Hello community,

here is the log from the commit of package icinga for openSUSE:Factory checked 
in at 2017-12-05 01:29:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/icinga (Old)
 and      /work/SRC/openSUSE:Factory/.icinga.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "icinga"

Tue Dec  5 01:29:49 2017 rev:57 rq:547324 version:1.14.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/icinga/icinga.changes    2017-11-27 
22:19:04.561186788 +0100
+++ /work/SRC/openSUSE:Factory/.icinga.new/icinga.changes       2017-12-05 
01:29:50.510162307 +0100
@@ -1,0 +2,9 @@
+Fri Dec  1 21:24:18 UTC 2017 - l...@linux-schulserver.de
+
+- fix a possible symlink attack for files/dirs created by root
+  fixes CVE-2016-8641 (bsc#1011630 and bsc#1018047)
+- the update to 1.14.0 also fixed boo#952777
+- remove the pre-configured administrative account with fixed 
+  password for the WebUI - CVE-2016-0726 (boo#961115)
+
+-------------------------------------------------------------------
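
Review bot: the CVE-2016-8641 entry does not say what was changed, and the boo#952777 line gives no description of the bug at all. Naming the actual change (chown/chgrp in rcicinga now run with --no-dereference) and adding a short summary for boo#952777 would let someone reading only the .changes file judge whether the fix applies to them.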

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ icinga.spec ++++++
--- /var/tmp/diff_new_pack.mQkw8X/_old  2017-12-05 01:29:52.290097644 +0100
+++ /var/tmp/diff_new_pack.mQkw8X/_new  2017-12-05 01:29:52.294097498 +0100
@@ -397,8 +397,8 @@
 # install logrotate rule
 install -D -m 0644 icinga.logrotate %{buildroot}%{icinga_logrotatefile}
 
-# install sample htpasswd file
-install -D -m 0644 icinga.htpasswd %{buildroot}%{icinga_http_authfile}
+# install empty htpasswd file (see boo#961115)
+touch %{buildroot}%{icinga_http_authfile}
 
 # create icinga localstatedir
 install -d -m 0755 %{buildroot}%{icinga_localstatedir}
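
Review bot: the new touch line drops both the explicit mode and the -D parent-directory creation that the removed install line provided. The file mode now depends on the build umask, and touch fails if the directory holding %{icinga_http_authfile} has not been created earlier in %install. Something like "install -D -m 0644 /dev/null %{buildroot}%{icinga_http_authfile}" keeps both properties. The visible lines also do not show how the file is listed in %files; if it is a config file that is preserved on upgrade, existing installations keep the old icingaadmin entry and need it removed separately.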

++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.mQkw8X/_old  2017-12-05 01:29:52.374094592 +0100
+++ /var/tmp/diff_new_pack.mQkw8X/_new  2017-12-05 01:29:52.378094447 +0100
@@ -34,11 +34,12 @@
 3. If you need or want the classic gui, install icinga-www. If you want plain
    monitoring with icinga core and configure everything else by hand, you are 
done.
 
-3.1 An example user icingaadmin with password icingaadmin is installed to
-  /etc/icinga/htpasswd.users
+3.1 An empty htpasswd file is installed to
+     /etc/icinga/htpasswd.users
+    This allows the Apache server to run, but will not allow anyone to log in.
 
-3.1 Add a new basic auth user for apache:
-  # htpasswd /etc/icinga/htpasswd.users youradmin
+3.2 Add a new basic auth user for apache:
+    # htpasswd /etc/icinga/htpasswd.users youradmin
 
 4. Optional: install icinga-idoutils. Icinga Data Output Utils are necessary 
for
    various database backed guis such as Icinga Web or Icinga Reporting. 
IDOUtils
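
Review bot: the new 3.1 text only describes a fresh install and says nothing to people upgrading from a package that shipped the icingaadmin/icingaadmin entry. A sentence telling them to check /etc/icinga/htpasswd.users and remove that user, for example with "htpasswd -D /etc/icinga/htpasswd.users icingaadmin", would close the gap for systems where the old file is still in place.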


++++++ rcicinga ++++++
--- /var/tmp/diff_new_pack.mQkw8X/_old  2017-12-05 01:29:52.602086309 +0100
+++ /var/tmp/diff_new_pack.mQkw8X/_new  2017-12-05 01:29:52.606086164 +0100
@@ -171,7 +171,7 @@
         # create checkresult dir if missing
         if [ ! -d "$check_result_path" ]; then
             mkdir -p "$check_result_path"
-            chown $icinga_user:$icinga_group "$check_result_path"
+            chown --no-dereference $icinga_user:$icinga_group 
"$check_result_path"
             chmod 775 "$check_result_path"
         fi
                if [ ! -d "$temp_path" ]; then
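
Review bot: the chmod 775 "$check_result_path" on the line after the changed chown still follows symlinks, since chmod acts on the target of a symlink given on the command line, and the [ ! -d ... ] test above it follows them too. Only one of the two root-run operations on this path is therefore protected. Creating the directory with its final mode in one step, for example "mkdir -m 775 -p" or "install -d -m 775 -o ... -g ...", would make the separate chmod unnecessary. $icinga_user:$icinga_group is also unquoted.
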
@@ -199,7 +199,7 @@
                     sleep 1
                     ICINGA_TIMEOUT=$(($ICINGA_TIMEOUT - 1))
                 done
-                chgrp $icinga_cmdgrp "$command_file"
+                chgrp --no-dereference $icinga_cmdgrp "$command_file"
             fi
         else
             echo "Error in configuration - please read $ICINGA_CFG_ERR_LOG"
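
Review bot: with --no-dereference, the chgrp on "$command_file" changes the group of a symlink itself and returns success, so the script carries on without noticing that the command file is not what it expected. An explicit test before the chgrp, such as [ -L "$command_file" ] followed by an error message and a non-zero exit, would turn the silent case into a visible failure. $icinga_cmdgrp should be quoted as well.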

