Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1025.2
nagios
6 July 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: nagios2, nagios3
Publisher: Debian
Operating System: Debian GNU/Linux 4
Debian GNU/Linux 5
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Upgrade
CVE Names: CVE-2009-2288
Reference: ESB-2009.1016.2
Original Bulletin:
http://www.debian.org/security/2009/dsa-1825
Revision History: July 6 2009: Added OS Tags
July 6 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA-1825-1 security@debian.org
http://www.debian.org/security/ Nico Golde
July 3rd, 2009 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : nagios2, nagios3
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2288
It was discovered that the statuswml.cgi script of nagios, a monitoring
and management system for hosts, services and networks, is prone to a
command injection vulnerability. Input to the ping and traceroute parameters
of the script is not properly validated which allows an attacker to execute
arbitrary shell commands by passing a crafted value to these parameters.
For the oldstable distribution (etch), this problem has been fixed in
version 2.6-2+etch3 of nagios2.
For the stable distribution (lenny), this problem has been fixed in
version 3.0.6-4~lenny2 of nagios3.
For the testing distribution (squeeze), this problem has been fixed in
version 3.0.6-5 of nagios3.
For the unstable distribution (sid), this problem has been fixed in
version 3.0.6-5 of nagios3.
We recommend that you upgrade your nagios2/nagios3 packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2.diff.gz
Size/MD5 checksum: 38428 42d830b18bfdeb3292cc926c81e93611
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6.orig.tar.gz
Size/MD5 checksum: 2735504 900e3f4164f4b2a18485420eeaefe812
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2.dsc
Size/MD5 checksum: 1589 228a65351afe2ce6028c3e4b38a7dbd7
Architecture independent packages:
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-doc_3.0.6-4~lenny2_all.deb
Size/MD5 checksum: 2070624 a3d6285aa4ca170dff3ebc37c661a87f
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-common_3.0.6-4~lenny2_all.deb
Size/MD5 checksum: 76976 46391e4a013e6f4b9d22e7529f5836c2
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_alpha.deb
Size/MD5 checksum: 1652478 eeb78e031b3e0df336d473738bb849c3
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_alpha.deb
Size/MD5 checksum: 2256566 1691fcda957f56aa58d4a564249e3cc3
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_amd64.deb
Size/MD5 checksum: 1533972 c161bf872c5d5e08188ab30d0ea47acc
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_amd64.deb
Size/MD5 checksum: 2537724 75ea70e06091246d69457b3206e7dd57
arm architecture (ARM)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_arm.deb
Size/MD5 checksum: 2219494 fac6212f49e1645e5e562753f342ea73
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_arm.deb
Size/MD5 checksum: 1387152 40e50777dc68548be1cc4d9340074a78
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_armel.deb
Size/MD5 checksum: 1444282 639e4563d6009d69c6684117a4d252cd
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_armel.deb
Size/MD5 checksum: 2265242 a2874c655c74e88a52838fd0742544aa
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_hppa.deb
Size/MD5 checksum: 1557384 49575bfdb3ce7ade125e560586eae41f
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_hppa.deb
Size/MD5 checksum: 2362452 360e17eafca70d4124ef4aadb11498d1
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_i386.deb
Size/MD5 checksum: 1382416 bcce0eb86a0e94123b73650e49893193
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_i386.deb
Size/MD5 checksum: 2330734 1819c7189c5b97029fee9004879de07b
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_ia64.deb
Size/MD5 checksum: 2422520 70702e5b4d7363a9a1d4c03b0abf41c7
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_ia64.deb
Size/MD5 checksum: 2250320 904aeb68937da12928f594bba319eb6d
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_mips.deb
Size/MD5 checksum: 2510252 8fee75f656fcb82329f9a1fba8d9c80f
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_mips.deb
Size/MD5 checksum: 1403106 2e5454f24388aec81e74bfde59a861ed
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_mipsel.deb
Size/MD5 checksum: 2408904 5794b3ff1cc68160363c5f85145e8676
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_mipsel.deb
Size/MD5 checksum: 1400836 575acb755aa91460a3dcb46d839d29d7
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_powerpc.deb
