Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

the nagios3 package in wheezy suffers from at least one minor security bug and a regression. I prepared nagios3/3.4.1+deb7u1 for wheezy proposed-updates in order to fix both of them. Additionally two non-intrusive fixes in the initscript are included: a typo and another regression.

I consider the fixes for #680615 and #714171 as pretty important. Thus I suggest to push the pu to wheezy-updates.

So do you agree to upload the prepared packages to pu? And furthermore, do you agree to push it to wheezy-updates as well?

Below's the changelog, please find the full debdiff attached.

nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low

  * Backport the following changes to wheezy:
    * [cd50049] Add missing check command in initscript (Closes: #680615)
    * [77c9d0e] Fix typo in initscript
    * [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in servicegroup view (CVE-2013-2214)
      Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
    * [51fb59b] Backport upstream r1953 to fix downtime retention across restarts.
      Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)

 -- Jonas Meurer <mejo@debian.org>  Fri, 01 Nov 2013 14:32:18 +0100

Kind regards,
 jonas

diff -u nagios3-3.4.1/debian/changelog nagios3-3.4.1/debian/changelog --- nagios3-3.4.1/debian/changelog +++ nagios3-3.4.1/debian/changelog @@ -1,3 +1,15 @@ +nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low + + * Backport the following changes to wheezy: + * [cd50049] Add missing check command in initscript (Closes: #680615) + * [77c9d0e] Fix typo in initscript + * [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in servicegroup view (CVE-2013-2214) + Thanks to Jonas Meurer for the report and the patch (Closes: #714171) + * [51fb59b] Backport upstream r1953 to fix downtime retention across restarts. + Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356) + + -- Jonas Meurer <mejo@debian.org> Fri, 01 Nov 2013 14:32:18 +0100 + nagios3 (3.4.1-3) unstable; urgency=low * Fix several overflows in getcgi.cgi and history.cgi diff -u nagios3-3.4.1/debian/nagios3-common.nagios3.init nagios3-3.4.1/debian/nagios3-common.nagios3.init --- nagios3-3.4.1/debian/nagios3-common.nagios3.init +++ nagios3-3.4.1/debian/nagios3-common.nagios3.init @@ -126,7 +126,7 @@ start () { if [ "$ENABLED" = "no" ]; then - log_warning_msg "Not starting Nagios3 - set ENABLED to yes in /etc/defrault/nagios3" + log_warning_msg "Not starting Nagios3 - set ENABLED to yes in /etc/default/nagios3" exit 0 fi @@ -212,6 +212,10 @@ fi } +check() { + $DAEMON -v $NAGIOSCFG +} + case "$1" in start) log_daemon_msg "Starting $DESC" "$NAME" diff -u nagios3-3.4.1/debian/patches/00list nagios3-3.4.1/debian/patches/00list --- nagios3-3.4.1/debian/patches/00list +++ nagios3-3.4.1/debian/patches/00list @@ -11,0 +12,2 @@ +99_security_status_cgi_servicegroup.dpatch +999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch only in patch2: unchanged: --- nagios3-3.4.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch +++ nagios3-3.4.1/debian/patches/99_security_status_cgi_servicegroup.dpatch 
@@ -0,0 +1,56 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer <jmeurer@inet.de> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Stop cgi-bin/status.c from listing unauthorized hosts and +## DP: services in servicegroup view +## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c +--- nagios3-3.4.1~/cgi/status.c 2012-02-13 21:40:42.000000000 +0100 ++++ nagios3-3.4.1/cgi/status.c 2013-06-26 16:52:37.668132234 +0200 +@@ -2534,6 +2534,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* skip this if it isn't a new host... */ + if(temp_host == last_host) + continue; +@@ -2739,6 +2743,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* skip this if it isn't a new host... 
*/ + if(temp_host == last_host) + continue; +@@ -2918,6 +2926,10 @@ + if(temp_service == NULL) + continue; + ++ /* make sure user has rights to view this service */ ++ if(is_authorized_for_service(temp_service, ¤t_authdata) == FALSE) ++ continue; ++ + /* find the service status */ + temp_servicestatus = find_servicestatus(temp_service->host_name, temp_service->description); + if(temp_servicestatus == NULL) +@@ -3270,6 +3282,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* get the status of the host */ + temp_hoststatus = find_hoststatus(temp_host->name); + if(temp_hoststatus == NULL) only in patch2: unchanged: --- nagios3-3.4.1.orig/debian/patches/999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch +++ nagios3-3.4.1/debian/patches/999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch @@ -0,0 +1,74 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## daemon downtime: Handle loading effective downtime from retention +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: From 9f18395268dda948265722984097735d48d72197 Mon Sep 17 00:00:00 2001 +## DP: From: Andreas Ericsson <ae@op5.se> +## DP: Date: Wed, 6 Jun 2012 09:38:06 +0000 +## DP: Subject: [PATCH] daemon downtime: Handle loading effective downtime from +## DP: retention +## DP: +## DP: Without this patch, Nagios would forget about downtime that starts +## DP: before the core is stopped and ends after the core is restarted. +## DP: +## DP: According to testers, the original problem with notifications being +## DP: re-sent does not crop up again when this patch is applied. +## DP: +## DP: Tested-by: Mark Elsen <mark.elsen@gmail.com> +## DP: Tested-by: Phil Randal <phil.randal@hoopleltd.co.uk> +## DP: Patched-by: Carlos Velasco <carlos.velasco@nimastelecom.com> +## DP: 
Signed-off-by: Andreas Ericsson <ae@op5.se> +## DP: +## DP: git-svn-id: https://nagios.svn.sourceforge.net/svnroot/nagios/nagioscore/trunk@1953 5f96b256-904b-4d8d-8c98-d829582c6739 +## DP: --- +## DP: THANKS | 1 + +## DP: common/downtime.c | 31 +++++++++++++++++++++++++++---- +## DP: 2 files changed, 28 insertions(+), 4 deletions(-) + +@DPATCH@ +diff --git a/common/downtime.c b/common/downtime.c +index 09a0333..0193c50 100644 +--- a/common/downtime.c ++++ b/common/downtime.c +@@ -401,11 +401,34 @@ int handle_scheduled_downtime(scheduled_downtime *temp_downtime) { + } + + /* if downtime handler gets triggerd in between then there seems to be a restart */ +- /* Don't do anything just return */ +- time( ¤t_time); +- if( temp_downtime->start_time < current_time && current_time < temp_downtime->end_time && temp_downtime->is_in_effect == TRUE) +- return OK; ++ time(¤t_time); ++ if(temp_downtime->start_time < current_time && current_time < temp_downtime->end_time && temp_downtime->is_in_effect == TRUE) { ++#ifdef USE_EVENT_BROKER ++ /* send data to event broker */ ++ broker_downtime_data(NEBTYPE_DOWNTIME_START, NEBFLAG_NONE, NEBATTR_NONE, temp_downtime->type, temp_downtime->host_name, temp_downtime->service_description, temp_downtime->entry_time, temp_downtime->author, temp_downtime->comment, temp_downtime->start_time, temp_downtime->end_time, temp_downtime->fixed, temp_downtime->triggered_by, temp_downtime->duration, temp_downtime->downtime_id, NULL); ++#endif ++ ++ /* increment the downtime depth variable */ ++ if(temp_downtime->type == HOST_DOWNTIME) { ++ hst->scheduled_downtime_depth++; ++ update_host_status(hst, FALSE); ++ } ++ else { ++ svc->scheduled_downtime_depth++; ++ update_service_status(svc, FALSE); ++ } + ++ /* schedule an event */ ++ if(temp_downtime->fixed == FALSE) ++ event_time = (time_t)((unsigned long)time(NULL) + temp_downtime->duration); ++ else ++ event_time = temp_downtime->end_time; ++ if((new_downtime_id = (unsigned long *)malloc(sizeof(unsigned 
long)))) { ++ *new_downtime_id = temp_downtime->downtime_id; ++ schedule_new_event(EVENT_SCHEDULED_DOWNTIME, TRUE, event_time, FALSE, 0, NULL, FALSE, (void *)new_downtime_id, NULL, 0); ++ } ++ return OK; ++ } + + /* have we come to the end of the scheduled downtime? */ + if(temp_downtime->is_in_effect == TRUE) { +-- +1.8.2 +
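
Review bot: In the debian/nagios3-common.nagios3.init hunk at @@ -212,6 +212,10 @@, the new check() runs $DAEMON -v $NAGIOSCFG with both variables unquoted, so a configuration path containing whitespace or glob characters would be word-split before it reaches the daemon; "$DAEMON" -v "$NAGIOSCFG" avoids that. The hunk adds only the function definition and no change to the case statement, so it is worth confirming that every existing caller of check acts on its exit status before going on to restart or reload.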
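
Review bot: The DP: description at the top of 99_security_status_cgi_servicegroup.dpatch cites the upstream bug report but not CVE-2013-2214, which appears only in debian/changelog; adding the CVE id to the DP: lines would keep the patch file traceable on its own once it is separated from the changelog. The four inserted checks in cgi/status.c are consistent with each other: each follows the NULL test on temp_host or temp_service and skips the entry with continue, and the service loop at 2918 uses is_authorized_for_service rather than the host variant.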
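
Review bot: In the common/downtime.c hunk at @@ -401,11 +401,34 @@ of 999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch, a failed malloc() for new_downtime_id is silently ignored: by that point scheduled_downtime_depth has been incremented and the host or service status updated, no EVENT_SCHEDULED_DOWNTIME is scheduled, and the function still returns OK, so nothing visible in this hunk would later bring the depth back down. Suggest allocating before the increment, or returning an error when the allocation fails. Separately, for a non-fixed downtime event_time is computed as time(NULL) + temp_downtime->duration, which counts the full duration from the moment the retained downtime is reloaded rather than from when it first took effect; a comment stating whether that extension is intended would help.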