Nagios has been upgraded to fix this problem. We shouldn't have been
that vulnerable since you need to have a UGCS login to get to our nagios
page, but it's fixed either way.
Thanks, Joshua
Nico Golde wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA-1825-1                        security@...
> http://www.debian.org/security/                              Nico Golde
> July 3rd, 2009                      http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package : nagios2, nagios3
> Vulnerability : insufficient input validation
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2009-2288
>
>
> It was discovered that the statuswml.cgi script of nagios, a monitoring
> and management system for hosts, services and networks, is prone to a
> command injection vulnerability. Input to the ping and traceroute
> parameters of the script is not properly validated which allows an
> attacker to execute arbitrary shell commands by passing a crafted value
> to these parameters.
>
>
> For the oldstable distribution (etch), this problem has been fixed in
> version 2.6-2+etch3 of nagios2.
>
> For the stable distribution (lenny), this problem has been fixed in
> version 3.0.6-4~lenny2 of nagios3.
>
> For the testing distribution (squeeze), this problem has been fixed in
> version 3.0.6-5 of nagios3.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.0.6-5 of nagios3.
>
>
> We recommend that you upgrade your nagios2/nagios3 packages.
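
The advisory quoted above comes down to a request parameter reaching a shell command line unvalidated. As an added example (not the Nagios source and not the Debian patch), the C sketch below shows the defensive pattern for a CGI that pings a user-supplied host: allowlist the characters, then pass the value as a single argv element with no shell involved. The names is_valid_host_arg and run_ping and the /bin/ping path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only hostname / IP-literal characters.
 * Returns 1 if the value may be used as one argv element, 0 otherwise. */
int is_valid_host_arg(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > 255) return 0;
    if (s[0] == '-') return 0;              /* would be parsed as an option */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;                       /* shell metacharacters, spaces, quotes */
    }
    return 1;
}

/* Hypothetical helper: run ping without a shell, host as a single argument.
 * Returns ping's exit status, or -1 if the value is rejected or on error. */
int run_ping(const char *host)
{
    if (!is_valid_host_arg(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execv("/bin/ping", argv);           /* assumed path; no /bin/sh in between */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a plain address and one carrying a metacharacter. */
    const char *samples[] = { "192.0.2.10", "192.0.2.10;x" };
    for (int i = 0; i < 2; i++)
        printf("%-14s -> %s\n", samples[i],
               is_valid_host_arg(samples[i]) ? "accept" : "reject");
    return 0;
}
```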