Hello community, here is the log from the commit of package nagios for openSUSE:11.4 checked in at Wed Jul 6 18:36:37 CEST 2011.
-------- --- old-versions/11.4/all/nagios/nagios.changes 2010-10-06 22:25:41.000000000 +0200 +++ 11.4/nagios/nagios.changes 2011-07-05 13:43:49.000000000 +0200 @@ -1,0 +2,7 @@ +Sat Jul 2 09:43:53 UTC 2011 - [email protected] + +- added nagios-3.2.3-CVE-2011-1523.patch to fix + CVE-2011-1523 (bnc#682966) +- patch fixes also CVE-2011-2179 (bnc#697895) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/nagios Destination is old-versions/11.4/UPDATES/all/nagios calling whatdependson for 11.4-i586 New: ---- nagios-3.2.3-CVE-2011-1523.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nagios.spec ++++++ --- /var/tmp/diff_new_pack.JD8jtC/_old 2011-07-06 18:33:50.000000000 +0200 +++ /var/tmp/diff_new_pack.JD8jtC/_new 2011-07-06 18:33:50.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package nagios (Version 3.2.3) +# spec file for package nagios # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %define nnmmsg logger -t %{name}/rpm Summary: The Nagios Network Monitor Version: 3.2.3 -Release: 1 +Release: 3.<RELEASE4> License: GPLv2+ Group: System/Monitoring Url: http://www.nagios.org/ 
@@ -50,6 +50,8 @@ Patch3: nagios-fix_encoding_trends.cgi.patch # PATCH-FIX-UPSTREAM Fixes handling of forced checks Patch4: nagios-fix_forced_servicechecks.patch +# PATCH-FIX-UPSTREAM Fixes CVE-2011-1523 and CVE-2011-2179 +Patch5: nagios-3.2.3-CVE-2011-1523.patch # PATCH-FIX-UPSTREAM deleting comments removed more elements from the hashlist than it should (http://tracker.nagios.org/view.php?id=80) Patch7: nagios-3.2.1-delete_correct_comment.patch # PATCH-FIX-OPENSUSE openSUSE uses a special location for p1.pl @@ -183,6 +185,7 @@ %patch2 -p0 %patch3 -p0 %patch4 -p0 +%patch5 -p0 %patch7 -p0 %patch10 -p0 %patch11 -p0 @@ -317,6 +320,9 @@ %fdupes -s %{buildroot} %endif +%check +make test-perl + %clean %{__rm} -rf %{buildroot} ++++++ nagios-3.2.3-CVE-2011-1523.patch ++++++ Index: cgi/config.c =================================================================== --- cgi/config.c.orig +++ cgi/config.c @@ -2275,9 +2275,9 @@ void display_command_expansion(void){ if ((*to_expand)!='\0'){ arg_count[0]=0; - printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",command_args[0]); + printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",escape_string(command_args[0])); for (i=1;(i<MAX_COMMAND_ARGUMENTS)&&command_args[i];i++) - printf("!<FONT\n COLOR='%s'>%s</FONT>",hash_color(i),command_args[i]); + printf("!<FONT\n COLOR='%s'>%s</FONT>",hash_color(i),escape_string(command_args[i])); printf("\n</TD></TR>\n"); /* check all commands */ Index: cgi/statusmap.c =================================================================== --- cgi/statusmap.c.orig +++ cgi/statusmap.c 
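Review bot: In the cgi/config.c hunk only the two `command_args` prints in the "To expand:" row are wrapped in `escape_string()`. `display_command_expansion` continues past the hunk (the `/* check all commands */` section), so it is not visible whether later output echoes `to_expand` or `command_args[i]` unescaped; that needs checking against the full file. The value is presumably derived from the `expand` query parameter that t/618cgisecurity.t exercises, so a comment above the first printf would record why the wrapping is there, e.g. `/* command_args come from the request; escape before writing them into the HTML table */`. `command_args[0]` is also passed to `escape_string()` without the non-NULL test that the loop applies to `command_args[i]`, and the hunk does not show whether `escape_string()` tolerates NULL.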
@@ -2404,7 +2404,7 @@ void print_layer_url(int get_method){ for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){ if(get_method==TRUE) - printf("&layer=%s",temp_layer->layer_name); + printf("&layer=%s",escape_string(temp_layer->layer_name)); else printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name)); }
Index: t/618cgisecurity.t
===================================================================
--- /dev/null
+++ t/618cgisecurity.t
@@ -0,0 +1,23 @@
+#!/usr/bin/perl
+#
+# Check that you CGI security errors are fixed
+
+use warnings;
+use strict;
+use Test::More;
+use FindBin qw($Bin);
+
+chdir $Bin or die "Cannot chdir";
+
+my $topdir = "$Bin/..";
+my $cgi_dir = "$topdir/cgi";
+
+plan 'no_plan';
+
+my $output = `NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET QUERY_STRING="layer=' style=xss:expression(alert('XSS')) '" $cgi_dir/statusmap.cgi`;
+unlike( $output, qr/' style=xss:expression\(alert\('XSS'\)\) '/, "XSS injection not passed straight through" );
+like( $output, qr/' style=xss:expression(alert('XSS')) '/, "Expected escaping of quotes" ) || diag $output;
+
+
+$output = `REMOTE_USER=nagiosadmin NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET QUERY_STRING="type=command&expand=<body onload=alert(666)>" $cgi_dir/config.cgi`;
+unlike( $output, qr/<body onload=alert\(666\)>/, "XSS injection not passed through" ) || diag ($output);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
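Review bot: In the `get_method==TRUE` branch of the cgi/statusmap.c hunk the layer name is written into a query string (`&layer=%s`), but it gets the same `escape_string()` call as the hidden-input `value` attribute in the `else` branch, and these are two different output contexts. `escape_string()` is defined outside the hunk; if it produces HTML entities, a browser decodes them when the URL sits in an attribute, so a layer name containing `&`, `#`, `+` or a space would still alter the query string. Percent-encoding the value for the URL, e.g. `printf("&layer=%s",url_encode(temp_layer->layer_name));` if the tree's `url_encode()` helper is usable here, and HTML-escaping the finished URL where it is embedded would handle each context. `print_layer_url` begins outside the hunk, so the callers that decide where this URL lands are not visible.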
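Review bot: The config.cgi check in t/618cgisecurity.t can pass without testing anything, because its only assertion is `unlike`, which an empty `$output` satisfies (CGI not built, not executable, or exiting before it renders). A positive assertion before it, such as `ok( length $output, "config.cgi produced output" );`, plus a `like` on the escaped form of the payload, would make a failed run visible. Separately, as rendered on this page the `like` pattern for statusmap.cgi has unescaped parentheses, so Perl would treat them as regex groups instead of literal text. This may be the archive decoding HTML entities that the original pattern contained, so confirm it against the patch file itself. `plan 'no_plan';` could also be replaced by a trailing `done_testing;` if the Test::More in use supports it.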
