Debian Bug report logs - #448371
CVE-2007-5624 XSS vulnerability

Package: nagios2; Maintainer for nagios2 is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 28 Oct 2007 15:12:01 UTC

Severity: important

Tags: patch, security

Fixed in versions nagios2/2.9-1.1, nagios2/2.10-1

Done: Marc Haber <mh+debian-packages@zugschlus.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#448371; Package nagios2. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5624 XSS vulnerability
Date: Sun, 28 Oct 2007 16:09:08 +0100
[Message part 1 (text/plain, inline)]
Package: nagios2
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nagios2.

CVE-2007-5624[0]:
| Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10
| allows remote attackers to inject arbitrary web script or HTML via
| unknown vectors to unspecified CGI scripts.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5624

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
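The advisory above states only that the Nagios 2.x CGIs reflect attacker-controlled input into their HTML output without neutralising it. As an added illustration of the defensive pattern such a fix applies (this is not Nagios's own code and not the NMU patch, which is only attached to the next message; `html_escape`, `is_html_inert` and `render_host_heading` are hypothetical names chosen here), the following C routine encodes the HTML metacharacters in a CGI parameter before the value is written into the page:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that carry meaning in HTML so that an untrusted
 * value (for example a CGI query-string parameter) can be echoed into a
 * page as inert text. Returns a newly malloc'd string; the caller frees
 * it. Hypothetical helper, not Nagios code. */
char *html_escape(const char *in) {
    size_t out_len = 0;
    const char *p;

    /* First pass: compute the escaped length. */
    for (p = in; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break;  /* &amp;  */
        case '<':  out_len += 4; break;  /* &lt;   */
        case '>':  out_len += 4; break;  /* &gt;   */
        case '"':  out_len += 6; break;  /* &quot; */
        case '\'': out_len += 5; break;  /* &#39;  */
        default:   out_len += 1; break;
        }
    }

    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: copy, substituting entities for metacharacters. */
    char *q = out;
    for (p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Cheap self-check used before emitting a value: returns 1 when the text
 * contains none of the raw characters that could open a tag or break out
 * of a quoted attribute value ('<', '>', '"', '\''), 0 otherwise. */
int is_html_inert(const char *s) {
    for (; *s; s++) {
        if (*s == '<' || *s == '>' || *s == '"' || *s == '\'')
            return 0;
    }
    return 1;
}

/* Hypothetical CGI handler fragment: writes the "host" parameter taken
 * from the request into an HTML heading, escaping it first. Returns 0 on
 * success and -1 if the escaped copy could not be allocated. */
int render_host_heading(FILE *out, const char *untrusted_host) {
    char *safe = html_escape(untrusted_host);
    if (safe == NULL)
        return -1;
    fprintf(out, "<h2>Host: %s</h2>\n", safe);
    free(safe);
    return 0;
}

int main(void) {
    /* Constructed sample input, not taken from the advisory. */
    const char *sample = "<b>srv01</b> & \"quoted\"";
    return render_host_heading(stdout, sample) == 0 ? 0 : 1;
}
```

The two-pass layout keeps the buffer size exact, which matters in CGI code that is often written without a growable string type; the same helper must be applied at every point where a request value reaches the response, since a single unescaped sink is enough for the reflection the CVE describes.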

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#448371; Package nagios2. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 448371@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 448371@bugs.debian.org
Subject: nmu patch
Date: Tue, 30 Oct 2007 02:56:55 +1100
[Message part 1 (text/plain, inline)]
tags 448371 patch
thanks

Hi

Attached you'll find the NMU proposal to fix the cross-site scripting.
Patch is taken from upstream cvs. Please feel free to check and tell me about
possible concerns. Otherwise, I will probably look over it again tomorrow
and maybe upload.

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Mon, 29 Oct 2007 15:51:03 GMT) Full text and rfc822 format available.

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 448371-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 448371-close@bugs.debian.org
Subject: Bug#448371: fixed in nagios2 2.9-1.1
Date: Tue, 30 Oct 2007 01:17:03 +0000
Source: nagios2
Source-Version: 2.9-1.1

We believe that the bug you reported is fixed in the latest version of
nagios2, which is due to be installed in the Debian FTP archive:

nagios2-common_2.9-1.1_all.deb
  to pool/main/n/nagios2/nagios2-common_2.9-1.1_all.deb
nagios2-dbg_2.9-1.1_i386.deb
  to pool/main/n/nagios2/nagios2-dbg_2.9-1.1_i386.deb
nagios2-doc_2.9-1.1_all.deb
  to pool/main/n/nagios2/nagios2-doc_2.9-1.1_all.deb
nagios2_2.9-1.1.diff.gz
  to pool/main/n/nagios2/nagios2_2.9-1.1.diff.gz
nagios2_2.9-1.1.dsc
  to pool/main/n/nagios2/nagios2_2.9-1.1.dsc
nagios2_2.9-1.1_i386.deb
  to pool/main/n/nagios2/nagios2_2.9-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448371@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated nagios2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 30 Oct 2007 00:56:46 +0000
Source: nagios2
Binary: nagios2-doc nagios2-common nagios2-dbg nagios2
Architecture: source i386 all
Version: 2.9-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 nagios2    - A host/service/network monitoring and management system
 nagios2-common - support files for nagios2
 nagios2-dbg - debugging symbols for nagios2
 nagios2-doc - documentation for nagios2
Closes: 448371
Changes: 
 nagios2 (2.9-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing-security team
   * Fix potential cross-site scripting in the CGIs (Closes: #448371)
     Fixes: CVE-2007-5624
Files: 
 2bdd8224715c662b495f33a2138c4404 931 net optional nagios2_2.9-1.1.dsc
 13ab767e3ee94da606dd78c9245d45bc 30350 net optional nagios2_2.9-1.1.diff.gz
 528e75c2ad074a9e8ee1395df9d28ce5 983144 net optional nagios2_2.9-1.1_i386.deb
 3dedf30c294fd5fe28ef85cabf07c7a8 1583434 net extra nagios2-dbg_2.9-1.1_i386.deb
 d5effa8ac8826fce7fd8e149e9fbe0e3 61252 net optional nagios2-common_2.9-1.1_all.deb
 a71d6e2cfae08c8f34a1f86354864bc4 1148886 doc optional nagios2-doc_2.9-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHJoW362zWxYk/rQcRAlvYAJ9Yl4tiGdR3hTtygRpjGSggGGsSBQCeOC7T
qIIdfcmCTHZAP5ST02LfQGI=
=f3sW
-----END PGP SIGNATURE-----





Tags added: pending Request was from Marc Haber <zugschlus@alioth.debian.org> to control@bugs.debian.org. (Wed, 31 Oct 2007 13:21:03 GMT) Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #24 received at 448371-close@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 448371-close@bugs.debian.org
Subject: Bug#448371: fixed in nagios2 2.10-1
Date: Wed, 31 Oct 2007 22:02:08 +0000
Source: nagios2
Source-Version: 2.10-1

We believe that the bug you reported is fixed in the latest version of
nagios2, which is due to be installed in the Debian FTP archive:

nagios2-common_2.10-1_all.deb
  to pool/main/n/nagios2/nagios2-common_2.10-1_all.deb
nagios2-dbg_2.10-1_i386.deb
  to pool/main/n/nagios2/nagios2-dbg_2.10-1_i386.deb
nagios2-doc_2.10-1_all.deb
  to pool/main/n/nagios2/nagios2-doc_2.10-1_all.deb
nagios2_2.10-1.diff.gz
  to pool/main/n/nagios2/nagios2_2.10-1.diff.gz
nagios2_2.10-1.dsc
  to pool/main/n/nagios2/nagios2_2.10-1.dsc
nagios2_2.10-1_i386.deb
  to pool/main/n/nagios2/nagios2_2.10-1_i386.deb
nagios2_2.10.orig.tar.gz
  to pool/main/n/nagios2/nagios2_2.10.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448371@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated nagios2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 31 Oct 2007 19:47:31 +0100
Source: nagios2
Binary: nagios2-doc nagios2-common nagios2-dbg nagios2
Architecture: source i386 all
Version: 2.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description: 
 nagios2    - A host/service/network monitoring and management system
 nagios2-common - support files for nagios2
 nagios2-dbg - debugging symbols for nagios2
 nagios2-doc - documentation for nagios2
Closes: 413127 413494 413519 420011 429820 430477 431953 436155 448371
Changes: 
 nagios2 (2.10-1) unstable; urgency=low
 .
   * NOT RELEASED YET
   * New upstream release
     * Fix XSS vulnerability (CVE-2007-5624). Closes: #448371
   * Adapt sample config patches
   * Fix permissions on /var/log/nagios2/archives.
     Thanks to Michael Feger. Closes: #429820
   * Fix typo in localhost_nagios2.cfg.
     Thanks to Justin Pryzby. Closes: #430477.
   * New Portuguese debconf translations from Rui Branco and the Traduz
     team. Closes: #436155.
   * Rearrange apache2.conf so that the Stylesheet alias path is
     actually used.
     Thanks to Joerg Dorchain. This may fix #420009
   * Relax dependency on web server to Recommends. Depend on
     apache2-utils since we need htpasswd.
     Thanks to Japp Eldering. Closes: #413519
   * Move stylesheets to /etc, create a symlink.
     Thanks to Joerg Dorchain and Steve Greenland. Closes: #420011
   * Fix suboptimal formatting of package descriptions.
     Thanks to Sam Morris. Closes: 413494
   * debian/control: re-order Source stanza according to dpkg 1.14.7,
     add Homepage field. We're going to leave in the Upstream URL in the
     package description for a while though.
   * Unmark package names for translation in debconf templates.
     Thanks to Kobayashi Noritada. Closes: #413127
 .
   [Jan Wagner]
   * fixed README.Debian about setting check_external_commands=1
     (closes: #431953).
Files: 
 a4179c5b935586a4cc51935a1cf3655c 963 net optional nagios2_2.10-1.dsc
 8c3a29e138f2ff8c8abbd3dd8a40c4b6 1740558 net optional nagios2_2.10.orig.tar.gz
 3cffe042dfe6a49966597035199852bf 29582 net optional nagios2_2.10-1.diff.gz
 be299a16c445cec9238bd96663912139 982600 net optional nagios2_2.10-1_i386.deb
 a81103cf996d2c604c57671c31c97b41 1583296 net extra nagios2-dbg_2.10-1_i386.deb
 2e5cbd15b77c3b620e1ae9be4b3e1b75 60406 net optional nagios2-common_2.10-1_all.deb
 8ce8b2803d8cc04d9b4d7d9952d3e83c 1133562 doc optional nagios2-doc_2.10-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHKPi/gZalRGu6PIQRAvm+AKCA686BNPRVPmsWPDf2Q136/2BAtgCeKx/A
MDc+5y7J6rsMM9K49D9DmKs=
=FQoA
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Nov 2007 07:28:00 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:57:59 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.