Package: nagios3
Severity: grave
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for Nagios.

SA32610[1]:
> Andreas Ericsson has discovered a vulnerability in Nagios, which can be
> exploited by malicious people to conduct cross-site request forgery
> attacks.
>
> The application allows users to perform certain actions via HTTP requests
> to "cmd.cgi" without performing any validity checks to verify the request.
> This can be exploited to execute certain Nagios commands (e.g. to disable
> notifications) when a logged-in administrator visits a malicious web site.
>
> The vulnerability is confirmed in version 3.0.5. Other versions may also be
> affected.

A proposed patch is available at [2].

If you fix the vulnerability please also make sure to include the SA id (or the CVE id when one is assigned) in the changelog entry.

[1]http://secunia.com/Advisories/32610/
[2]http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net