Package: nagios4
Version: 4.4.6-4.1
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Dear Maintainer,

the Nagios Core project recently patched a security vulnerability in its most recent version 4.5.12, published on 2026-03-25. The fixed vulnerability is a CSRF issue in the command CGI handler. The issue does not (yet?) have a CVE, which is probably why this went unnoticed.

Please prepare a new version with the upstream fix, thanks!

Fix commit:
https://github.com/NagiosEnterprises/nagioscore/commit/e5ed38e53a5d65721520c7c67be0746d63da28cb

Additional relevant commits that add a config option to get the old, insecure behavior back:
https://github.com/NagiosEnterprises/nagioscore/pull/1055

Changelog mentioning the fix of the vulnerability:
https://github.com/NagiosEnterprises/nagioscore/blob/nagios-4.5.12/Changelog

Public disclosure, unfortunately no CVE:
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/

-- System Information:
Debian Release: 13.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.19.14-200.fc43.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages nagios4 depends on:
ii  nagios4-cgi     4.4.6-4.1
ii  nagios4-common  4.4.6-4.1
ii  nagios4-core    4.4.6-4.1

nagios4 recommends no packages.

Versions of packages nagios4 suggests:
pn  nagios-nrpe-plugin  <none>

-- no debconf information

