Debian Bug report logs - #485439
nagios3: XSS vulnerabilities in CGI scripts (CVE-2007-5803)

Package: nagios3; Maintainer for nagios3 is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Source for nagios3 is src:nagios3.

Reported by: Thierry Carrez <thierry.carrez@ubuntu.com>

Date: Mon, 9 Jun 2008 14:33:02 UTC

Severity: grave

Tags: security

Found in version nagios3/3.0.1-1

Fixed in version nagios3/3.0.2-1

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#485439; Package nagios3.

Acknowledgement sent to Thierry Carrez <thierry.carrez@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Thierry Carrez <thierry.carrez@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios3: XSS vulnerabilities in CGI scripts (CVE-2007-5803)
Date: Mon, 09 Jun 2008 16:29:26 +0200
Package: nagios3
Version: 3.0.1-1
Severity: grave
Tags: security
Justification: user security hole

Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in
Nagios might allow remote attackers to inject arbitrary web script or
HTML via unspecified vectors.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5803

Nagios 3.0.2 was released to address this issue in the 3.x line.
http://www.nagios.org/development/history/nagios-3x.php

-- System Information:
Debian Release: lenny/sid
  APT prefers hardy-updates
  APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500, 'hardy-proposed'), (500, 'hardy')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-18-generic (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
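
The report above names only the vulnerability class (cross-site scripting in the Nagios CGI programs, vectors unspecified by the CVE text) and the release that fixes it. What follows is an added example, not Nagios code and not the upstream fix: since the Nagios CGIs are C programs, it shows in C the bug class a CGI XSS usually is, a query-string parameter echoed into HTML without escaping, beside the hardened form that escapes it at the point where the value enters the markup. The parameter name `host`, the sample QUERY_STRING and the page fragment are constructed for illustration.

```c
/* Added example, not Nagios source. Parameter name, query string and
 * page layout are constructed for the demo. */
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' from a query-string value. Returns the decoded
 * length; the result is NUL-terminated whenever outlen > 0. */
size_t url_decode(const char *in, char *out, size_t outlen)
{
    size_t w = 0;
    while (*in && w + 1 < outlen) {
        if (*in == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            out[w++] = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 3;
        } else if (*in == '+') {
            out[w++] = ' ';
            in++;
        } else {
            out[w++] = *in++;
        }
    }
    if (outlen) out[w] = '\0';
    return w;
}

/* Look up name=value in a CGI QUERY_STRING and URL-decode the value.
 * Returns 1 if the parameter was present, 0 otherwise. */
int get_query_param(const char *qs, const char *name, char *out, size_t outlen)
{
    size_t nl = strlen(name);
    const char *p = qs;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > nl && strncmp(p, name, nl) == 0 && p[nl] == '=') {
            char raw[512];
            size_t vl = seglen - nl - 1;
            if (vl >= sizeof raw) vl = sizeof raw - 1;
            memcpy(raw, p + nl + 1, vl);
            raw[vl] = '\0';
            url_decode(raw, out, outlen);
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Replace the five HTML-significant characters with entities. Behaves like
 * snprintf: returns the length the escaped string needs (excluding NUL) and
 * writes as much as fits; out may be NULL when outlen is 0. */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t need = 0, w = 0;
    for (; *in; in++) {
        char lit[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = lit;      break;
        }
        size_t rl = strlen(rep);
        if (outlen && w + rl < outlen) {
            memcpy(out + w, rep, rl);
            w += rl;
        }
        need += rl;
    }
    if (outlen) out[w] = '\0';
    return need;
}

/* Vulnerable form: the attacker-controlled value lands in the markup as-is. */
void render_unsafe(const char *host, char *out, size_t outlen)
{
    snprintf(out, outlen, "<h2>Host: %s</h2>", host);
}

/* Hardened form: escape where the value enters HTML text. */
void render_safe(const char *host, char *out, size_t outlen)
{
    char esc[1024];
    html_escape(host, esc, sizeof esc);
    snprintf(out, outlen, "<h2>Host: %s</h2>", esc);
}

int main(void)
{
    /* Constructed query string; a real CGI would read getenv("QUERY_STRING"). */
    const char *qs = "type=detail&host=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
    char host[256], page[1024];
    if (!get_query_param(qs, "host", host, sizeof host)) return 1;
    render_unsafe(host, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_safe(host, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

`html_escape` is only correct for values placed in HTML text or quoted attributes; a value that ends up inside a URL, a `<script>` block or an inline event handler needs the encoding for that context instead. Escaping at output, as here, is the check to look for when reviewing a CGI for this bug class, because an input filter on one parameter says nothing about the others.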
Tags added: pending Request was from Jan Wagner <waja-guest@alioth.debian.org> to control@bugs.debian.org. (Mon, 09 Jun 2008 19:09:10 GMT)

Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility.

Notification sent to Thierry Carrez <thierry.carrez@ubuntu.com>:
Bug acknowledged by developer.

Message #12 received at 485439-close@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: 485439-close@bugs.debian.org
Subject: Bug#485439: fixed in nagios3 3.0.2-1
Date: Wed, 11 Jun 2008 06:32:04 +0000
Source: nagios3
Source-Version: 3.0.2-1

We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive:

nagios3-common_3.0.2-1_all.deb
  to pool/main/n/nagios3/nagios3-common_3.0.2-1_all.deb
nagios3-dbg_3.0.2-1_amd64.deb
  to pool/main/n/nagios3/nagios3-dbg_3.0.2-1_amd64.deb
nagios3-doc_3.0.2-1_all.deb
  to pool/main/n/nagios3/nagios3-doc_3.0.2-1_all.deb
nagios3_3.0.2-1.diff.gz
  to pool/main/n/nagios3/nagios3_3.0.2-1.diff.gz
nagios3_3.0.2-1.dsc
  to pool/main/n/nagios3/nagios3_3.0.2-1.dsc
nagios3_3.0.2-1_amd64.deb
  to pool/main/n/nagios3/nagios3_3.0.2-1_amd64.deb
nagios3_3.0.2.orig.tar.gz
  to pool/main/n/nagios3/nagios3_3.0.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 485439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Jun 2008 21:26:00 +0200
Source: nagios3
Binary: nagios3-common nagios3 nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.0.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 nagios3    - A host/service/network monitoring and management system
 nagios3-common - support files for nagios3
 nagios3-dbg - debugging symbols for nagios3
 nagios3-doc - documentation for nagios3
Closes: 478412 478877 479061 479324 479329 479334 481334 482178 485439
Changes: 
 nagios3 (3.0.2-1) unstable; urgency=low
 .
   [ Alexander Wirt ]
   * Remove bashism from rules file (Closes: #479324, #478412)
   * Set p1.pl DEBUG_LOG_PATH to /var/log/nagios3/ (Closes: #478877)
   * Start nagios3 in nagios3.postinst (Closes: #481334)
   * Add a patch from Stephane Chazelas which fixes the inclusion of spurious $
     signs into command output (Closes: #479061)
 .
   [ Jan Wagner ]
   * New upstream release (Closes: #485439)
     * Fix XSS vulnerability (CVE-2007-5803).
   * updated cfg-cgi.cfg.diff, cfg-commands.cfg.diff and cfg-nagios.cfg.diff
     for new upstream release and remove version from config files
     (Closes: #482178)
   * Updating standards version to 3.8.0, no changes needed
   * add myself to Uploaders
   * add doc-base support (Closes: #479334)
   * replace dependency of mailx with bsd-mailx
   * added Vcs- fields into source header's field
   * take care if killproc isn't able to stop daemon via stop target of
     initscript, thanks Stephen Gran <sgran@debian.org> for providing this fix
     (Closes: #479329)
Checksums-Sha1: 
 66ab258218f77403b0c122fc0fd4fd0d0cd802d5 1533 nagios3_3.0.2-1.dsc
 2e324f5e867454baf6cca2e719037ae0da9c2715 2759331 nagios3_3.0.2.orig.tar.gz
 d00ebcea4f14c9bc2a0ec6279ab7ce4bd22145fe 31472 nagios3_3.0.2-1.diff.gz
 910995a32378374873ff16064955ddcd6150f2af 1528546 nagios3_3.0.2-1_amd64.deb
 35fe1e977acafbbb483cdd0f3ecbfc2b7273a86e 2512396 nagios3-dbg_3.0.2-1_amd64.deb
 20a903699f91c217dd3b98447fc3628be63f5cdf 74326 nagios3-common_3.0.2-1_all.deb
 b2213ca9d89d6ac8cd0e0fed73af42a2d46db3e7 2096948 nagios3-doc_3.0.2-1_all.deb
Checksums-Sha256: 
 c7f5a9fd3a5994b4549b458d7503b920c924909e915f46060839cb46f9446c7e 1533 nagios3_3.0.2-1.dsc
 2d7eae6e8ba20a40f1fc3f57a2dd40e2f2a56e4244db453665120d5979b7d98a 2759331 nagios3_3.0.2.orig.tar.gz
 b268f9cc98cd5b0a19c75c98f756497ded709cbfccd11216ca41547438bc58f4 31472 nagios3_3.0.2-1.diff.gz
 a644f958e2045419a0f3c6142c53e9bc84927228d35bd6b3dc2d9ce1d6f43989 1528546 nagios3_3.0.2-1_amd64.deb
 1fd38530b3d80aee83cf4aeab312118eea6f0ca4fff979c88430318011e248cf 2512396 nagios3-dbg_3.0.2-1_amd64.deb
 b096a974bbfcb78a6cbaabe53b4e63326d8fb84d585886b8b24e04ce98b6d66b 74326 nagios3-common_3.0.2-1_all.deb
 5a78d249593fa071101f42a0529aa272ada0f05f88cc9e58262f67b8eb157f1d 2096948 nagios3-doc_3.0.2-1_all.deb
Files: 
 f4464028c0dc1dacb243806cefc557b5 1533 net optional nagios3_3.0.2-1.dsc
 008d71aac08660bc007f7130ea82ab80 2759331 net optional nagios3_3.0.2.orig.tar.gz
 106bb466c2ddbc32d745fa86054f1dfd 31472 net optional nagios3_3.0.2-1.diff.gz
 8ee8b66d84b13ea89d2d2ec4f37ac16d 1528546 net optional nagios3_3.0.2-1_amd64.deb
 a38fc28a109bb1f5b2fed8a7bc89cffe 2512396 net extra nagios3-dbg_3.0.2-1_amd64.deb
 5b7c5ceed1a30ab893b3bfba3c03b199 74326 net optional nagios3-common_3.0.2-1_all.deb
 306aa8af8e9da2cdff02cb98d3e97fc5 2096948 doc optional nagios3-doc_3.0.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhPcFoACgkQ01u8mbx9AgrQqACguuSzhFRzc3/3IMygwuxJe62Z
720AoKc7RA8V7u+hF2bdxoKgTDIm3IYS
=mHoE
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jul 2008 07:29:42 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:28:05 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.