Please remove Justin Bellmor from your listserve. Justin passed away
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> -
> ---
> ---------------------------------------------------------------------
> Debian Security Advisory DSA-1883-2
security@...
>
http://www.debian.org/security/ Giuseppe Iuculano
> September 14, 2009
http://www.debian.org/security/faq> -
> ---
> ---------------------------------------------------------------------
>
> Package : nagios2
> Vulnerability : missing input sanitising
> Problem type : remote
> Debian-specific: no
> CVE Ids : CVE-2007-5624 CVE-2007-5803 CVE-2008-1360
> Debian Bugs : 448371 482445 485439
>
> The previous nagios2 update introduced a regression, which caused
> status.cgi to segfault when used directly without specifying the
> 'host'
> variable. This update fixes the problem. For reference the original
> advisory text follows.
>
>
> Several vulnerabilities have been found in nagios2, ahost/service/
> network
> monitoring and management system. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
>
> Several cross-site scripting issues via several parameters were
> discovered in the CGI scripts, allowing attackers to inject arbitrary
> HTML code. In order to cover the different attack vectors, these
> issues
> have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360.
>
>
>
> For the oldstable distribution (etch), these problems have been
> fixed in
> version 2.6-2+etch5.
>
> The stable distribution (lenny) does not include nagios2 and nagios3
> is
> not affected by these problems.
>
> The testing distribution (squeeze) and the unstable distribution (sid)
> do not contain nagios2 and nagios3 is not affected by these problems.
>
>
> We recommend that you upgrade your nagios2 packages.
>
>
> Upgrade instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Debian GNU/Linux 5.0 alias lenny
> - --------------------------------
>
> Debian (oldstable)
> - ------------------
>
> Oldstable updates are available for alpha, amd64, arm, hppa, i386,
> ia64, mips, mipsel, powerpc, s390 and sparc.
>
> Source archives:
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5.diff.gz> Size/MD5 checksum: 35726 1c9d7955bb59162fa82934ef12c53d73
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5.dsc> Size/MD5 checksum: 948 93eeeb6eb5ba0d7d3d5c659f9cc762e4
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz> Size/MD5 checksum: 1734400 a032edba07bf389b803ce817e9406c02
>
> Architecture independent packages:
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch5_all.deb> Size/MD5 checksum: 59516 8edae60c2b64183afbd5b5c5c79df649
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch5_all.deb> Size/MD5 checksum: 1150060 c5b23e507b405aed13e6148381a5161f
>
> alpha architecture (DEC Alpha)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_alpha.deb> Size/MD5 checksum: 1222220 33fac2a26d60b48a2e3d6cc03ef161f2
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_alpha.deb> Size/MD5 checksum: 1703082 685386628adefdea4ef139d8d073be57
>
> amd64 architecture (AMD x86_64 (AMD64))
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_amd64.deb> Size/MD5 checksum: 1688192 fdc3c934dc4e0afa728d9789fc1071aa
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_amd64.deb> Size/MD5 checksum: 1098470 c08807062733811fa047eb15d9727c82
>
> arm architecture (ARM)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_arm.deb> Size/MD5 checksum: 1025042 a9d7fa95c7eac54287a2e73478ea3ba6
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_arm.deb> Size/MD5 checksum: 1537944 59b06b0f6ae1061d01a7f1a7b85fb4b4
>
> hppa architecture (HP PA RISC)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_hppa.deb> Size/MD5 checksum: 1621998 07cca557bc05cb0f4845f05c0d2b9311
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_hppa.deb> Size/MD5 checksum: 1148900 d5b10578c95a21ce66ff11cc5a870047
>
> i386 architecture (Intel ia32)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_i386.deb> Size/MD5 checksum: 1587914 84dcc6957ce50c2b6e7ff243d21b5e8d
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_i386.deb> Size/MD5 checksum: 1017162 d57c40f4621e185fee5fe0bbd814b7d5
>
> ia64 architecture (Intel ia64)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_ia64.deb> Size/MD5 checksum: 1623636 7abc0f025330c87d2c7a9b4bf3252d16
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_ia64.deb> Size/MD5 checksum: 1711368 59bd21369a4a978d1509fe15f7b59349
>
> mipsel architecture (MIPS (Little Endian))
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_mipsel.deb> Size/MD5 checksum: 1663800 7fae1ba19b03ab963b9a4dfa2055cfc5
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_mipsel.deb> Size/MD5 checksum: 1104990 2536c8ff0b839a7028fc605b2f2faab8
>
> powerpc architecture (PowerPC)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_powerpc.deb> Size/MD5 checksum: 1667892 06826d82ff58171d82bdee8c3eb32b61
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_powerpc.deb> Size/MD5 checksum: 1088416 0552ad5628f45dd8a0e69d0f126a40b1
>
> sparc architecture (Sun SPARC/UltraSPARC)
>
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_sparc.deb> Size/MD5 checksum: 1485348 46f02971253b25e3e9622bc95863d022
>
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_sparc.deb> Size/MD5 checksum: 988288 d289d9b68334c7c5a1486771136cac4c
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> -
> ---
> ---
> ---
> ---
> ---------------------------------------------------------------------
> For apt-get: deb
http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/
> updates/main
> Mailing list:
debian-security-announce@...
> Package info: `apt-cache show <pkg>' and
http://packages.debian.org/
> <pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAkquV9MACgkQ62zWxYk/rQeIDACfQYbt5mrdv8WsxrF9XedJoFuk
> pRIAnjQKB2pY0CtUeUQBLt+njobuqbJJ
> =IyDf
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to
debian-security-announce-REQUEST@...
> with a subject of "unsubscribe". Trouble? Contact
listmaster@...
>
with a subject of "unsubscribe". Trouble? Contact
