Re: Upcoming upload for nagios-3.0.5
Alexander Wirt schrieb am Friday, den 28. November 2008:
Hi,
> unfortunatly Nagios has some security bug which can lead to remote command
> execution under some very special circumstances. See [1] for more details.
> Upstream released 3.0.5 which addresses this issue and is fixes are very
> intrusive and not easy to backport since they change many things in the cgi
> (they introduce some kind of session handling) code. I tried to backport it
> but failed after a few hours with a big, not working patch. So I decided to
> try to get 3.0.5 into debian. The patch is pretty big, but nearly everything
> are documentation, bug and security fixes (see the changelog entrys [2]).
>
> I attached a patch from nagios-3.0.3-4 to nagios-3.0.5-1. If this is not
> acceptable for the releaseteam somebody else with more knowledge in C should
> provide a proper fix. To get the diff a little bit shorter I removed html/*
> and the debian po files from the diff.
In the meanwhile 3.0.6 got released with even more security fixes for the
cgi parts. I will provide a diff soon and ask for inclusion of 3.0.6 instead
of 3.0.5.
Thanks
Alex
Reply to: