Ubuntu: Nagios3 vulnerabilities
Posted by Benjamin D. Thomas   
===========================================================
Ubuntu Security Notice USN-698-2          December 22, 2008
nagios3 vulnerabilities
CVE-2008-5027, CVE-2008-5028
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  nagios3                         3.0.2-1ubuntu1.1

After a standard system upgrade you need to restart Nagios to effect
the necessary changes.
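To verify that an installed nagios3 package is at or past the fixed version named above, the following added example (not Ubuntu's or dpkg's code) implements the Debian/Ubuntu version-ordering rules in pure Python; the fixed-version table is taken from this notice, everything else is the example's own:

```python
# Added example: Debian/Ubuntu version ordering, used to check an installed
# nagios3 against the fixed version in USN-698-2 (not dpkg's own code).
import re

FIXED_VERSIONS = {"nagios3": "3.0.2-1ubuntu1.1"}   # from this notice, Ubuntu 8.10

def _char_order(c):
    # dpkg order: '~' < end of string < letters < every other character
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigits(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (compared char by char) and digit runs (compared numerically).
    while a or b:
        xa, xb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigits(xa, xb)
        if r:
            return r
        a, b = a[len(xa):], b[len(xb):]
        xa, xb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(xa or 0) != int(xb or 0):
            return -1 if int(xa or 0) < int(xb or 0) else 1
        a, b = a[len(xa):], b[len(xb):]
    return 0

def _split(version):
    # [epoch:]upstream[-debian_revision]; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a sorts before, equal to, or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(package, installed_version):
    """True if the installed version is at least the fixed version from this notice."""
    return compare_versions(installed_version, FIXED_VERSIONS[package]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' nagios3` on the host; a result of False means the package still needs the upgrade (and Nagios the restart) described above.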

Details follow:

It was discovered that Nagios was vulnerable to cross-site request forgery
(CSRF). If an authenticated nagios user were tricked into clicking a link on a
specially crafted web page, an attacker could trigger commands to be processed
by Nagios and execute arbitrary programs. This update alters Nagios behaviour
by disabling submission of CMD_CHANGE commands. (CVE-2008-5028)

It was discovered that Nagios did not properly parse commands submitted using
the web interface. An authenticated user could use a custom form or a browser
addon to bypass security restrictions and submit unauthorized commands.
(CVE-2008-5027)
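The two fixes described above, a session-bound token against cross-site submission and strict allow-list parsing of the submitted command with the CMD_CHANGE family refused, as an added example of a hardened command handler. This is not Nagios code: the field names, command ids and command names are constructed for illustration and are not the real cmd.cgi values.

```python
# Added example (not Nagios code): a hardened external-command handler built
# around the two fixes in this notice. Field names, command ids and names are
# constructed for illustration and are not Nagios's real cmd.cgi values.
import hmac, hashlib, re, secrets

SECRET_KEY = secrets.token_bytes(32)   # per-process key for session-bound tokens (constructed)

# Constructed allow-list of command ids; the CHANGE_* family stands in for the
# CMD_CHANGE commands whose submission the update disables.
COMMANDS = {
    1: "ENABLE_HOST_NOTIFICATIONS",
    2: "DISABLE_HOST_NOTIFICATIONS",
    3: "ACKNOWLEDGE_HOST_PROBLEM",
    4: "CHANGE_HOST_CHECK_COMMAND",
}
DISABLED_PREFIX = "CHANGE_"

def mint_token(session_id):
    """Synchronizer token tied to the login session; embed it in the command form."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def validate_command_request(form, session_id):
    """Return (accepted, detail): detail is the command name or the rejection reason.

    form is the dict of posted fields, e.g. {"cmd_typ": "1", "csrf_token": "..."}.
    """
    # 1. CSRF (CVE-2008-5028): a link on a third-party page cannot carry the
    #    session-bound token, so a cross-site submission is refused here.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, mint_token(session_id)):
        return False, "missing or wrong CSRF token"
    # 2. Strict parsing (CVE-2008-5027): the id must be a plain decimal integer
    #    present in the allow-list, so a custom form or browser addon cannot
    #    smuggle in a malformed or unlisted command.
    raw = form.get("cmd_typ", "")
    if not re.fullmatch(r"[0-9]+", raw):
        return False, "cmd_typ is not a decimal integer"
    name = COMMANDS.get(int(raw))
    if name is None:
        return False, "unknown command id " + raw
    # 3. Policy: refuse the CHANGE_* family outright, as the update does for CMD_CHANGE.
    if name.startswith(DISABLED_PREFIX):
        return False, name + " is disabled by policy"
    return True, name
```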


Updated packages for Ubuntu 8.10:

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce