Date: Mon, 23 Dec 2013 19:19:25 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request: denial of service in Nagios (process_cgivars()) Hi Vincent, On Mon, Dec 23, 2013 at 10:55:35AM -0700, Vincent Danen wrote: > Could a CVE be assigned to the following flaw? > > A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service. This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI. > > References: > https://secunia.com/advisories/55976/ > http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/ > https://bugs.gentoo.org/show_bug.cgi?id=495132 > https://bugzilla.redhat.com/show_bug.cgi?id=1046113 Only a cross reference (not saying it should get the same CVE): This seems to be the equivalent to the icinga issue , which got CVE-2013-7108.  https://dev.icinga.org/issues/5251 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.