Alexander Wirt wrote:
> Alexander Wirt wrote on Friday, 28 November 2008:
>
>> Hi,
>>
>> unfortunately Nagios has some security bug which can lead to remote command
>> execution under some very special circumstances. See [1] for more details.
>> Upstream released 3.0.5 which addresses this issue and its fixes are very
>> intrusive and not easy to backport since they change many things in the cgi
>> (they introduce some kind of session handling) code. I tried to backport it
>> but failed after a few hours with a big, not working patch. So I decided to
>> try to get 3.0.5 into Debian. The patch is pretty big, but nearly everything
>> are documentation, bug and security fixes (see the changelog entries [2]).
>>
>> I attached a patch from nagios-3.0.3-4 to nagios-3.0.5-1. If this is not
>> acceptable for the release team somebody else with more knowledge in C should
>> provide a proper fix. To get the diff a little bit shorter I removed html/*
>> and the Debian po files from the diff.
>
> In the meanwhile 3.0.6 got released with even more security fixes for the
> cgi parts. I will provide a diff soon and ask for inclusion of 3.0.6 instead
> of 3.0.5.

Please upload.

cheers

Luk

