Debian Bug report logs - #697930
nagios3: CVE-2012-6096


Package: nagios3; Maintainer for nagios3 is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Source for nagios3 is src:nagios3.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 11 Jan 2013 13:57:04 UTC

Severity: grave

Tags: patch, security

Found in version nagios3/3.2.1-2

Fixed in versions nagios3/3.4.1-3, nagios3/3.2.1-2+squeeze1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Fri, 11 Jan 2013 13:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 11 Jan 2013 13:57:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nagios3: CVE-2012-6096
Date: Fri, 11 Jan 2013 14:50:40 +0100
Package: nagios3
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-6096:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

Fix:
http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Fri, 11 Jan 2013 16:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 11 Jan 2013 16:00:03 GMT) Full text and rfc822 format available.

Message #10 received at 697930@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: <697930@bugs.debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#697930: nagios3: CVE-2012-6096
Date: Fri, 11 Jan 2013 15:56:25 +0000
Control: found -1 3.2.1-2

On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> Package: nagios3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This was assigned CVE-2012-6096:
> 
> http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
>
> Fix:
> 
> http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547

I tested against squeeze and reproduced the problem. We use nagios at 
work so I'm happy to prepare DSA packages if required.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits



Marked as found in versions nagios3/3.2.1-2. Request was from Jonathan Wiltshire <jmw@debian.org> to 697930-submit@bugs.debian.org. (Fri, 11 Jan 2013 16:00:03 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Fri, 11 Jan 2013 22:39:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Sat, 12 Jan 2013 17:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 12 Jan 2013 17:15:03 GMT) Full text and rfc822 format available.

Message #19 received at 697930@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 697930@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: [Pkg-nagios-devel] Bug#697930: nagios3: CVE-2012-6096
Date: Sat, 12 Jan 2013 18:12:03 +0100

On Fri, 11 Jan 2013, Jonathan Wiltshire wrote:

> Control: found -1 3.2.1-2
> 
> On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> >Package: nagios3
> >Severity: grave
> >Tags: security
> >Justification: user security hole
> >
> >This was assigned CVE-2012-6096:
> >
> >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> >
> >Fix:
> >
> >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> 
> I tested against squeeze and reproduced the problem. We use nagios
> at work so I'm happy to prepare DSA packages if required.

Tests in the icinga team revealed the patch is probably incomplete. So please
don't upload with the patch currently provided unless our tests are finished.

Alex




Removed tag(s) patch. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Sat, 12 Jan 2013 17:15:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Sun, 20 Jan 2013 19:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Jan 2013 19:51:07 GMT) Full text and rfc822 format available.

Message #26 received at 697930@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: 697930@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#697930: nagios3: CVE-2012-6096
Date: Sun, 20 Jan 2013 20:49:26 +0100

On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> Control: found -1 3.2.1-2
> 
> On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> >Package: nagios3
> >Severity: grave
> >Tags: security
> >Justification: user security hole
> >
> >This was assigned CVE-2012-6096:
> >
> >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> >
> >Fix:
> >
> >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> 
> I tested against squeeze and reproduced the problem. We use nagios
> at work so I'm happy to prepare DSA packages if required.

Jonathan, can you prepare packages for stable-security now that we have
a final patch?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Sun, 20 Jan 2013 19:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 20 Jan 2013 19:57:03 GMT) Full text and rfc822 format available.

Message #31 received at 697930@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 697930@bugs.debian.org
Cc: Jonathan Wiltshire <jmw@debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#697930: nagios3: CVE-2012-6096
Date: Sun, 20 Jan 2013 20:54:28 +0100

On Sun, 20 Jan 2013, Moritz Mühlenhoff wrote:

> On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> > Control: found -1 3.2.1-2
> > 
> > On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> > >Package: nagios3
> > >Severity: grave
> > >Tags: security
> > >Justification: user security hole
> > >
> > >This was assigned CVE-2012-6096:
> > >
> > >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > >
> > >Fix:
> > >
> > >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> > 
> > I tested against squeeze and reproduced the problem. We use nagios
> > at work so I'm happy to prepare DSA packages if required.
> 
> Jonathan, can you prepare packages for stable-security now that we have
> a final patch?

We have? We have an icinga patch, it's still on my list to check the nagios
patch if it fixes really all problems...

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Tue, 22 Jan 2013 15:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 22 Jan 2013 15:45:03 GMT) Full text and rfc822 format available.

