
Re: Upcoming upload for nagios-3.0.5



Alexander Wirt wrote:
> Alexander Wirt wrote on Friday, 28 November 2008:
> 
> Hi, 
> 
>> Unfortunately Nagios has some security bug which can lead to remote command
>> execution under some very special circumstances. See [1] for more details.
>> Upstream released 3.0.5 which addresses this issue and its fixes are very
>> intrusive and not easy to backport since they change many things in the cgi
>> (they introduce some kind of session handling) code. I tried to backport it
>> but failed after a few hours with a big, not working patch. So I decided to
>> try to get 3.0.5 into Debian. The patch is pretty big, but nearly everything
>> is documentation, bug and security fixes (see the changelog entries [2]).
>>
>> I attached a patch from nagios-3.0.3-4 to nagios-3.0.5-1. If this is not
>> acceptable for the release team somebody else with more knowledge in C should
>> provide a proper fix. To get the diff a little bit shorter I removed html/*
>> and the Debian po files from the diff.
> In the meantime 3.0.6 got released with even more security fixes for the
> cgi parts. I will provide a diff soon and ask for inclusion of 3.0.6 instead
> of 3.0.5.

Please upload.

cheers

Luk

