Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1025.2 nagios 6 July 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: nagios2, nagios3 Publisher: Debian Operating System: Debian GNU/Linux 4 Debian GNU/Linux 5 Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Upgrade CVE Names: CVE-2009-2288 Reference: ESB-2009.1016.2 Original Bulletin: http://www.debian.org/security/2009/dsa-1825 Revision History: July 6 2009: Added OS Tags July 6 2009: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA-1825-1 security@debian.org http://www.debian.org/security/ Nico Golde July 3rd, 2009 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : nagios2, nagios3 Vulnerability : insufficient input validation Problem type : remote Debian-specific: no CVE ID : CVE-2009-2288 It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters. For the oldstable distribution (etch), this problem has been fixed in version 2.6-2+etch3 of nagios2. For the stable distribution (lenny), this problem has been fixed in version 3.0.6-4~lenny2 of nagios3. For the testing distribution (squeeze), this problem has been fixed in version 3.0.6-5 of nagios3. For the unstable distribution (sid), this problem has been fixed in version 3.0.6-5 of nagios3. We recommend that you upgrade your nagios2/nagios3 packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Debian (stable) - - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2.diff.gz Size/MD5 checksum: 38428 42d830b18bfdeb3292cc926c81e93611 http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6.orig.tar.gz Size/MD5 checksum: 2735504 900e3f4164f4b2a18485420eeaefe812 http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2.dsc Size/MD5 checksum: 1589 228a65351afe2ce6028c3e4b38a7dbd7 Architecture independent packages: http://security.debian.org/pool/updates/main/n/nagios3/nagios3-doc_3.0.6-4~lenny2_all.deb Size/MD5 checksum: 2070624 a3d6285aa4ca170dff3ebc37c661a87f http://security.debian.org/pool/updates/main/n/nagios3/nagios3-common_3.0.6-4~lenny2_all.deb Size/MD5 checksum: 76976 46391e4a013e6f4b9d22e7529f5836c2 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_alpha.deb Size/MD5 checksum: 1652478 eeb78e031b3e0df336d473738bb849c3 http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_alpha.deb Size/MD5 checksum: 2256566 1691fcda957f56aa58d4a564249e3cc3 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_amd64.deb Size/MD5 checksum: 1533972 c161bf872c5d5e08188ab30d0ea47acc http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_amd64.deb Size/MD5 checksum: 2537724 75ea70e06091246d69457b3206e7dd57 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_arm.deb Size/MD5 checksum: 2219494 fac6212f49e1645e5e562753f342ea73 http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_arm.deb Size/MD5 checksum: 1387152 40e50777dc68548be1cc4d9340074a78 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_armel.deb Size/MD5 checksum: 1444282 639e4563d6009d69c6684117a4d252cd http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_armel.deb Size/MD5 checksum: 2265242 a2874c655c74e88a52838fd0742544aa hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_hppa.deb Size/MD5 checksum: 1557384 49575bfdb3ce7ade125e560586eae41f http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_hppa.deb Size/MD5 checksum: 2362452 360e17eafca70d4124ef4aadb11498d1 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_i386.deb Size/MD5 checksum: 1382416 bcce0eb86a0e94123b73650e49893193 http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_i386.deb Size/MD5 checksum: 2330734 1819c7189c5b97029fee9004879de07b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_ia64.deb Size/MD5 checksum: 2422520 70702e5b4d7363a9a1d4c03b0abf41c7 http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_ia64.deb Size/MD5 checksum: 2250320 904aeb68937da12928f594bba319eb6d mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_mips.deb Size/MD5 checksum: 2510252 8fee75f656fcb82329f9a1fba8d9c80f http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_mips.deb Size/MD5 checksum: 1403106 2e5454f24388aec81e74bfde59a861ed mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_mipsel.deb Size/MD5 checksum: 2408904 5794b3ff1cc68160363c5f85145e8676 http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_mipsel.deb Size/MD5 checksum: 1400836 575acb755aa91460a3dcb46d839d29d7 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_powerpc.deb Size/MD5 checksum: 1528612 