Subject: [USN-698-2] Nagios3 vulnerabilities
From: Marc Deslauriers <marc.deslauriers@canonical.com.>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
X-Original-To: marc.deslauriers@cleanmail.canonical.com
X-Mailcontrol-Inbound:
uq3drnD2P+ps5SfEb0fvr78+NoP1DHBZwGqKpaXB2eTgNv8D6KLIxb8+NoP1DHBZ8VSaBg0k0xw=
X-Spam-Score: -4.2
X-Scanned-By: MailControl A_08_51_00 (www.mailcontrol.com) on 10.69.0.121
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-mYyGRrkIRz8XgQEsC6l+"
Date: Mon, 22 Dec 2008 09:36:42 -0500
Message-Id: <1229956602.23276.9.camel@mdlinux.technorage.com.>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.2
X-Virus-Scanned: antivirus-gw at tyumen.ru
--=-mYyGRrkIRz8XgQEsC6l+
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-698-2 December 22, 2008
nagios3 vulnerabilities
CVE-2008-5027, CVE-2008-5028
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.10:
nagios3 3.0.2-1ubuntu1.1
After a standard system upgrade you need to restart Nagios to effect
the necessary changes.
Details follow:
It was discovered that Nagios was vulnerable to a Cross-site request forger=
y
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE comman=
ds.
(CVE-2008-5028)
It was discovered that Nagios did not properly parse commands submitted usi=
ng
the web interface. An authenticated user could use a custom form or a brows=
er
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ub=
untu1.1.diff.gz
Size/MD5: 38086 84020bf2660e52ef176a2274971e4c1b
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ub=
untu1.1.dsc
Size/MD5: 1644 868828fdabd748689e35083aa052a483
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2.ori=
g.tar.gz
Size/MD5: 2759331 008d71aac08660bc007f7130ea82ab80
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-common_3.=
0.2-1ubuntu1.1_all.deb
Size/MD5: 72216 1cccb3e8640dbd2612caf7841ae1756b
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-doc_3.0.2=
-1ubuntu1.1_all.deb
Size/MD5: 2063224 9769666c13c1d886228f66ff40dc729a
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-dbg_3.0.2=
-1ubuntu1.1_amd64.deb
Size/MD5: 2660164 381e889f994b102f6e65acc67f032f7a
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ub=
untu1.1_amd64.deb
Size/MD5: 1538712 8ce98eee89e13bc544180c73c9d24ba0
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3-dbg_3.0.2=
-1ubuntu1.1_i386.deb
Size/MD5: 2429130 87889b6dc28b86c4aae3d0acdd9950e9
http://security.ubuntu.com/ubuntu/pool/main/n/nagios3/nagios3_3.0.2-1ub=
untu1.1_i386.deb
Size/MD5: 1387398 ec353697aced7539893ef9409d850120
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.=
1_lpia.deb
Size/MD5: 2479724 433504296b1650a7d393ab28d9b264b7
http://ports.ubuntu.com/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_lp=
ia.deb
Size/MD5: 1376480 be232a1c16b5daff63b586f2cd66b9eb
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.=
1_powerpc.deb
Size/MD5: 2630802 167b533ea10d8962df5bc5904133c067
http://ports.ubuntu.com/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_po=
werpc.deb
Size/MD5: 1525154 0679044c20e6a53c9311f2670834035b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/n/nagios3/nagios3-dbg_3.0.2-1ubuntu1.=
1_sparc.deb
Size/MD5: 2327204 f40329c8a8216799a365d185bcc2a646
http://ports.ubuntu.com/pool/main/n/nagios3/nagios3_3.0.2-1ubuntu1.1_sp=
arc.deb
Size/MD5: 1379752 04408878bff9de5f485c7da2c6ffde4d
--=-mYyGRrkIRz8XgQEsC6l+
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAYFAklPpfgACgkQLMAs/0C4zNpDNQCghNyH1tzwJKxy8CXSiIIzUXFQ
NHYAoIRdJ1EZWi6MB04DPzzobx3KG9TE
=gM9K
-----END PGP SIGNATURE-----
--=-mYyGRrkIRz8XgQEsC6l+--
