oss-sec mailing list archives

Re: CVE Request (nagios)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 11 Dec 2008 16:22:35 +0100

Hello guys,

  I can't follow this. Nagios 3.0.5 should fix two issues: 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027
Patch: ?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5028
Patch: http://git.op5.org/git/?p=nagios.git;a=commit;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764

So Nagios 3.0.6 Changelog: http://www.nagios.org/development/history/nagios-3x.php
"Fix for CGI submission of external commands (writing newlines and submitting service comments)"
is only part of CVE-2008-5027, which hasn't been committed to Nagios 3.0.5?

And patch for:
"Disabled adaptive check and eventhandler commands for security reasons" (also from 3.0.6 Changelog)
is: http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&pathrev=MAIN

Is this also part of the "incomplete" fix for CVE-2008-5027 in 3.0.5?
i.e. nothing security related was fixed in 3.0.6 and all the
changes committed are only due to late upstream committing of patches
for CVE-2008-502{7,8}?

Thanks!, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team