9443fc222234b9c08515e3f68c0bd9db http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_powerpc.deb Size/MD5 checksum: 2499118 19bec84cb0bbbd50e6074e5376d703e6 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_s390.deb Size/MD5 checksum: 1395100 ed3894606ef6c2174cb8520aeca3d0bd http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_s390.deb Size/MD5 checksum: 2460168 d5da0fe521f64a2b2306eaca4ab250b2 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_sparc.deb Size/MD5 checksum: 2204680 2cf9f082cdfacbd93f7ea7f2ce756a56 http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_sparc.deb Size/MD5 checksum: 1370882 60c41edc23d52753fe58c8884621279c These files will probably be moved into the stable distribution on its next update. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3.dsc Size/MD5 checksum: 947 b9015c15569bb0a608729966e73eda3f http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3.diff.gz Size/MD5 checksum: 28125 8c35b478b9731ce7f7bd7a08e22f551f http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz Size/MD5 checksum: 1734400 a032edba07bf389b803ce817e9406c02 Architecture independent packages: http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch3_all.deb Size/MD5 checksum: 1149448 9ed8464c5f69f3649d219df01d60dd42 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch3_all.deb Size/MD5 checksum: 58848 9af8f3bbd8bb33bf43f5a65ba0498e48 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_alpha.deb Size/MD5 checksum: 1698844 8ac4a327830b76ce635df9f27b40c31f http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_alpha.deb Size/MD5 checksum: 1219946 74c451aba32bf1af3049fa4aa55aa7ba amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_amd64.deb Size/MD5 checksum: 1097060 6efd47f2ee3ee8afad49427a2f834568 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_amd64.deb Size/MD5 checksum: 1686050 510a3e84ffc77baa6ce8a24a7c6b3d68 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_arm.deb Size/MD5 checksum: 1535814 5fe56d35cc5849cf95cedeacc6e0d818 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_arm.deb Size/MD5 checksum: 1023254 5ab12797ff209d89e72f4e4f5fd7dcef hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_hppa.deb Size/MD5 checksum: 1146854 9d15019fe7a9f12373a93bb6e1811a2b http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_hppa.deb Size/MD5 checksum: 1618176 5ccce2b7366ca4491dc17a7984da0a71 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_i386.deb Size/MD5 checksum: 1015296 0121ad8ec5839b0f86b0774245fbff54 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_i386.deb Size/MD5 checksum: 1584546 8fa4ea83df2a32f2687d1f00f1f3fc21 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_ia64.deb Size/MD5 checksum: 1709844 1d7b16f899f2da2b688abfb971debee2 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_ia64.deb Size/MD5 checksum: 1618780 29a8a56b0d195ef1269c8b2d2fd9a866 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_mips.deb Size/MD5 checksum: 1704724 b5af7087fe2d19b835c6815c58dae46e http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_mips.deb Size/MD5 checksum: 1103170 ba8afb59a09a676000b35436156923c1 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_mipsel.deb Size/MD5 checksum: 1102940 3e02e9d3518b2492f4cc8b778ffeb0dd http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_mipsel.deb Size/MD5 checksum: 1659070 6d9cad7f7e2e7b1113e4199c3371caed powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_powerpc.deb Size/MD5 checksum: 1087622 7115be653606065e657f644462bfa95f http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_powerpc.deb Size/MD5 checksum: 1665826 f1e3a852b49cb7070bffec7b20e00bb5 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_s390.deb Size/MD5 checksum: 1000928 5fd2eb71da07df47ea4a8ae186ee920b http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_s390.deb Size/MD5 checksum: 1611830 ce74a264a7337e8b4db1d906738a351c sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_sparc.deb Size/MD5 checksum: 987636 a421762c82f57aff30fc2bc5bccf4ab7 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_sparc.deb Size/MD5 checksum: 1481982 0358d5ce2bc53cc013ccc4fcba751f56 - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkpOJ8YACgkQHYflSXNkfP9LTgCfRDvFuqJxU/KJUKFUvr36Ulp6 fBgAn0GIaSsu4ni/ifk4NeAaZ0QRyiOW =rrNK - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKUXQbNVH5XJJInbgRAuEmAJ999Zy11r018wL9f9fiu8jUeVAaVQCfXGXj NKemCl1RU0n+YT67pYIxUgA= =Nqm1 -----END PGP SIGNATURE-----