Nagios has been upgraded to fix this problem. We shouldn't have been that vulnerable since you need to have a UGCS login to get to our nagios page, but it's fixed either way.
Thanks,
Joshua

Nico Golde wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA-1825-1                      [email protected]
> http://www.debian.org/security/                                Nico Golde
> July 3rd, 2009                          http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : nagios2, nagios3
> Vulnerability  : insufficient input validation
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2009-2288
>
>
> It was discovered that the statuswml.cgi script of nagios, a monitoring
> and management system for hosts, services and networks, is prone to a
> command injection vulnerability. Input to the ping and traceroute parameters
> of the script is not properly validated which allows an attacker to execute
> arbitrary shell commands by passing a crafted value to these parameters.
>
>
> For the oldstable distribution (etch), this problem has been fixed in
> version 2.6-2+etch3 of nagios2.
>
> For the stable distribution (lenny), this problem has been fixed in
> version 3.0.6-4~lenny2 of nagios3.
>
> For the testing distribution (squeeze), this problem has been fixed in
> version 3.0.6-5 of nagios3.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.0.6-5 of nagios3.
>
>
> We recommend that you upgrade your nagios2/nagios3 packages.
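
An added example, not part of the original message and not Nagios's own code or its actual patch: one way a CGI can handle a ping target of the kind the advisory describes, by allowlisting the characters of a hostname or IP literal and passing the value as a separate argv element instead of building a shell command line. The function names, PING_PATH and the "-c 3" arguments are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_TARGET_LEN 253          /* longest legal DNS name */
#define PING_PATH "/bin/ping"       /* assumed location, adjust per system */

/* Return 1 only if s looks like a hostname or IP literal: ASCII letters,
 * digits, '.', '-' and ':' (for IPv6). Everything else, including shell
 * metacharacters and whitespace, is rejected. A leading '-' is rejected so
 * the value can never be read as an option by the program receiving it.
 * Assumes the default "C" locale, where isalnum() accepts ASCII only. */
int valid_ping_target(const char *s)
{
    size_t len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_TARGET_LEN || s[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Fill an argv suitable for execv(PING_PATH, (char *const *)argv).
 * The target is one argument of its own and no shell ever parses it.
 * Returns 0 on success, -1 if the target fails validation. */
int build_ping_argv(const char *target, const char *argv[5])
{
    if (!valid_ping_target(target))
        return -1;
    argv[0] = PING_PATH;
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = target;
    argv[4] = NULL;
    return 0;
}
```

Validation and shell-free execution are independent layers: either one alone blocks the injection described in the advisory, and using both keeps the script safe if one of them is later weakened.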

