Package: release.debian.org
Severity: normal
X-Debbugs-Cc: nag...@packages.debian.org
Control: affects -1 + src:nagvis
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package nagvis
The CVEs fixed in 1.9.47 were not marked no-dsa as I had expected.
[ Reason ]
The security team filed #1106686 to get the CVE fixes into trixie.
[ Impact ]
Unfixed security issues.
[ Tests ]
None
[ Risks ]
Low, has few users.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
N/A
unblock nagvis/1:1.9.47-1
Kind Regards,
Bas
diff -Nru nagvis-1.9.46/ChangeLog nagvis-1.9.47/ChangeLog
--- nagvis-1.9.46/ChangeLog 2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/ChangeLog 2025-05-23 08:56:15.000000000 +0200
@@ -1,3 +1,10 @@
+1.9.47
+ * FIX: Don't show complete backtrace if crashing. Now the backtrace is being
logged to the apache error log
+ * FIX: Fix potential XSS via WYSIWYG editor. Now the option to edit these
such elements is moved to a specific
+ permission and only administrators can use this editor per default.
(CVE-2024-47090)
+ * FIX: Fix possible livestatus injection via dynmaps (CVE-2024-38866) (#398
Thanks to Shortfinga)
+ (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L)
+
1.9.46
* Feature: add option to verify session cookie via curl. Before when having
allow_url_fopen
disabled, NagVis was not able to verify the session cookie. Now you can
use curl to verify
diff -Nru nagvis-1.9.46/debian/changelog nagvis-1.9.47/debian/changelog
--- nagvis-1.9.46/debian/changelog 2025-04-05 13:34:03.000000000 +0200
+++ nagvis-1.9.47/debian/changelog 2025-05-28 05:34:26.000000000 +0200
@@ -1,3 +1,19 @@
+nagvis (1:1.9.47-1) unstable; urgency=medium
+
+ * Team upload.
+ * Move from experimental to unstable.
+
+ -- Bas Couwenberg <sebas...@debian.org> Wed, 28 May 2025 05:34:26 +0200
+
+nagvis (1:1.9.47-1~exp1) experimental; urgency=medium
+
+ * Team upload.
+ * New upstream release.
+ Fixes: CVE-2024-38866 & CVE-2024-47090.
+ * Add Catalan debconf translation by Carles Pina i Estany.
+
+ -- Bas Couwenberg <sebas...@debian.org> Fri, 23 May 2025 15:10:32 +0200
+
nagvis (1:1.9.46-1) unstable; urgency=medium
* Team upload.
diff -Nru nagvis-1.9.46/debian/po/ca.po nagvis-1.9.47/debian/po/ca.po
--- nagvis-1.9.46/debian/po/ca.po 1970-01-01 01:00:00.000000000 +0100
+++ nagvis-1.9.47/debian/po/ca.po 2025-05-23 15:08:01.000000000 +0200
@@ -0,0 +1,72 @@
+# Catalan translation of nagvis's debconf messages
+# Copyright © 2025 Free Software Foundation, Inc.
+# This file is distributed under the same license as the nagvis package.
+# poc senderi <pocsend...@protonmail.com>, 2025.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: nagvis\n"
+"Report-Msgid-Bugs-To: nag...@packages.debian.org\n"
+"POT-Creation-Date: 2020-01-21 20:05+0100\n"
+"PO-Revision-Date: 2025-04-03 21:25+0200\n"
+"Last-Translator: poc senderi <pocsend...@protonmail.com>\n"
+"Language-Team: Catalan <debian-l10n-cata...@lists.debian.org>\n"
+"Language: ca\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 2.4.2\n"
+
+#. Type: select
+#. Choices
+#: ../nagvis.templates:2001
+msgid "shinken"
+msgstr "shinken"
+
+#. Type: select
+#. Description
+#: ../nagvis.templates:2002
+msgid "Monitoring suite used with NagVis:"
+msgstr "Suite de monitorització utilitzada amb el NagVis:"
+
+#. Type: select
+#. Description
+#: ../nagvis.templates:2002
+msgid ""
+"The NagVis package supports Icinga as well as Nagios, using the check-mk-"
+"live broker backend."
+msgstr ""
+"El paquet NagVis és compatible amb l'Icinga i amb el Nagios, utilitzant el "
+"dorsal intermediari «check-mk-live»."
+
+#. Type: select
+#. Description
+#: ../nagvis.templates:2002
+msgid ""
+"If you would like to use NagVis with a different backend or a different "
+"monitoring suite, please choose \"other\". You'll have to configure it "
+"manually."
+msgstr ""
+"Si voleu utilitzar el NagVis amb un dorsal diferent o amb una suite de "
+"monitorització diferent, trieu «other». S'haurà de configurar manualment."
+
+#. Type: boolean
+#. Description
+#: ../nagvis.templates:3001
+msgid "Delete NagVis data when purging the package?"
+msgstr "Voleu suprimir les dades del NagVis al purgar el paquet?"
+
+#. Type: boolean
+#. Description
+#: ../nagvis.templates:3001
+msgid ""
+"NagVis creates files in /var/{cache,lib}/nagvis and /etc/nagvis (for "
+"instance background images and map files), including a small database for "
+"authentification. If you don't need any of these files, they can be removed "
+"now, or you may want to keep them and clean up by hand later."