Message #36 received at 697930@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Alexander Wirt <formorer@debian.org>, <697930@bugs.debian.org>, <team@security.debian.org>
Subject: Re: [Pkg-nagios-devel] Bug#697930: nagios3: CVE-2012-6096
Date: Tue, 22 Jan 2013 15:40:31 +0000

On 2013-01-20 19:54, Alexander Wirt wrote:
> On Sun, 20 Jan 2013, Moritz Mühlenhoff wrote:
>
>> On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
>> > Control: found -1 3.2.1-2
>> >
>> > On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
>> > >Package: nagios3
>> > >Severity: grave
>> > >Tags: security
>> > >Justification: user security hole
>> > >
>> > >This was assigned CVE-2012-6096:
>> > >
>> > 
>> >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
>> > >
>> > >Fix:
>> > >
>> > 
>> >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
>> >
>> > I tested against squeeze and reproduced the problem. We use nagios
>> > at work so I'm happy to prepare DSA packages if required.
>>
>> Jonathan, can you prepare packages for stable-security now that we 
>> have
>> a final patch?
> We have? We have an icinga patch, its still on my list to check the 
> nagios
> patch if it fixes really all problems...

I'm more than happy to test packages at work and write DSA text and so 
on but I don't have the knowledge of nagios to be able to do the patch 
preparation.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Tue, 22 Jan 2013 15:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Tue, 22 Jan 2013 15:51:03 GMT) Full text and rfc822 format available.

Message #41 received at 697930@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 697930@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#697930: Bug#697930: nagios3: CVE-2012-6096
Date: Tue, 22 Jan 2013 16:49:25 +0100

On Tue, 22 Jan 2013, Jonathan Wiltshire wrote:

> On 2013-01-20 19:54, Alexander Wirt wrote:
> >On Sun, 20 Jan 2013, Moritz Mühlenhoff wrote:
> >
> >>On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> >>> Control: found -1 3.2.1-2
> >>>
> >>> On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> >>> >Package: nagios3
> >>> >Severity: grave
> >>> >Tags: security
> >>> >Justification: user security hole
> >>> >
> >>> >This was assigned CVE-2012-6096:
> >>> >
> >>> >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> >>> >
> >>> >Fix:
> >>> >
> >>> >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> >>>
> >>> I tested against squeeze and reproduced the problem. We use nagios
> >>> at work so I'm happy to prepare DSA packages if required.
> >>
> >>Jonathan, can you prepare packages for stable-security now that
> >>we have
> >>a final patch?
> >We have? We have an icinga patch, its still on my list to check
> >the nagios
> >patch if it fixes really all problems...
> 
> I'm more than happy to test packages at work and write DSA text and
> so on but I don't have the knowledge of nagios to be able to do the
> patch preparation.

You can go ahead for icinga (I already attached the patch). I'll see about a
patch for nagios later in the evening.

Alex




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Sat, 26 Jan 2013 18:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 26 Jan 2013 18:09:03 GMT) Full text and rfc822 format available.

Message #46 received at 697930@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Alexander Wirt <formorer@debian.org>, 697930@bugs.debian.org
Cc: Jonathan Wiltshire <jmw@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#697930: [Pkg-nagios-devel] Bug#697930: Bug#697930: nagios3: CVE-2012-6096
Date: Sat, 26 Jan 2013 18:08:00 +0000

On Tue, Jan 22, 2013 at 16:49:25 +0100, Alexander Wirt wrote:

> You can go ahead for icinga (I already attached the patch). I'll see about a
> patch for nagios later in the evening.
> 
Any luck with a nagios patch?

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Sun, 27 Jan 2013 09:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 27 Jan 2013 09:12:03 GMT) Full text and rfc822 format available.

Message #51 received at 697930@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Julien Cristau <jcristau@debian.org>, 697930@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Jonathan Wiltshire <jmw@debian.org>, team@security.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#697930: Bug#697930: Bug#697930: nagios3: CVE-2012-6096
Date: Sun, 27 Jan 2013 10:08:12 +0100

On Sat, 26 Jan 2013, Julien Cristau wrote:

> On Tue, Jan 22, 2013 at 16:49:25 +0100, Alexander Wirt wrote:
> 
> > You can go ahead for icinga (I already attached the patch). I'll see about a
> > patch for nagios later in the evening.
> > 
> Any luck with a nagios patch?

Yeah, I compared the icinga and the nagios version. The patch from nagios svn
does indeed fix the issue. I'll prepare an upload to unstable soon. The
patch I attached to #697931 does also apply to the stable nagios3 version.

Alex


Added tag(s) pending and patch. Request was from Ivo De Decker <ivo.dedecker@ugent.be> to control@bugs.debian.org. (Sun, 27 Jan 2013 15:21:10 GMT) Full text and rfc822 format available.

Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Sun, 27 Jan 2013 18:51:04 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 27 Jan 2013 18:51:04 GMT) Full text and rfc822 format available.

