oss-sec mailing list archives
Re: CVE Request (nagios)
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Mon, 8 Dec 2008 15:57:46 +0300
Jan, good day. Mon, Dec 08, 2008 at 01:21:45PM +0100, Jan Lieskovsky wrote:
diffing your version (3.0.5p1) and the latest upstream one (3.0.6) returns the following (this commit was posted on 2008-11-30): diff -r /tmp/3.0.5p1/nagios-3.0.5p1/base/commands.c /tmp/nagios_latest/nagios-3.0.6/base/commands.c
[...]
2893a2896,2908/* SECURITY PATCH - disable these for the time being */ switch(cmd){ case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER: case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER: case CMD_CHANGE_HOST_EVENT_HANDLER: case CMD_CHANGE_SVC_EVENT_HANDLER: case CMD_CHANGE_HOST_CHECK_COMMAND: case CMD_CHANGE_SVC_CHECK_COMMAND: return ERROR; }And other vulnerability reports: http://www.nagios.org/news/#88 http://secunia.com/Advisories/32909/ Andreas, could you please confirm/disprove this patch was part of recent CVE-2008-{5027, 5028}? Seems it wasn't, but can be wrong.
Hmm, this seems to be unrelated to CVE-2008-5027, but it may be the upstream fix for CSRF: judging by the contents of http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764 the original patch from Tim Starling should introduce at least 'csrf' word into cgi/cmd.c. And I am failing to find one in the latest version, http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/cmd.c?revision=1.47&view=markup So either it was fixed in the completely different way or it is the quick fix to prevent CSRFs for the eventhandler mangling commands. It is a bit strange that it was done after 3.0.5 (CSRF was documented in 3.0.5 release notes), but... By the way, entry for CVE-2008-5028 speaks about 3.0.5 as about the vulnerable to the CSRF and it is inconsistent with the release notes at http://www.nagios.org/development/history/nagios-3x.php. Clarifications are desperately needed ;)) -- Eygene
Current thread:
- CVE Request (nagios) Josh Bressers (Dec 05)
- Re: CVE Request (nagios) Andreas Ericsson (Dec 08)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
- Re: CVE Request (nagios) Andreas Ericsson (Dec 08)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
- Re: CVE Request (nagios) Jan Lieskovsky (Dec 08)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 10)
- Re: CVE Request (nagios) Andreas Ericsson (Dec 10)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 10)
- Re: CVE Request (nagios) Andreas Ericsson (Dec 10)
- Re: CVE Request (nagios) Jan Lieskovsky (Dec 11)
- Re: CVE Request (nagios) Steven M. Christey (Dec 16)
- Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
- Re: CVE Request (nagios) Andreas Ericsson (Dec 08)