oss-sec mailing list archives

Re: CVE Request (nagios)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 08 Dec 2008 13:21:45 +0100

Hello Andreas, Eygene,

  diffing your version (3.0.5p1) and the latest upstream one (3.0.6)
returns the following (this commit was posted on 2008-11-30):

diff
-r /tmp/3.0.5p1/nagios-3.0.5p1/base/commands.c /tmp/nagios_latest/nagios-3.0.6/base/commands.c
5,6c5,6
<  * Copyright (c) 1999-2008 Ethan Galstad (nagios () nagios org)
<  * Last Modified:   10-15-2008
---
 * Copyright (c) 1999-2008 Ethan Galstad (egalstad () nagios org)
 * Last Modified:   11-30-2008
1188a1189
              break;
1191a1193
              break;
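Review bot: the two one-line `break;` additions at 1189 and 1193 change control flow well away from the SECURITY PATCH block added at 2896, and this context-free diff does not show which case labels they terminate. Please repost with context (for example `diff -u`) or state which cases previously fell through, so it is clear whether these belong to the security fix or are a separate correction that backporters need to assess on its own.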
2893a2896,2908

      /* SECURITY PATCH - disable these for the time being */
      switch(cmd){
      case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
      case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
      case CMD_CHANGE_HOST_EVENT_HANDLER:
      case CMD_CHANGE_SVC_EVENT_HANDLER:
      case CMD_CHANGE_HOST_CHECK_COMMAND:
      case CMD_CHANGE_SVC_CHECK_COMMAND:
              return ERROR;
              }



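Review bot: the switch added at 2896-2908 returns ERROR for all six CMD_CHANGE_* commands unconditionally, and the only record of why is the comment "disable these for the time being", which names neither the problem nor the condition for re-enabling them. Suggest expanding the comment to state the risk and point at the advisory, and writing a log entry before `return ERROR;` so an operator whose command is rejected can tell it was deliberately disabled rather than malformed. The closing brace of the switch is also indented to the level of `return ERROR;` rather than `switch(cmd){`.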
The relevant upstream commit is here:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&pathrev=MAIN

And other vulnerability reports:
http://www.nagios.org/news/#88
http://secunia.com/Advisories/32909/

Andreas, could you please confirm/disprove whether this patch was part of the recent
CVE-2008-{5027, 5028}?

Seems it wasn't, but I can be wrong.

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team



