Your message dated Fri, 29 May 2026 23:07:09 +0000
with message-id <[email protected]>
and subject line Bug#1136340: fixed in nagios4 4.4.6-4+deb12u1
has caused the Debian Bug report #1136340,
regarding nagios4: CSRF vulnerability fixed upstream, unfixed in Debian
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136340
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios4
Version: 4.4.6-4.1
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Dear Maintainer,
the Nagios Core project recently patched a security vulnerability in its most
recent version 4.5.12, published on 2026-03-25. The fixed vulnerability is a
CSRF issue in the command CGI handler.
The issue does not (yet?) have a CVE, which is probably why this went unnoticed.
Please prepare a new version with the upstream fix, thanks!
Fix commit:
https://github.com/NagiosEnterprises/nagioscore/commit/e5ed38e53a5d65721520c7c67be0746d63da28cb
Additional relevant commits that add a config option to get the old, insecure
behavior back: https://github.com/NagiosEnterprises/nagioscore/pull/1055
Changelog mentioning the fix of the vulnerability:
https://github.com/NagiosEnterprises/nagioscore/blob/nagios-4.5.12/Changelog
Public disclosure, unfortunately no CVE:
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
-- System Information:
Debian Release: 13.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.14-200.fc43.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages nagios4 depends on:
ii nagios4-cgi 4.4.6-4.1
ii nagios4-common 4.4.6-4.1
ii nagios4-core 4.4.6-4.1
nagios4 recommends no packages.
Versions of packages nagios4 suggests:
pn nagios-nrpe-plugin <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: nagios4
Source-Version: 4.4.6-4+deb12u1
Done: Russell Stuart <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nagios4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russell Stuart <[email protected]> (supplier of updated nagios4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 May 2026 21:00:00 +1000
Source: nagios4
Architecture: source
Version: 4.4.6-4+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Russell Stuart <[email protected]>
Changed-By: Russell Stuart <[email protected]>
Closes: 1136340
Changes:
nagios4 (4.4.6-4+deb12u1) bookworm-security; urgency=high
.
* CSRF Security Fix backported from upstream 4.5.12 commit
e5ed38e53a5d65721520c7c67be0746d63da28cb (cgi/cmd.c and
html/index.php.in). See
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
for the upstream disclosure. No CVE assigned.
Closes: #1136340.
* This can break third party integrations that POST to cmd.cgi
without first setting NagFormId (the CSRF check fails). Upstream
PR 1055 has been added as a workaround - see README.Debian.
Checksums-Sha1:
 5564b9896f087be1eabedaf15492a17ce925b500 2010 nagios4_4.4.6-4+deb12u1.dsc
 d52e26d6a17ac70f01d87e9329b20436fff1f1a7 11333414 nagios4_4.4.6.orig.tar.gz
 e151e480a654e4018a8ba87361d18811d9f98e5f 1096632 nagios4_4.4.6-4+deb12u1.debian.tar.xz
 cfef5bfb261353ace6a9bcd0d830a597cafff506 11148 nagios4_4.4.6-4+deb12u1_amd64.buildinfo
Checksums-Sha256:
 dce92264fe10671398116fca79bd1c7caf62a4f9afa1e9df7c8738d92507218e 2010 nagios4_4.4.6-4+deb12u1.dsc
 ab0d5a52caf01e6f4dcd84252c4eb5df5a24f90bb7f951f03875eef54f5ab0f4 11333414 nagios4_4.4.6.orig.tar.gz
 f195d76a7044a1d75a19eb24279eab543428f6e760c015573e27fb13fc079d1d 1096632 nagios4_4.4.6-4+deb12u1.debian.tar.xz
 7fe8e196836c2465e84ab33b50f2e7dd623141740f8837228237d63a0d45724f 11148 nagios4_4.4.6-4+deb12u1_amd64.buildinfo
Files:
 13fe88ad08520bfef307a9bd8bbfb855 2010 net optional nagios4_4.4.6-4+deb12u1.dsc
 ba849e9487e13859381eb117127bfee2 11333414 net optional nagios4_4.4.6.orig.tar.gz
 a9509b8b0b989a2ae5bbf8d5b0c3badf 1096632 net optional nagios4_4.4.6-4+deb12u1.debian.tar.xz
 93e15cdeb0ec21ff558848fddb6538e9 11148 net optional nagios4_4.4.6-4+deb12u1_amd64.buildinfo
--- End Message ---
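The changelog above says that after the backport, cmd.cgi rejects a POST that did not first obtain and send back a NagFormId, which is why integrations that post commands blindly now fail, and that the upstream PR 1055 option restores the old behaviour. The following is an added illustration of the general synchronizer-token pattern such a check follows; it is not Nagios' code and does not reproduce how NagFormId is generated. The field name `form_token`, the in-memory session store and the `require_form_token` switch are assumptions chosen for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
# A real CGI would keep this alongside its authentication state.
SESSIONS: dict[str, str] = {}


def new_session() -> str:
    """Create a session and mint the CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


def render_form_token(sid: str) -> str:
    """Value the server embeds as a hidden field in its own command form.

    A cross-site page cannot read this value: the same-origin policy stops it
    from reading the response that carries the form, so a forged POST from
    another origin arrives without it (or with a guess).
    """
    return SESSIONS[sid]


def verify_command_post(sid: str, form_fields: dict[str, str],
                        require_form_token: bool = True) -> tuple[bool, str]:
    """Decide whether a POSTed command may be executed.

    Returns (accepted, reason). `require_form_token=False` mirrors the
    legacy opt-out described in the changelog: the token check is skipped and
    any POST made with the victim's cookies is accepted again.
    """
    if sid not in SESSIONS:
        return False, "no session"
    if not require_form_token:
        # Legacy mode: equivalent to the pre-fix behaviour, i.e. CSRF-exposed.
        return True, "legacy: token check disabled"
    token = form_fields.get("form_token")  # hypothetical hidden-field name
    if not token:
        # Typical failure of a third-party integration that never fetched
        # the form before posting.
        return False, "missing token"
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return False, "token mismatch"
    return True, "ok"


def legitimate_integration(sid: str, fields: dict[str, str]) -> tuple[bool, str]:
    """The fixed flow a client must follow: fetch the form, then POST with its token."""
    fields = dict(fields, form_token=render_form_token(sid))
    return verify_command_post(sid, fields)


if __name__ == "__main__":
    sid = new_session()
    print(verify_command_post(sid, {"action": "ack"}))          # rejected: no token
    print(legitimate_integration(sid, {"action": "ack"}))       # accepted
```

A client that breaks after the update is fixed by adopting the `legitimate_integration` flow rather than by flipping the opt-out, since the opt-out reinstates the original exposure for every user of the CGI.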