Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1229008955.3477.43.camel@dhcp-lab-164.englab.brq.redhat.com>
Date: Thu, 11 Dec 2008 16:22:35 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Andreas Ericsson <ae@....se>, Eygene Ryabinkin <rea-sec@...elabs.ru>
Cc: oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE Request (nagios)

Hello guys,

  I can't follow this. Nagios 3.0.5 should fix two issues: 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027
Patch: ?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5028
Patch: http://git.op5.org/git/?p=nagios.git;a=commit;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764

So Nagios 3.0.6 Changelog: http://www.nagios.org/development/history/nagios-3x.php
"Fix for CGI submission of external commands (writing newlines and submitting service comments)"
is only part of CVE-2008-5027, which hasn't been committed to Nagios 3.0.5?

And patch for:
"Disabled adaptive check and eventhandler commands for security reasons" (also from 3.0.6 Changelog)
is: http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&amp;r2=1.110&amp;pathrev=MAIN

Is this also part of "incomplete" fix for CVE-2008-5027 in 3.0.5?
i.e. nothing security related was fixed in 3.0.6 and all the
changes committed are only due late upstream committing of patches
for CVE-2008-502{7,8}?

Thanks!, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.