Message #58 received at 697930-close@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: 697930-close@bugs.debian.org
Subject: Bug#697930: fixed in nagios3 3.4.1-3
Date: Sun, 27 Jan 2013 18:49:21 +0000

Source: nagios3
Source-Version: 3.4.1-3

We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697930@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated nagios3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Jan 2013 19:24:49 +0100
Source: nagios3
Binary: nagios3-common nagios3-cgi nagios3 nagios3-core nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.4.1-3
Distribution: unstable
Urgency: low
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 nagios3    - A host/service/network monitoring and management system
 nagios3-cgi - cgi files for nagios3
 nagios3-common - support files for nagios3
 nagios3-core - A host/service/network monitoring and management system core file
 nagios3-dbg - debugging symbols and debug stuff for nagios3
 nagios3-doc - documentation for nagios3
Closes: 697930
Changes: 
 nagios3 (3.4.1-3) unstable; urgency=low
 .
   * Fix several overflows in getcgi.cgi and history.cgi
     This is fix for CVE 2012-6096 (Closes: #697930)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Fri, 01 Feb 2013 22:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 01 Feb 2013 22:12:03 GMT) Full text and rfc822 format available.

Message #63 received at 697930@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: team@security.debian.org
Cc: 697930@bugs.debian.org
Subject: Re: Bug#697930: nagios3: CVE-2012-6096
Date: Fri, 1 Feb 2013 22:09:34 +0000

On Sun, Jan 20, 2013 at 08:49:26PM +0100, Moritz Mühlenhoff wrote:
> On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> > Control: found -1 3.2.1-2
> > 
> > On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> > >Package: nagios3
> > >Severity: grave
> > >Tags: security
> > >Justification: user security hole
> > >
> > >This was assigned CVE-2012-6096:
> > >
> > >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > >
> > >Fix:
> > >
> > >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> > 
> > I tested against squeeze and reproduced the problem. We use nagios
> > at work so I'm happy to prepare DSA packages if required.
> 
> Jonathan, can you prepare packages for stable-security now that we have
> a final patch?

Ok, I now have tested packages for stable-security for nagios3, debdiff
and DSA text attached.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits
[nagios3_3.2.1-2+squeeze1.debdiff (text/plain, attachment)]
[DSA-2616-1 (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697930; Package nagios3. (Sat, 02 Feb 2013 15:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 02 Feb 2013 15:45:06 GMT) Full text and rfc822 format available.

Message #68 received at 697930@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: team@security.debian.org, 697930@bugs.debian.org
Subject: Re: Bug#697930: nagios3: CVE-2012-6096
Date: Sat, 2 Feb 2013 16:43:20 +0100

On Fri, Feb 01, 2013 at 10:09:34PM +0000, Jonathan Wiltshire wrote:
> On Sun, Jan 20, 2013 at 08:49:26PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Jan 11, 2013 at 03:56:25PM +0000, Jonathan Wiltshire wrote:
> > > Control: found -1 3.2.1-2
> > > 
> > > On 2013-01-11 13:50, Moritz Muehlenhoff wrote:
> > > >Package: nagios3
> > > >Severity: grave
> > > >Tags: security
> > > >Justification: user security hole
> > > >
> > > >This was assigned CVE-2012-6096:
> > > >
> > > >http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > > >
> > > >Fix:
> > > >
> > > >http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> > > 
> > > I tested against squeeze and reproduced the problem. We use nagios
> > > at work so I'm happy to prepare DSA packages if required.
> > 
> > Jonathan, can you prepare packages for stable-security now that we have
> > a final patch?
> 
> Ok, I now have tested packages for stable-security for nagios3, debdiff
> and DSA text attached.

Please upload to security-master.

cheers,
        Moritz



Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Fri, 08 Feb 2013 21:51:16 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 08 Feb 2013 21:51:16 GMT) Full text and rfc822 format available.

Message #73 received at 697930-close@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 697930-close@bugs.debian.org
Subject: Bug#697930: fixed in nagios3 3.2.1-2+squeeze1
Date: Fri, 08 Feb 2013 21:47:05 +0000

Source: nagios3
Source-Version: 3.2.1-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
nagios3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697930@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated nagios3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 01 Feb 2013 18:35:55 +0000
Source: nagios3
Binary: nagios3-common nagios3-cgi nagios3 nagios3-core nagios3-doc nagios3-dbg
Architecture: source amd64 all
Version: 3.2.1-2+squeeze1
Distribution: squeeze-security
Urgency: low
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 nagios3    - A host/service/network monitoring and management system
 nagios3-cgi - cgi files for nagios3
 nagios3-common - support files for nagios3
 nagios3-core - A host/service/network monitoring and management system core file
 nagios3-dbg - debugging symbols and debug stuff for nagios3
 nagios3-doc - documentation for nagios3
Closes: 697930
Changes: 
 nagios3 (3.2.1-2+squeeze1) squeeze-security; urgency=low
 .
   * Non-maintainer upload.
   * Backport 99_security_cve_2012_6096.dpatch for Squeeze, fixes
     a buffer overflow crasher (Closes: #697930) CVE-2012-6096

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Mar 2013 07:27:24 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:34:40 2014; Machine Name: beach.debian.org
