Debian Bug report logs - #697931
icinga: CVE-2012-6096


Package: icinga; Maintainer for icinga is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Source for icinga is src:icinga.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 11 Jan 2013 13:57:08 UTC

Severity: grave

Tags: patch, security

Fixed in versions icinga/1.7.1-5, icinga/1.8.4-1

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697931; Package icinga. (Fri, 11 Jan 2013 13:57:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Fri, 11 Jan 2013 13:57:10 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icinga: CVE-2012-6096
Date: Fri, 11 Jan 2013 14:51:21 +0100
Package: icinga
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-6096:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

Fix:
http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547

Cheers,
        Moritz



Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Fri, 11 Jan 2013 22:39:08 GMT) Full text and rfc822 format available.

Removed tag(s) patch. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Sat, 12 Jan 2013 17:15:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697931; Package icinga. (Sat, 12 Jan 2013 17:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 12 Jan 2013 17:18:03 GMT) Full text and rfc822 format available.

Message #14 received at 697931@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 697931@bugs.debian.org
Subject: Re: Bug#697931: icinga: CVE-2012-6096
Date: Sat, 12 Jan 2013 18:14:05 +0100
On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:

> Package: icinga
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> This was assigned CVE-2012-6096:
> http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> 
> Fix:
> http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
As it currently seems this fix is incomplete. The severity of the problem
isn't that high, so I want to wait until the icinga team has an official
patch.

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697931; Package icinga. (Sat, 12 Jan 2013 18:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sat, 12 Jan 2013 18:42:03 GMT) Full text and rfc822 format available.

Message #19 received at 697931@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Alexander Wirt <formorer@debian.org>
Cc: 697931@bugs.debian.org
Subject: Re: Bug#697931: icinga: CVE-2012-6096
Date: Sat, 12 Jan 2013 19:36:55 +0100
On Sat, Jan 12, 2013 at 06:14:05PM +0100, Alexander Wirt wrote:
> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
> 
> > Package: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > This was assigned CVE-2012-6096:
> > http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > 
> > Fix:
> > http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.

Sounds good.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697931; Package icinga. (Sun, 13 Jan 2013 23:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Friedrich <michael.friedrich@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 13 Jan 2013 23:09:03 GMT) Full text and rfc822 format available.

Message #24 received at 697931@bugs.debian.org (full text, mbox):

From: Michael Friedrich <michael.friedrich@gmail.com>
To: Alexander Wirt <formorer@debian.org>, 697931@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: [Pkg-nagios-devel] Bug#697931: icinga: CVE-2012-6096
Date: Mon, 14 Jan 2013 00:04:47 +0100
On 12.01.2013 18:14, Alexander Wirt wrote:
> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
>
>> Package: icinga
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> This was assigned CVE-2012-6096:
>> http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
>>
>> Fix:
>> http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.

Thanks to Markus Frosch who did the initial review of the Nagios patch 
by Eric Stanley, I've now uploaded 1.6.2, 1.7.4 and 1.8.4 to 
sourceforge. In regard of the CVE, this is considered to be fixed by 
these releases.
For Icinga in currently frozen Wheezy you'll likely need this patch - 
I've tested it against 1.7.1 which is the source here.

commit fc05df71d707c2692d07d4324c9061aad8f68ecf
Author: Michael Friedrich <michael.friedrich@netways.de>
Date:   Sun Jan 13 22:10:10 2013 +0100

    possible fix for CVE-2012-6096 (nagios), added Icinga specific fixes

    refs #3532

    Conflicts:
        cgi/cgiutils.c
        cgi/status.c

https://git.icinga.org/?p=icinga-core.git;a=commit;h=46f55574afa934f9e0bce5e9aac7f45530ff0058

Just a final note on the duplicated cve bug for both nagios and icinga - 
it would be nice to have the cve reproduced for both in the first place, 
before remarking bugs on the icinga code which have not been verified 
completely, neither by the reporter nor by icinga dev team itself. A 
bug report upstream would have been nice as well, this has been now done 
with https://dev.icinga.org/issues/3532

Kind regards,
Michael


-- 
DI (FH) Michael Friedrich

mail:     michael.friedrich@gmail.com
twitter:  https://twitter.com/dnsmichi
jabber:   dnsmichi@jabber.ccc.de
irc:      irc.freenode.net/icinga dnsmichi

icinga open source monitoring
position: lead core developer
url:      https://www.icinga.org




Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Mon, 14 Jan 2013 05:51:03 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 14 Jan 2013 05:51:03 GMT) Full text and rfc822 format available.

