Debian Bug report logs - #368193
nagios: CVE-2006-2489: remote DoS and possible code execution

Package: nagios; Maintainer for nagios is (unknown);

Reported by: Alec Berryman <alec@thened.net>

Date: Sat, 20 May 2006 12:33:31 UTC

Severity: grave

Tags: security

Done: Alec Berryman <alec@thened.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#368193; Package nagios.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios: CVE-2006-2489: remote DoS and possible code execution
Date: Sat, 20 May 2006 13:21:11 +0100
Package: nagios
Severity: grave
Tags: security

CVE-2006-2489: "Integer overflow in CGI scripts in Nagios 1.x before
1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a content length
(Content-Length) HTTP header. NOTE: this is a different vulnerability
than CVE-2006-2162."

I understand that Sean is credited with the discovery and fix; I'm
filing this bug to keep track of the issue.  I believe this affects the
Nagios package in sarge as well.




Bug 368193 cloned as bug 368199. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.

Reply sent to Alec Berryman <alec@thened.net>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #12 received at 368193-done@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: 368193-done@bugs.debian.org, 368199-done@bugs.debian.org
Subject: Re: nagios cve-2006-2489 / cve-2006-2162
Date: Sat, 20 May 2006 14:22:13 +0100
Stefan Fritsch on 2006-05-20 15:03:30 +0200:

> Hi Alec,
> 
> On Saturday 20 May 2006 14:08, Alec Berryman wrote:
> > * Critical Nagios remote vulnerability; Secunia says that Debian's
> > maintainer found it, but I'm going to file bugs to keep track of
> > things.
> 
> this is fixed in the same versions as CVE-2006-2162. The discussion is 
> in bugreports #366682 and #366683. I just committed to CVE/list.

Thanks for the catch - I missed that discussion - closing the new bugs.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 23:36:46 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:56:29 2014; Machine Name: buxtehude.debian.org