
Re: [Sysadmins] [SECURITY] [DSA 1825-1] New nagios2/nagios3 packages fix arbitrary code execution



Nagios has been upgraded to fix this problem.  We shouldn't have been
that vulnerable since you need to have a UGCS login to get to our nagios
page, but it's fixed either way.

Thanks, Joshua

Nico Golde wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA-1825-1                    security@debian.org
> http://www.debian.org/security/                                 Nico Golde
> July 3rd, 2009                          http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : nagios2, nagios3
> Vulnerability  : insufficient input validation
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2009-2288
>
>
> It was discovered that the statuswml.cgi script of nagios, a monitoring
> and management system for hosts, services and networks, is prone to a
> command injection vulnerability.  Input to the ping and traceroute
> parameters of the script is not properly validated which allows an
> attacker to execute arbitrary shell commands by passing a crafted value
> to these parameters.
>
>
> For the oldstable distribution (etch), this problem has been fixed in
> version 2.6-2+etch3 of nagios2.
>
> For the stable distribution (lenny), this problem has been fixed in
> version 3.0.6-4~lenny2 of nagios3.
>
> For the testing distribution (squeeze), this problem has been fixed in
> version 3.0.6-5 of nagios3.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.0.6-5 of nagios3.
>
>
> We recommend that you upgrade your nagios2/nagios3 packages.
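As an added illustration of the missing input validation the advisory describes (example code written for this page, not Nagios's statuswml.cgi or Debian's fix), the check below allow-lists the characters a host parameter may contain before it is placed on a ping command line; the function names, the command string and the sample inputs are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allow-list check for a host/IP parameter: letters, digits, '.', '-' and,
   for IPv6 literals, ':'. Shell metacharacters (';', '|', '`', '$', quotes,
   whitespace) are rejected so they can never reach a shell. Returns 1 if
   the value is acceptable, 0 otherwise. */
int host_param_is_safe(const char *host) {
    size_t len;
    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > 253) return 0;   /* DNS name length limit */
    if (host[0] == '-') return 0;          /* would be parsed as a ping option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Unsafe pattern of the kind the advisory describes (hypothetical, shown
   for contrast): the raw CGI parameter is spliced into a shell command. */
int build_ping_command_unsafe(char *buf, size_t size, const char *host) {
    return snprintf(buf, size, "/bin/ping -c 3 %s", host);
}

/* Hardened form: the command is built only when the parameter passes the
   allow-list; returns -1 on rejection. A real CGI should additionally run
   the tool via execve() with an argv array instead of popen()/system(). */
int build_ping_command_safe(char *buf, size_t size, const char *host) {
    if (!host_param_is_safe(host)) return -1;
    return snprintf(buf, size, "/bin/ping -c 3 %s", host);
}

int main(void) {
    char cmd[256];
    /* constructed sample inputs: two valid hosts, an option-like value,
       and a value carrying a shell separator */
    const char *inputs[] = { "example.org", "192.0.2.10", "-f", "example.org; ls" };
    for (size_t i = 0; i < 4; i++) {
        if (build_ping_command_safe(cmd, sizeof cmd, inputs[i]) < 0)
            printf("rejected: %s\n", inputs[i]);
        else
            printf("ok:       %s\n", cmd);
    }
    return 0;
}
```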
