Date: Mon, 30 Jun 2014 16:24:16 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE requests: nagios check_dhcp plug-in: read parts of INI config
 files belonging to root

Good morning,

Dawid Golunski discovered a flaw in the Nagios check_dhcp plugin that
allows "Malicious user that has local access to a system where
check_dhcp plugin is installed with SUID could exploit this
vulnerability to read any INI format config files owned by root and
potentially extract some sensitive information.":

http://seclists.org/fulldisclosure/2014/May/74

This was fixed in version 2.0.2:

<http://nagios-plugins.org/nagios-plugins-2-0-2-released/>

Dawid later reported a race condition. Despite the above fix, it was
still possible to read parts of root-owned files:

http://seclists.org/fulldisclosure/2014/Jun/141

This was fixed in version 2.0.3:

<http://nagios-plugins.org/nagios-plugins-2-0-3-released/>

Can CVEs please be assigned if they have not been already?

Thanks,

--
Murray McAllister / Red Hat Product Security
