Univention Bugzilla – Bug 33822
nagios3: Multiple issues (3.3)
Last modified: 2017-08-31 13:03:04 CEST
+++ This bug was initially created as a clone of Bug #33821 +++ Denial of service in various CGI scripts (CVE-2013-7205, CVE-2013-7108) Cross-site request forgery (CVE-2013-7107)
These three issues have also been classified as "Minor issue" in Debian
The issues were classified as minor issues. Removing target milestone.
Upstream Debian Wheezy package version 3.4.1-3+deb7u3 fixes these issues: * MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796. (CVE-2016-9565) * base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. (CVE-2016-9566) Either we update to the UCS 3.3 package 3.2.1-2+squeeze1 to the wheezy version or we need to packport the patch.
Patches backported: CVE-2014-1878 CVE-2016-9566 Not affected by CVE-2016-9565. Advisory: nagios3.yaml
(In reply to Arvid Requate from comment #4) > Advisory: nagios3.yaml OK Tests (amd64): OK
<http://errata.software-univention.de/ucs/3.3/32.html>