+msgstr ""
+"El NagVis crea fitxers a «/var/{cache,lib}/nagvis» i a «/etc/nagvis» (per "
+"exemple, imatges de fons i fitxers de mapa), incloent una petita base de "
+"dades per a l'autenticació. Si no necessiteu cap d'aquests fitxers, es "
+"poden eliminar ara, o també és possible que mantenir-los i fer neteja "
+"manualment més endavant."
diff -Nru nagvis-1.9.46/share/server/core/classes/CoreAuthorisationHandler.php
nagvis-1.9.47/share/server/core/classes/CoreAuthorisationHandler.php
--- nagvis-1.9.46/share/server/core/classes/CoreAuthorisationHandler.php
2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/classes/CoreAuthorisationHandler.php
2025-05-23 08:56:15.000000000 +0200
@@ -53,6 +53,7 @@
'createObject' => 'edit',
'deleteObject' => 'edit',
'addModify' => 'edit',
+ 'editHtml' => 'edit',
),
'Overview' => Array(
'getOverviewRotations' => 'view',
diff -Nru nagvis-1.9.46/share/server/core/classes/GlobalMapCfg.php
nagvis-1.9.47/share/server/core/classes/GlobalMapCfg.php
--- nagvis-1.9.46/share/server/core/classes/GlobalMapCfg.php 2025-04-04
18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/classes/GlobalMapCfg.php 2025-05-23
08:56:15.000000000 +0200
@@ -800,7 +800,7 @@
if(isset($params['source_file']))
unset($params['source_file']);
$param_values = $this->paramsToString($params);
- $cacheFile =
cfg('paths','var').'source-'.$this->name.'.cfg-'.$param_values.'-'.$this->isView.'-'.CONST_VERSION.'.cache';
+ $cacheFile =
cfg('paths','var').'source-'.$this->name.'.cfg-'.sha1($param_values.'-'.$this->isView.'-'.CONST_VERSION).'.cache';
$CACHE = new GlobalFileCache(array(), $cacheFile);
// 2a. Check if the cache file exists
diff -Nru nagvis-1.9.46/share/server/core/classes/ViewMapAddModify.php
nagvis-1.9.47/share/server/core/classes/ViewMapAddModify.php
--- nagvis-1.9.46/share/server/core/classes/ViewMapAddModify.php
2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/classes/ViewMapAddModify.php
2025-05-23 08:56:15.000000000 +0200
@@ -116,6 +116,11 @@
$perm_user = get_checkbox('perm_user');
$show_dialog = false;
+ global $AUTHORISATION;
+ if(!$AUTHORISATION->isPermitted('Map', 'editHtml', '*')) {
+ throw new NagVisException(l('Cannot edit HTML. Please contact your
administrator'));
+ }
+
// Modification/Creation?
// The object_id is known on modification. When it is not known 'type'
is set
// to create new objects
diff -Nru nagvis-1.9.46/share/server/core/defines/global.php
nagvis-1.9.47/share/server/core/defines/global.php
--- nagvis-1.9.46/share/server/core/defines/global.php 2025-04-04
18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/defines/global.php 2025-05-23
08:56:15.000000000 +0200
@@ -23,7 +23,7 @@
*****************************************************************************/
// NagVis Version
-define('CONST_VERSION', '1.9.46');
+define('CONST_VERSION', '1.9.47');
// Set PHP error handling to standard level
// Different levels for php versions below 5.1 because PHP 5.1 reports
diff -Nru nagvis-1.9.46/share/server/core/functions/html.php
nagvis-1.9.47/share/server/core/functions/html.php
--- nagvis-1.9.46/share/server/core/functions/html.php 2025-04-04
18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/functions/html.php 2025-05-23
08:56:15.000000000 +0200
@@ -271,6 +271,11 @@
if (submitted($form_name))
$default = post($name, $default);
+ global $AUTHORISATION;
+ if(!$AUTHORISATION->isPermitted('Map', 'editHtml', '*')) {
+ echo '<b>Cannot edit HTML. Please contact your administrator.</b>';
+ return;
+ }
// plain <textarea>
echo '<textarea id="textarea_'.$name.'"
name="'.$name.'"'.$class.$style.'>'.escape_html($default).'</textarea>'.N;
diff -Nru nagvis-1.9.46/share/server/core/functions/nagvisErrorHandler.php
nagvis-1.9.47/share/server/core/functions/nagvisErrorHandler.php
--- nagvis-1.9.46/share/server/core/functions/nagvisErrorHandler.php
2025-04-04 18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/functions/nagvisErrorHandler.php
2025-05-23 08:56:15.000000000 +0200
@@ -37,7 +37,9 @@
echo $OBJ;
} else {
echo "Error (".get_class($OBJ)."): ".$OBJ->getMessage();
- var_dump(debug_backtrace());
+ echo "<br>";
+ echo "For more information check the apache error log.";
+ error_log(print_r(debug_backtrace(), true));
}
die();
diff -Nru nagvis-1.9.46/share/server/core/sources/dynmap.php
nagvis-1.9.47/share/server/core/sources/dynmap.php
--- nagvis-1.9.46/share/server/core/sources/dynmap.php 2025-04-04
18:02:07.000000000 +0200
+++ nagvis-1.9.47/share/server/core/sources/dynmap.php 2025-05-23
08:56:15.000000000 +0200
@@ -7,7 +7,7 @@
$objects = array();
$type = $p['dynmap_object_types'];
- $filter = str_replace('\n', "\n", $p['dynmap_object_filter']);
+ $filter = preg_replace('/(\\\\n)+/', "\n", $p['dynmap_object_filter']);
foreach($MAPCFG->getValue(0, 'backend_id') AS $backend_id) {
$ret = $_BACKEND->getBackend($backend_id)->getObjects($type, '', '',
$filter);
// only use the internal names
