Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1288 New nagios2 packages fix regression 15 September 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: nagios2 Publisher: Debian Operating System: Debian GNU/Linux 4 UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2008-1360 CVE-2007-5803 CVE-2007-5624 Reference: ESB-2009.1279 Original Bulletin: http://www.debian.org/security/2009/dsa-1883 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running nagios2 check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1883-2 security@debian.org http://www.debian.org/security/ Giuseppe Iuculano September 14, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : nagios2 Vulnerability : missing input sanitising Problem type : remote Debian-specific: no CVE Ids : CVE-2007-5624 CVE-2007-5803 CVE-2008-1360 Debian Bugs : 448371 482445 485439 The previous nagios2 update introduced a regression, which caused status.cgi to segfault when used directly without specifying the 'host' variable. This update fixes the problem. For reference the original advisory text follows. Several vulnerabilities have been found in nagios2, ahost/service/network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems: Several cross-site scripting issues via several parameters were discovered in the CGI scripts, allowing attackers to inject arbitrary HTML code. In order to cover the different attack vectors, these issues have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360. For the oldstable distribution (etch), these problems have been fixed in version 2.6-2+etch5. The stable distribution (lenny) does not include nagios2 and nagios3 is not affected by these problems. The testing distribution (squeeze) and the unstable distribution (sid) do not contain nagios2 and nagios3 is not affected by these problems. We recommend that you upgrade your nagios2 packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5.diff.gz Size/MD5 checksum: 35726 1c9d7955bb59162fa82934ef12c53d73 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5.dsc Size/MD5 checksum: 948 93eeeb6eb5ba0d7d3d5c659f9cc762e4 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz Size/MD5 checksum: 1734400 a032edba07bf389b803ce817e9406c02 Architecture independent packages: http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch5_all.deb Size/MD5 checksum: 59516 8edae60c2b64183afbd5b5c5c79df649 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch5_all.deb Size/MD5 checksum: 1150060 c5b23e507b405aed13e6148381a5161f alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_alpha.deb Size/MD5 checksum: 1222220 33fac2a26d60b48a2e3d6cc03ef161f2 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_alpha.deb Size/MD5 checksum: 1703082 685386628adefdea4ef139d8d073be57 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_amd64.deb Size/MD5 checksum: 1688192 fdc3c934dc4e0afa728d9789fc1071aa http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_amd64.deb Size/MD5 checksum: 1098470 c08807062733811fa047eb15d9727c82 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_arm.deb Size/MD5 checksum: 1025042 a9d7fa95c7eac54287a2e73478ea3ba6 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_arm.deb Size/MD5 checksum: 1537944 59b06b0f6ae1061d01a7f1a7b85fb4b4 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_hppa.deb Size/MD5 checksum: 1621998 07cca557bc05cb0f4845f05c0d2b9311 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_hppa.deb Size/MD5 checksum: 1148900 d5b10578c95a21ce66ff11cc5a870047 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_i386.deb Size/MD5 checksum: 1587914 84dcc6957ce50c2b6e7ff243d21b5e8d http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_i386.deb Size/MD5 checksum: 1017162 d57c40f4621e185fee5fe0bbd814b7d5 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_ia64.deb Size/MD5 checksum: 1623636 7abc0f025330c87d2c7a9b4bf3252d16 http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_ia64.deb Size/MD5 checksum: 1711368 59bd21369a4a978d1509fe15f7b59349 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_mipsel.deb Size/MD5 checksum: 1663800 7fae1ba19b03ab963b9a4dfa2055cfc5 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_mipsel.deb Size/MD5 checksum: 1104990 2536c8ff0b839a7028fc605b2f2faab8 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_powerpc.deb Size/MD5 checksum: 1667892 06826d82ff58171d82bdee8c3eb32b61 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_powerpc.deb Size/MD5 checksum: 1088416 0552ad5628f45dd8a0e69d0f126a40b1 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_sparc.deb Size/MD5 checksum: 1485348 46f02971253b25e3e9622bc95863d022 http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_sparc.deb Size/MD5 checksum: 988288 d289d9b68334c7c5a1486771136cac4c These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkquV9MACgkQ62zWxYk/rQeIDACfQYbt5mrdv8WsxrF9XedJoFuk pRIAnjQKB2pY0CtUeUQBLt+njobuqbJJ =IyDf - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKrs7ENVH5XJJInbgRAiGGAJsF1d2HYB+ri0lClBO6D5P/E1uBPACcC+X2 2hXIcxpPk3495jGmBmpwg4g= =Dta5 -----END PGP SIGNATURE-----