oss-sec mailing list archives
Re: CVE Request (nagios)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 11 Dec 2008 16:22:35 +0100
Hello guys,

I can't follow this. Nagios 3.0.5 should fix two issues:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027
Patch: ?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5028
Patch: http://git.op5.org/git/?p=nagios.git;a=commit;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764

So Nagios 3.0.6 Changelog:

http://www.nagios.org/development/history/nagios-3x.php

"Fix for CGI submission of external commands (writing newlines and submitting service comments)"

is only part of CVE-2008-5027, which hasn't been committed to Nagios 3.0.5?

And patch for:

"Disabled adaptive check and eventhandler commands for security reasons" (also from 3.0.6 Changelog)

is:

http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&pathrev=MAIN

Is this also part of "incomplete" fix for CVE-2008-5027 in 3.0.5? i.e. nothing security related was fixed in 3.0.6 and all the changes committed are only due to late upstream committing of patches for CVE-2008-502{7,8}?

Thanks!, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team