Bug 37088

Summary: nagios3: Multiple issues (4.1)
Product: UCS Reporter: Moritz Muehlenhoff <jmm>
Component: Security updatesAssignee: Arvid Requate <requate>
Status: CLOSED FIXED QA Contact: Felix Botner <botner>
Severity: normal    
Priority: P1 CC: gohmann, requate
Version: UCS 4.1Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-4-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description Moritz Muehlenhoff univentionstaff 2014-11-27 12:13:17 CET 
+++ This bug was initially created as a clone of Bug #33822 +++

Denial of service in various CGI scripts (CVE-2013-7205, CVE-2013-7108)
Cross-site request forgery (CVE-2013-7107)
Comment 1 Moritz Muehlenhoff univentionstaff 2014-11-27 12:13:38 CET 
CVE-2013-4214 isn't exploitable in UCS 4.0 due to kernel-based /tmp hardening
Comment 2 Arvid Requate univentionstaff 2015-05-06 18:24:19 CEST 
The first three issues have also been classified as "Minor issue" in Debian
Comment 3 Stefan Gohmann univentionstaff 2015-09-11 12:27:22 CEST 
Resetting target milestone because it has been classified as minor issue.
Comment 4 Arvid Requate univentionstaff 2016-05-23 14:14:28 CEST 
Upstream Debian package version 3.4.1-3+deb7u2 fixes this issue:

* A stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c
in Nagios allows remote attackers to cause a denial of service
(segmentation fault) via a long message to cmd.cgi(CVE-2014-1878)

The other issues above are not fixed.
Comment 5 Arvid Requate univentionstaff 2016-12-19 13:19:10 CET 
Upstream Debian package version 3.4.1-3+deb7u3 fixes these issues:

* MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796. (CVE-2016-9565)

* base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file.  NOTE: this can be leveraged by remote attackers using CVE-2016-9565. (CVE-2016-9566)
Comment 6 Arvid Requate univentionstaff 2016-12-19 16:40:16 CET 
Advisory: nagios3.yaml
Comment 7 Felix Botner univentionstaff 2016-12-20 17:44:43 CET 
OK - nagios3 3.4.1-3+deb7u3 with
     - CVE-2014-1878
     - CVE-2016-9565
     - CVE-2016-9566
OK - install/update
OK - YAML
Comment 8 Philipp Hahn univentionstaff 2016-12-21 15:32:49 CET 
<http://errata.software-univention.de/ucs/4.1/363.html>