Message #29 received at 697931-close@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: 697931-close@bugs.debian.org
Subject: Bug#697931: fixed in icinga 1.7.1-5
Date: Mon, 14 Jan 2013 05:47:42 +0000
Source: icinga
Source-Version: 1.7.1-5

We believe that the bug you reported is fixed in the latest version of
icinga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated icinga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 14 Jan 2013 06:14:38 +0100
Source: icinga
Binary: icinga-common icinga-cgi icinga-idoutils icinga icinga-core icinga-doc icinga-dbg
Architecture: source amd64 all
Version: 1.7.1-5
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 icinga     - host and network monitoring system - metapackage
 icinga-cgi - host and network monitoring system - CGI scripts
 icinga-common - host and network monitoring system - support files
 icinga-core - host and network monitoring system - core files
 icinga-dbg - host and network monitoring system - debug files
 icinga-doc - host and network monitoring system - documentation
 icinga-idoutils - host and network monitoring system - icinga-dataobjects support
Closes: 697931
Changes: 
 icinga (1.7.1-5) unstable; urgency=high
 .
   * Apply fix for CVE-2012-6096 - buffer overflows in cgis
     (Closes: #697931)




Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Mon, 14 Jan 2013 06:03:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 14 Jan 2013 06:03:06 GMT) Full text and rfc822 format available.

Message #34 received at 697931-close@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: 697931-close@bugs.debian.org
Subject: Bug#697931: fixed in icinga 1.8.4-1
Date: Mon, 14 Jan 2013 06:02:38 +0000
Source: icinga
Source-Version: 1.8.4-1

We believe that the bug you reported is fixed in the latest version of
icinga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated icinga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 14 Jan 2013 06:22:39 +0100
Source: icinga
Binary: icinga-common icinga-cgi icinga-idoutils icinga icinga-core icinga-doc icinga-dbg
Architecture: source amd64 all
Version: 1.8.4-1
Distribution: experimental
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 icinga     - host and network monitoring system - metapackage
 icinga-cgi - host and network monitoring system - CGI scripts
 icinga-common - host and network monitoring system - support files
 icinga-core - host and network monitoring system - core files
 icinga-dbg - host and network monitoring system - debug files
 icinga-doc - host and network monitoring system - documentation
 icinga-idoutils - host and network monitoring system - icinga-dataobjects support
Closes: 697931
Changes: 
 icinga (1.8.4-1) experimental; urgency=high
 .
   * [a466a1e] Replace /etc/init.d with service
   * [eb7a611] Imported Upstream version 1.8.4
     - This release fixes CVE-2012-6096 - buffer overflows
       in cgis. (Closes: #697931)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697931; Package icinga. (Mon, 14 Jan 2013 12:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Mon, 14 Jan 2013 12:21:03 GMT) Full text and rfc822 format available.

Message #39 received at 697931@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 697931@bugs.debian.org
Cc: security@debian.org
Subject: Re: [Pkg-nagios-devel] Bug#697931: icinga: CVE-2012-6096
Date: Mon, 14 Jan 2013 13:17:52 +0100
tag 697931 patch
thanks

Alexander Wirt wrote on Saturday, 12 January 2013:

> On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
> 
> > Package: icinga
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > This was assigned CVE-2012-6096:
> > http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > 
> > Fix:
> > http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> As it currently seems this fix is incomplete. The severity of the problem
> isn't that high, so I want to wait until the icinga team has an official
> patch.
Ok, I backported the official patch to stable and attached it. Should I
provide an updated package for security.d.o?

Alex
-- 
Alexander Wirt, formorer@formorer.de 
CC99 2DDD D39E 75B0 B0AA  B25C D35B BC99 BC7D 020A
[99_fix_CVE-2012-6096.dpatch (text/plain, attachment)]

Added tag(s) patch. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Mon, 14 Jan 2013 12:21:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#697931; Package icinga. (Mon, 11 Feb 2013 22:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Mon, 11 Feb 2013 22:27:04 GMT) Full text and rfc822 format available.

Message #46 received at 697931@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Alexander Wirt <formorer@debian.org>
Cc: 697931@bugs.debian.org, security@debian.org
Subject: Re: [Pkg-nagios-devel] Bug#697931: icinga: CVE-2012-6096
Date: Mon, 11 Feb 2013 23:25:47 +0100
On Mon, Jan 14, 2013 at 01:17:52PM +0100, Alexander Wirt wrote:
> tag 697931 patch
> thanks
> 
> Alexander Wirt wrote on Saturday, 12 January 2013:
> 
> > On Fri, 11 Jan 2013, Moritz Muehlenhoff wrote:
> > 
> > > Package: icinga
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > This was assigned CVE-2012-6096:
> > > http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
> > > 
> > > Fix:
> > > http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
> > As it currently seems this fix is incomplete. The severity of the problem
> > isn't that high, so I want to wait until the icinga team has an official
> > patch.
> Ok, I backported the official patch to stable and attached it. Should I
> provide an updated package for security.d.o?

Sorry for the late followup, I thought Jonathan would take care of icinga
as well and overlooked his reply.

Please build with -sa and upload to security-master.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Mar 2013 07:27:18 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:39:50 2014; Machine Name: buxtehude.debian.org
