Hello community, here is the log from the commit of package nagios for openSUSE:Factory checked in at 2017-12-05 01:29:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nagios (Old) and /work/SRC/openSUSE:Factory/.nagios.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nagios" Tue Dec 5 01:29:43 2017 rev:4 rq:547323 version:4.3.4 Changes: --------
--- /work/SRC/openSUSE:Factory/nagios/nagios.changes 2017-10-17 01:53:21.328080958 +0200
+++ /work/SRC/openSUSE:Factory/.nagios.new/nagios.changes 2017-12-05 01:29:47.866258358 +0100
@@ -1,0 +2,9 @@
+Fri Dec 1 22:19:07 UTC 2017 - [email protected]
+
+- fix a possible symlink attack for files/dirs created by root
+ fixes CVE-2016-8641 (bsc#1011630 and bsc#1018047)
+- remove the pre-configured administrative account with fixed
+ password from the htpasswd file and provide an empty one instead
+ (fixes boo#961115 - CVE-2016-0726)
+
+-------------------------------------------------------------------
Old: ---- nagios-htpasswd.users ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ nagios.spec ++++++
--- /var/tmp/diff_new_pack.0Lgsz6/_old 2017-12-05 01:29:49.934183232 +0100
+++ /var/tmp/diff_new_pack.0Lgsz6/_new 2017-12-05 01:29:49.938183086 +0100
@@ -36,7 +36,6 @@
 Source4: suse.de-nagios
 Source5: nagios.8
 Source6: nagiosstats.8
-Source7: nagios-htpasswd.users
 Source8: upgrade_nagios.sh
 Source9: upgrade_nagios.8
 Source10: %{name}-README.SuSE
@@ -352,8 +351,8 @@
 install -D -m 0644 %{SOURCE3} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
 # install cronjob (gzip' the logfiles)
 install -D -m 0755 %{SOURCE4} %{buildroot}%{_sysconfdir}/cron.weekly/%{name}
-# install htpasswd file
-install -m 0640 %{SOURCE7} %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users
+# install empty htpasswd file (boo#961115)
+touch %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users
 # important ghost files
 touch %{buildroot}%{nagios_state_retention_file}
 touch %{buildroot}%{nagios_status_file}
++++++ nagios-README.SuSE ++++++
--- /var/tmp/diff_new_pack.0Lgsz6/_old 2017-12-05 01:29:49.986181343 +0100
+++ /var/tmp/diff_new_pack.0Lgsz6/_new 2017-12-05 01:29:49.986181343 +0100
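Review bot: The `touch` added in the second nagios.spec hunk creates htpasswd.users with whatever mode the build umask yields (commonly 0644), whereas the removed `install -m 0640` pinned the mode. Unless the %files list, which is outside this hunk, carries an explicit `%attr` for the file, password hashes an admin adds later would sit in a world-readable file until the manual chmod from the README is applied. Keeping the mode explicit avoids relying on that step: `install -m 0640 /dev/null %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users`.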
@@ -18,7 +18,7 @@
 * htpasswd2 -c SYSCONFDIR/htpasswd.users nagiosadmin
 * And set the correct rights for this file:
 * chmod 640 SYSCONFDIR/htpasswd.users
-* chown root:www SYSCONFDIR/htpasswd.users
+* chown --no-dereference root:www SYSCONFDIR/htpasswd.users
 *
 * You should also add a mail alias for the nagiosadmin to your
 * /etc/aliases file like:
++++++ nagios-exec-start-pre ++++++
--- /var/tmp/diff_new_pack.0Lgsz6/_old 2017-12-05 01:29:50.002180762 +0100
+++ /var/tmp/diff_new_pack.0Lgsz6/_new 2017-12-05 01:29:50.006180616 +0100
@@ -54,7 +54,7 @@
 if [ ! -e "$file" ]; then
 touch "$file"
 fi
- chown ${nagios_user}:${nagios_cmdgrp} "$file"
+ chown --no-dereference ${nagios_user}:${nagios_cmdgrp} "$file"
 done
 for dir in "$check_result_path" $(dirname "$status_file"); do
 install -d -m755 -o${nagios_user} -g${nagios_cmdgrp} "$dir"
@@ -76,4 +76,4 @@
 ;;
 esac
 chmod 660 "$resource_file"
-chown ${nagios_user}:${nagios_cmdgrp} "$resource_file"
+chown --no-dereference ${nagios_user}:${nagios_cmdgrp} "$resource_file"
++++++ rcnagios ++++++
--- /var/tmp/diff_new_pack.0Lgsz6/_old 2017-12-05 01:29:50.106176983 +0100
+++ /var/tmp/diff_new_pack.0Lgsz6/_new 2017-12-05 01:29:50.106176983 +0100
@@ -83,16 +83,16 @@
 if [ ! -e "$file" ]; then
 touch "$file"
 fi
- chown $nagios_user:$nagios_cmdgrp "$file"
+ chown --no-dereference $nagios_user:$nagios_cmdgrp "$file"
 done
 for dir in "$check_result_path" $(dirname $status_file); do
 if [ ! -d "$dir" ]; then
 mkdir -p "$dir"
 fi
- chown $nagios_user:$nagios_cmdgrp "$dir"
+ chown --no-dereference $nagios_user:$nagios_cmdgrp "$dir"
 done
 chmod 660 "$resource_file"
- chown $nagios_user:$nagios_cmdgrp "$resource_file"
+ chown --no-dereference $nagios_user:$nagios_cmdgrp "$resource_file"
 }
 check_lock_file() {
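Review bot: In the first nagios-exec-start-pre hunk the `touch "$file"` just above the patched chown still follows symlinks, because `[ ! -e "$file" ]` is also true for a dangling link and root then creates the link's target before `chown --no-dereference` runs. The same gap remains at `chmod 660 "$resource_file"` in the second nagios-exec-start-pre hunk and at the `touch` and `chmod` context lines of the first rcnagios hunk, since chmod always acts on a link's target. Whether these paths live in a directory an unprivileged account can write is not visible here, but if they do the symlink fix for CVE-2016-8641 is only partial. Rejecting links before any root-run operation would cover it, for example `[ -L "$file" ] && { echo "$file is a symlink, refusing" >&2; exit 1; }` ahead of the `-e` test. The enclosing loops and function start outside these hunks.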
@@ -200,8 +200,8 @@
 sleep 1
 NAGIOS_TIMEOUT=$(($NAGIOS_TIMEOUT-1))
 done
- chgrp $nagios_cmdgrp "$command_file"
- chown $nagios_user:$nagios_cmdgrp "$check_result_path"
+ chgrp --no-dereference $nagios_cmdgrp "$command_file"
+ chown --no-dereference $nagios_user:$nagios_cmdgrp "$check_result_path"
 fi
 else
 echo "Error in configuration - please read $NAGIOS_CFG_ERR_LOG"
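Review bot: With `--no-dereference` both calls in this rcnagios hunk succeed quietly when `$command_file` or `$check_result_path` turns out to be a symlink, so the start script leaves no trace that a path was replaced. A link at either location is worth reporting rather than silently re-owning; a guard such as `[ -L "$command_file" ] && echo "warning: $command_file is a symlink" >&2` before the chgrp would put it in the service log. The enclosing function and the `if` these lines belong to start outside the hunk.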