Size/MD5 checksum: 1528612 9443fc222234b9c08515e3f68c0bd9db
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_powerpc.deb
Size/MD5 checksum: 2499118 19bec84cb0bbbd50e6074e5376d703e6
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_s390.deb
Size/MD5 checksum: 1395100 ed3894606ef6c2174cb8520aeca3d0bd
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_s390.deb
Size/MD5 checksum: 2460168 d5da0fe521f64a2b2306eaca4ab250b2
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_sparc.deb
Size/MD5 checksum: 2204680 2cf9f082cdfacbd93f7ea7f2ce756a56
http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_sparc.deb
Size/MD5 checksum: 1370882 60c41edc23d52753fe58c8884621279c
These files will probably be moved into the stable distribution on
its next update.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Debian (oldstable)
- - ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3.dsc
Size/MD5 checksum: 947 b9015c15569bb0a608729966e73eda3f
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3.diff.gz
Size/MD5 checksum: 28125 8c35b478b9731ce7f7bd7a08e22f551f
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz
Size/MD5 checksum: 1734400 a032edba07bf389b803ce817e9406c02
Architecture independent packages:
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch3_all.deb
Size/MD5 checksum: 1149448 9ed8464c5f69f3649d219df01d60dd42
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch3_all.deb
Size/MD5 checksum: 58848 9af8f3bbd8bb33bf43f5a65ba0498e48
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_alpha.deb
Size/MD5 checksum: 1698844 8ac4a327830b76ce635df9f27b40c31f
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_alpha.deb
Size/MD5 checksum: 1219946 74c451aba32bf1af3049fa4aa55aa7ba
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_amd64.deb
Size/MD5 checksum: 1097060 6efd47f2ee3ee8afad49427a2f834568
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_amd64.deb
Size/MD5 checksum: 1686050 510a3e84ffc77baa6ce8a24a7c6b3d68
arm architecture (ARM)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_arm.deb
Size/MD5 checksum: 1535814 5fe56d35cc5849cf95cedeacc6e0d818
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_arm.deb
Size/MD5 checksum: 1023254 5ab12797ff209d89e72f4e4f5fd7dcef
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_hppa.deb
Size/MD5 checksum: 1146854 9d15019fe7a9f12373a93bb6e1811a2b
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_hppa.deb
Size/MD5 checksum: 1618176 5ccce2b7366ca4491dc17a7984da0a71
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_i386.deb
Size/MD5 checksum: 1015296 0121ad8ec5839b0f86b0774245fbff54
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_i386.deb
Size/MD5 checksum: 1584546 8fa4ea83df2a32f2687d1f00f1f3fc21
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_ia64.deb
Size/MD5 checksum: 1709844 1d7b16f899f2da2b688abfb971debee2
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_ia64.deb
Size/MD5 checksum: 1618780 29a8a56b0d195ef1269c8b2d2fd9a866
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_mips.deb
Size/MD5 checksum: 1704724 b5af7087fe2d19b835c6815c58dae46e
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_mips.deb
Size/MD5 checksum: 1103170 ba8afb59a09a676000b35436156923c1
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_mipsel.deb
Size/MD5 checksum: 1102940 3e02e9d3518b2492f4cc8b778ffeb0dd
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_mipsel.deb
Size/MD5 checksum: 1659070 6d9cad7f7e2e7b1113e4199c3371caed
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_powerpc.deb
Size/MD5 checksum: 1087622 7115be653606065e657f644462bfa95f
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_powerpc.deb
Size/MD5 checksum: 1665826 f1e3a852b49cb7070bffec7b20e00bb5
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_s390.deb
Size/MD5 checksum: 1000928 5fd2eb71da07df47ea4a8ae186ee920b
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_s390.deb
Size/MD5 checksum: 1611830 ce74a264a7337e8b4db1d906738a351c
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch3_sparc.deb
Size/MD5 checksum: 987636 a421762c82f57aff30fc2bc5bccf4ab7
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch3_sparc.deb
Size/MD5 checksum: 1481982 0358d5ce2bc53cc013ccc4fcba751f56
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:
ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpOJ8YACgkQHYflSXNkfP9LTgCfRDvFuqJxU/KJUKFUvr36Ulp6
fBgAn0GIaSsu4ni/ifk4NeAaZ0QRyiOW
=rrNK
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKUXQbNVH5XJJInbgRAuEmAJ999Zy11r018wL9f9fiu8jUeVAaVQCfXGXj
NKemCl1RU0n+YT67pYIxUgA=
=Nqm1
-----END PGP SIGNATURE-----