Date: Mon, 08 Dec 2008 13:21:45 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request (nagios)
Hello Andreas, Eygene,
diffing your version (3.0.5p1) and the latest upstream one (3.0.6)
returns the following (this commit was posted on 2008-11-30):
diff
-r /tmp/3.0.5p1/nagios-3.0.5p1/base/commands.c /tmp/nagios_latest/nagios-3.0.6/base/commands.c
5,6c5,6
< * Copyright (c) 1999-2008 Ethan Galstad (nagios@...ios.org)
< * Last Modified: 10-15-2008
---
> * Copyright (c) 1999-2008 Ethan Galstad (egalstad@...ios.org)
> * Last Modified: 11-30-2008
1188a1189
> break;
1191a1193
> break;
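Review bot: the `break;` added here at new line 1193, like the one at new line 1189, is not explained anywhere in a change whose only comment is "SECURITY PATCH". If the preceding cases used to fall through into the next one, that is a separate behaviour fix and should be called out in the changelog. A context diff (`diff -u`) would also show which case labels are affected, which cannot be determined from these lines alone.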
2893a2896,2908
>
> /* SECURITY PATCH - disable these for the time being */
> switch(cmd){
> case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
> case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_EVENT_HANDLER:
> case CMD_CHANGE_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_CHECK_COMMAND:
> case CMD_CHANGE_SVC_CHECK_COMMAND:
> return ERROR;
> }
>
>
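Review bot: the switch added at 2896-2908 rejects the six CMD_CHANGE_* commands with a bare `return ERROR;` and logs nothing, so whoever submits one of these commands gets no indication of why it was refused and an operator has no record that it was attempted. Consider writing a log entry naming the rejected command before returning. The comment "disable these for the time being" should also state what must be fixed before the commands can be re-enabled, since the block is unconditional and there is no configuration switch.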
The relevant upstream commit is here:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&pathrev=MAIN
And other vulnerability reports:
http://www.nagios.org/news/#88
http://secunia.com/Advisories/32909/
Andreas, could you please confirm/disprove that this patch was part of the recent
CVE-2008-{5027, 5028}?
It seems it wasn't, but I can be wrong.
Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team