked as found in version 2.2-1. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.


Message #17 received at 366683@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: team@security.debian.org, pkg-nagios-devel@lists.alioth.debian.org
Cc: 366682@bugs.debian.org, 366683@bugs.debian.org, 366682-submitter@bugs.debian.org
Subject: CVE-2006-2162: Buffer overflow in nagios
Date: Thu, 11 May 2006 04:35:26 -0400
hey security team and nagios team,

as reported to us in the bts, the debian nagios packages are vulnerable
to arbitrary code execution via not properly checking the Content-Length
header from client requests.

here are the affected versions afaict:

stable:	

nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
nagios-text 2:1.3-cvs.20050402-2.sarge.1
nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1

unstable:

nagios-mysql 2:1.3-cvs.20050402-13
nagios-text 2:1.3-cvs.20050402-13
nagios-pgsql 2:1.3-cvs.20050402-13
nagios2 2.2-1

in unstable both the 1.x and 2.x trees have had updates from upstream.
i've just finished putting the changes into svn, but i haven't prepared
an upload yet because i haven't been able to find/craft an exploit
just yet, and i'm in one of those "low on time" modes where it's
possible i may have messed something up.

so, i could use help with the following two things:

- crafting a simple "user-agent" that can illustrate the vulnerability
  by sending a negative or 0 value for content length to a nagios cgi
  (it doesn't have to actually inject any shell code or anything, just
  PoC would be fine by me).
- verifying that the latest branches in svn are fixed.

if anyone could assist me with either of these, it'd be much
appreciated. 


	sean



Message #22 received at 366683@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: team@security.debian.org, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Thu, 11 May 2006 17:46:16 +0200
sean finney wrote:
> hey security team and nagios team,
> 
> as reported to us in the bts, the debian nagios packages are vulnerable
> to arbitrary code execution via not properly checking the Content-Length
> header from client requests.
> 
> here are the affected versions afaict:
> 
> stable:	
> 
> nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
> nagios-text 2:1.3-cvs.20050402-2.sarge.1
> nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1
> 
> unstable:
> 
> nagios-mysql 2:1.3-cvs.20050402-13
> nagios-text 2:1.3-cvs.20050402-13
> nagios-pgsql 2:1.3-cvs.20050402-13
> nagios2 2.2-1
> 
> in unstable both the 1.x and 2.x trees have had updates from upstream.
> i've just finished putting the changes into svn, but i haven't prepared
> an upload yet because i haven't been able to find/craft an exploit
> just yet, and i'm in one of those "low on time" modes where it's
> possible i may have messed something up.
> 
> so, i could use help with the following two things:
> 
> - crafting a simple "user-agent" that can illustrate the vulnerability
>   by sending a negative or 0 value for content length to a nagios cgi
>   (it doesn't have to actually inject any shell code or anything, just
>   PoC would be fine by me).

Why user-agent?  "All" you need to do is add some variables, so that
the Content-Length is either exactly INT_MAX or even larger, both
cause an integer overrun, which causes a negative malloc() which causes
a situation in which the attacker may control some memory they shouldn't.

I'm attaching a patch that ought to fix the problem.

Please note that upstream doesn't check for content length == INT_MAX
but blindly adds 1.

Regards,

	Joey

-- 
Still can't talk about what I can't talk about.  Sorry.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
[patch.CVE-2006-2162.nagios (text/plain, attachment)]


Message #27 received at 366683@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Thu, 11 May 2006 13:46:27 -0400
hey joey,

On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > - crafting a simple "user-agent" that can illustrate the vulnerability
> >   by sending a negative or 0 value for content length to a nagios cgi
> >   (it doesn't have to actually inject any shell code or anything, just
> >   PoC would be fine by me).
> 
> Why user-agent?  "All" you need to do is add some variables, so that

as a general rule i feel much more comfortable having some kind of PoC
code available that will tell me that my patch works.  granted, in this
case it's a rather straightforward patch, but still...

> the Content-Length is either exactly INT_MAX or even larger, both
> cause an integer overrun, which causes a negative malloc() which causes
> a situation in which the attacker may control some memory they shouldn't.

ah yes.. good point about INT_MAX.  i'll forward this upstream as well,
since i don't think ethan considered this.


	sean



Message #32 received at 366683@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: sean finney <seanius@debian.org>
Cc: team@security.debian.org, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#366682: CVE-2006-2162: Buffer overflow in nagios
Date: Thu, 11 May 2006 23:46:21 +0200
severity 366682 important
severity 366683 important
thanks

Hi,

the Ubuntu guys already found out that Apache 2 doesn't accept 
requests with negative content length and I just checked that Apache 
1.3 doesn't either. I guess this makes this a quite low impact 
vulnerability.

> as reported to us in the bts, the debian nagios packages are
> vulnerable to arbitrary code execution via not properly checking
> the Content-Length header from client requests.
> in unstable both the 1.x and 2.x trees have had updates from
> upstream. i've just finished putting the changes into svn, but i
> haven't prepared an upload yet because i haven't been able to
> find/craft an exploit just yet, and i'm in one of those "low on
> time" modes where it's possible i may have messed something up.
>
> so, i could use help with the following two things:

> - crafting a simple "user-agent" that can illustrate the
> vulnerability by sending a negative or 0 value for content length
> to a nagios cgi (it doesn't have to actually inject any shell code
> or anything, just PoC would be fine by me).

I think it works like this:

$ export REQUEST_METHOD=POST
$ export CONTENT_LENGTH=-2
$ /usr/lib/cgi-bin/nagios2/status.cgi
getcgivars(): Could not allocate memory for CGI input.

This is fixed by the following part of the 2.2 to 2.3 diff:

diff -burN nagios-2.2/cgi/getcgi.c nagios-2.3/cgi/getcgi.c
--- nagios-2.2/cgi/getcgi.c     2004-11-06 06:44:12.000000000 +0100
+++ nagios-2.3/cgi/getcgi.c     2006-04-12 21:17:23.000000000 +0200
@@ -169,6 +169,8 @@
                        printf("getcgivars(): No Content-Length was 
sent with the POST request.\n") ;
                        exit(1);
                        }
+               if(content_length<0)
+                       content_length=0;
                if(!(cgiinput=(char *)malloc(content_length+1))){
                        printf("getcgivars(): Could not allocate 
memory for CGI input.\n");
                        exit(1);
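
Review bot: clamping a negative content_length to 0 in the two added lines leaves the following malloc(content_length+1) unguarded at the upper bound: if content_length is an int, as the thread assumes, a value of INT_MAX makes the +1 overflow before malloc() sees it. A negative length also means the request is malformed, so it would be more consistent with the neighbouring branches to print an error and exit(1) than to carry on with a zero-length body. Suggest a single check that rejects content_length<0 and content_length>=INT_MAX (or anything above a fixed sane limit) before the allocation.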


This prevents negative parameters from being passed to malloc. I don't know 
what malloc does with a negative size parameter. Maybe this can 
corrupt something?

Hope this helps.

Cheers,
Stefan




Severity set to `important'. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.


Message #39 received at 366683@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>, Stefan Fritsch <sf@sfritsch.de>
Cc: team@security.debian.org, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org, control@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Thu, 11 May 2006 19:17:23 -0400
On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> severity 366682 important
> severity 366683 important
> thanks
> 
> Hi,
> 
> the Ubuntu guys already found out that Apache 2 doesn't accept 
> requests with negative content length and I just checked that Apache 
> 1.3 doesn't either. I guess this makes this a quite low impact 
> vulnerability.

what if:

On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> Please note that upstream doesn't check for content length == INT_MAX

i don't have a nagios install online right now (can tomorrow  morning)
so i can't run the PoC mentioned in the BTS (thanks stefan), i'd
be interested to see how it handles 2147483647 (or your arch's
equivalent of INT_MAX).  if the code actually increments the size
by one AFTER receiving the data...  then we should probably readjust
the severities.

and by the way, i'm a bit annoyed that ubuntu managed to send off a
USN on this 4 days ago, and not even bother to think "hey, maybe
we should mention this to the debian guys". 


	sean


Message #44 received at 366683@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: Debian Security Team <team@security.debian.org>, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Fri, 12 May 2006 06:24:21 +0200
Hi Sean!

Sean Finney wrote:
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > > - crafting a simple "user-agent" that can illustrate the vulnerability
> > >   by sending a negative or 0 value for content length to a nagios cgi
> > >   (it doesn't have to actually inject any shell code or anything, just
> > >   PoC would be fine by me).
> > 
> > Why user-agent?  "All" you need to do is add some variables, so that
> 
> as a general rule i feel much more comfortable having some kind of PoC
> code available that will tell me that my patch works.  granted, in this
> case it's a rather straightforward patch, but still...
> 
> > the Content-Length is either exactly INT_MAX or even larger, both
> > > cause an integer overrun, which causes a negative malloc() which causes
> > a situation in which the attacker may control some memory they shouldn't.
> 
> ah yes.. good point about INT_MAX.  i'll forward this upstream as well,
> since i don't think ethan considered this.

Thanks.

Please let me know the version in sid that will have this problem
fixed once you know it.

Regards,

	Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.




Message #49 received at 366683@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: sean finney <seanius@debian.org>
Cc: Martin Schulze <joey@infodrom.org>, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Fri, 12 May 2006 10:43:25 +0200
Hi,

On Friday 12 May 2006 01:17, sean finney wrote:
> On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> > the Ubuntu guys already found out that Apache 2 doesn't accept
> > requests with negative content length and I just checked that
> > Apache 1.3 doesn't either. I guess this makes this a quite low
> > impact vulnerability.
>
> what if:
>
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > Please note that upstream doesn't check for content length ==
> > INT_MAX
>
> i don't have a nagios install online right now (can tomorrow 
> morning) so i can't run the PoC mentioned in the BTS (thanks
> stefan), i'd be interested to see how it handles 2147483647 (or
> your arch's equivalent of INT_MAX).  if the code actually
> increments the size by one AFTER receiving the data...  then we
> should probably readjust the severities.

Yes, you are right:
Apache doesn't allow Content-Length larger than INT_MAX, but INT_MAX
is already a problem:

$ telnet localhost 8081
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /cgi-bin/nagios2/status.cgi HTTP/1.0
Content-Length: 2147483647

Then top shows that there is a crashed status.cgi process:
 7698 www-data  15   0     0    0    0 Z  0.0  0.0   0:00.00 
status.cgi <defunct>

With Content-Length: 2147483648, Apache gives back "400 Bad Request" 
and doesn't call status.cgi.

I still don't know whether this is exploitable, but the patch 
suggested by Martin is obviously safer than the one implemented by 
upstream.

Cheers,
Stefan
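
Added example, not part of the thread and not the upstream or Debian patch (Martin's attachment is not reproduced on this page): a strict CONTENT_LENGTH check that rejects the three values tested above (-2, 2147483647, 2147483648), next to a model of the 2.2 to 2.3 clamp showing which case it leaves open. The names parse_content_length, clamp_then_add_overflows and MAX_CGI_INPUT are hypothetical, and the 1 MiB cap is an assumption.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on a CGI POST body for this example (1 MiB);
 * not a value taken from Nagios or from the Debian patch. */
#define MAX_CGI_INPUT (1L << 20)

enum cl_status { CL_OK, CL_MISSING, CL_MALFORMED, CL_NEGATIVE, CL_TOO_LARGE };

/* Models the quoted 2.2 -> 2.3 hunk: negative values are clamped to 0 and
 * the caller then computes content_length+1. Returns 1 when that +1 would
 * still overflow an int, without performing the overflowing addition. */
int clamp_then_add_overflows(int content_length)
{
    if (content_length < 0)
        content_length = 0;
    return content_length > INT_MAX - 1;
}

/* Strictly parse the CONTENT_LENGTH text. On CL_OK, *alloc_size is the body
 * length plus one byte for the terminating NUL, computed in size_t after the
 * range check so the addition cannot wrap. */
enum cl_status parse_content_length(const char *text, size_t *alloc_size)
{
    char *end = NULL;
    long value;

    if (text == NULL || *text == '\0')
        return CL_MISSING;
    /* strtol() would skip leading whitespace and accept '+'; refuse both. */
    if (*text != '-' && !isdigit((unsigned char)*text))
        return CL_MALFORMED;

    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0')
        return CL_MALFORMED;
    if (errno == ERANGE)
        return value < 0 ? CL_NEGATIVE : CL_TOO_LARGE;
    if (value < 0)
        return CL_NEGATIVE;
    if (value > MAX_CGI_INPUT)          /* also rejects INT_MAX */
        return CL_TOO_LARGE;

    *alloc_size = (size_t)value + 1;
    return CL_OK;
}

int main(void)
{
    static const char *names[] = {
        "ok", "missing", "malformed", "negative", "too large"
    };
    /* Constructed inputs; the middle three are the values from the thread. */
    static const char *samples[] = {
        "512", "0", "-2", "2147483647", "2147483648", "12abc"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        enum cl_status st = parse_content_length(samples[i], &n);

        if (st == CL_OK)
            printf("%-12s ok, allocate %lu bytes\n", samples[i],
                   (unsigned long)n);
        else
            printf("%-12s rejected: %s\n", samples[i], names[st]);
    }

    printf("clamp only, -2:      +1 overflows? %d\n",
           clamp_then_add_overflows(-2));
    printf("clamp only, INT_MAX: +1 overflows? %d\n",
           clamp_then_add_overflows(INT_MAX));
    return 0;
}
```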





Message #54 received at 366683@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Security Team <team@security.debian.org>, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Fri, 12 May 2006 11:00:53 -0400
On Fri, May 12, 2006 at 06:24:21AM +0200, Martin Schulze wrote:
> Please let me know the version in sid that will have this problem
> fixed once you know it.

for nagios 1.x: 1.4-1 (or 2:1.4-1, since there's an epoch i guess)
for nagios 2.x: 2.3-1

both are recently uploaded.

i've made a diff.gz of the sarge version available at:

	http://people.debian.org/~seanius/nagios/nagios_1.3-cvs.20050402-2.sarge.2.diff.gz

though there's no difference wrt your patch other than cosmetics and
different dpatch names.  also, there is a

	http://people.debian.org/~seanius/nagios/CVE-2006-2162.sh

which is a quick PoC i threw together to test the cgi's from the
cmdline.


	sean

Reply sent to sean finney <seanius@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #59 received at 366683-close@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: 366683-close@bugs.debian.org
Subject: Bug#366683: fixed in nagios2 2.3-1
Date: Fri, 12 May 2006 08:02:10 -0700
Source: nagios2
Source-Version: 2.3-1

We believe that the bug you reported is fixed in the latest version of
nagios2, which is due to be installed in the Debian FTP archive:

nagios2-common_2.3-1_all.deb
  to pool/main/n/nagios2/nagios2-common_2.3-1_all.deb
nagios2-doc_2.3-1_all.deb
  to pool/main/n/nagios2/nagios2-doc_2.3-1_all.deb
nagios2_2.3-1.diff.gz
  to pool/main/n/nagios2/nagios2_2.3-1.diff.gz
nagios2_2.3-1.dsc
  to pool/main/n/nagios2/nagios2_2.3-1.dsc
nagios2_2.3-1_amd64.deb
  to pool/main/n/nagios2/nagios2_2.3-1_amd64.deb
nagios2_2.3.orig.tar.gz
  to pool/main/n/nagios2/nagios2_2.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 366683@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
sean finney <seanius@debian.org> (supplier of updated nagios2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 12 May 2006 15:32:01 +0200
Source: nagios2
Binary: nagios2-doc nagios2-common nagios2
Architecture: source all amd64
Version: 2.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: sean finney <seanius@debian.org>
Description: 
 nagios2    - A host/service/network monitoring and management system
 nagios2-common - support files for nagios2
 nagios2-doc - documentation for nagios2
Closes: 360778 360998 361239 361956 363152 366683
Changes: 
 nagios2 (2.3-1) unstable; urgency=high
 .
   * new upstream version
   * Fix nagios2 restart in init script.
     Thanks to Jim Jensen. (mh) Closes: #360778
   * Fix /usr/share/doc/nagios2/html symlink.
     Thanks to Matt Zagrabelny. (mh) Closes: #360998
   * Create pid file directory dynamically in init script.
     Thanks to Herbert Straub. (mh) Closes: #361239
   * Honor locally set file/dir permissions in postinst, fixing policy
     10.9.1 compliance. Thanks to Heiko Schlittermann. (mh) Closes: #361956
 .
   [sean finney]
   * This upstream version addresses a security issue raised in CVE-2006-2162,
     wrt malicious use of Content-Length headers on cgi scripts.  This debian
     release includes further refinement of this fix
     (10_CVE-2006-2162_content-length.dpatch)
     as we believe it's still theoretically possible to exploit the issue
     via integer overflow. Closes: #366683.
   * change eventhandlers dir to /usr/lib/nagios2/plugins/eventhandlers,
     and make sure they're included (closes: #363152).
   * security release, so urgency bumped.
Files: 
 5cc9b9cc79bdaa5a0240fb268beb8220 879 net optional nagios2_2.3-1.dsc
 6d0a01ed778f81cc49d402884d25a933 1734837 net optional nagios2_2.3.orig.tar.gz
 d183d1ba0e53c2c28640e4291a8faae7 21435 net optional nagios2_2.3-1.diff.gz
 eac14cdd16c79fec9daafaed9741fe34 1102722 net optional nagios2_2.3-1_amd64.deb
 3cd4fa6282e616cd7d902eb1e1d5ba7e 55988 net optional nagios2-common_2.3-1_all.deb
 a376b105dc826b254f9350aad9506003 1131480 doc optional nagios2-doc_2.3-1_all.deb






Message #64 received at 366683@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Sean Finney <seanius@debian.org>
Cc: Debian Security Team <team@security.debian.org>, pkg-nagios-devel@lists.alioth.debian.org, 366682@bugs.debian.org, 366683@bugs.debian.org
Subject: Re: CVE-2006-2162: Buffer overflow in nagios
Date: Sat, 13 May 2006 07:28:20 +0200
Sean Finney wrote:
> On Fri, May 12, 2006 at 06:24:21AM +0200, Martin Schulze wrote:
> > Please let me know the version in sid that will have this problem
> > fixed once you know it.
> 
> for nagios 1.x: 1.4-1 (or 2:1.4-1, since there's an epoch i guess)
> for nagios 2.x: 2.3-1

Noted.

> both are recently uploaded.
> 
> i've made a diff.gz of the sarge version available at:
> 
> 	http://people.debian.org/~seanius/nagios/nagios_1.3-cvs.20050402-2.sarge.2.diff.gz

The other version is already built, though.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:16:00 GMT) Full text and rfc822 format available.
