Date: Thu, 11 Dec 2008 16:22:35 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Andreas Ericsson <ae@....se>, Eygene Ryabinkin <rea-sec@...elabs.ru>
Cc: oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE Request (nagios)

Hello guys,

  I can't follow this. Nagios 3.0.5 should fix two issues: 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027
Patch: ?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5028
Patch: http://git.op5.org/git/?p=nagios.git;a=commit;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764

So Nagios 3.0.6 Changelog: http://www.nagios.org/development/history/nagios-3x.php
"Fix for CGI submission of external commands (writing newlines and submitting service comments)"
is only part of CVE-2008-5027, which hasn't been committed to Nagios 3.0.5?

And patch for:
"Disabled adaptive check and eventhandler commands for security reasons" (also from 3.0.6 Changelog)
is: http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&pathrev=MAIN

Is this also part of the "incomplete" fix for CVE-2008-5027 in 3.0.5?
i.e. nothing security related was fixed in 3.0.6 and all the
changes committed are only due to late upstream committing of patches
for CVE-2008-502{7,8}?

Thanks!, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


