Hello community,

here is the log from the commit of package icinga for openSUSE:Factory checked in at 2017-12-05 01:29:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/icinga (Old)
 and      /work/SRC/openSUSE:Factory/.icinga.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "icinga" Tue Dec 5 01:29:49 2017 rev:57 rq:547324 version:1.14.0 Changes: -------- --- /work/SRC/openSUSE:Factory/icinga/icinga.changes 2017-11-27 22:19:04.561186788 +0100 +++ /work/SRC/openSUSE:Factory/.icinga.new/icinga.changes 2017-12-05 01:29:50.510162307 +0100 @@ -1,0 +2,9 @@ +Fri Dec 1 21:24:18 UTC 2017 - l...@linux-schulserver.de + +- fix a possible symlink attack for files/dirs created by root + fixes CVE-2016-8641 (bsc#1011630 and bsc#1018047) +- the update to 1.14.0 also fixed boo#952777 +- remove the pre-configured administrative account with fixed + password for the WebUI - CVE-2016-0726 (boo#961115) + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ icinga.spec ++++++ --- /var/tmp/diff_new_pack.mQkw8X/_old 2017-12-05 01:29:52.290097644 +0100 +++ /var/tmp/diff_new_pack.mQkw8X/_new 2017-12-05 01:29:52.294097498 +0100 @@ -397,8 +397,8 @@ # install logrotate rule install -D -m 0644 icinga.logrotate %{buildroot}%{icinga_logrotatefile} -# install sample htpasswd file -install -D -m 0644 icinga.htpasswd %{buildroot}%{icinga_http_authfile} +# install empty htpasswd file (see boo#961115) +touch %{buildroot}%{icinga_http_authfile} # create icinga localstatedir install -d -m 0755 %{buildroot}%{icinga_localstatedir} ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.mQkw8X/_old 2017-12-05 01:29:52.374094592 +0100 +++ /var/tmp/diff_new_pack.mQkw8X/_new 2017-12-05 01:29:52.378094447 +0100 
@@ -34,11 +34,12 @@ 3. If you need or want the classic gui, install icinga-www. If you want plain monitoring with icinga core and configure everything else by hand, you are done. -3.1 An example user icingaadmin with password icingaadmin is installed to - /etc/icinga/htpasswd.users +3.1 An empty htpasswd file is installed to + /etc/icinga/htpasswd.users + This allows the Apache server to run, but will not allow anyone to log in. -3.1 Add a new basic auth user for apache: - # htpasswd /etc/icinga/htpasswd.users youradmin +3.2 Add a new basic auth user for apache: + # htpasswd /etc/icinga/htpasswd.users youradmin 4. Optional: install icinga-idoutils. Icinga Data Output Utils are necessary for various database backed guis such as Icinga Web or Icinga Reporting. IDOUtils ++++++ rcicinga ++++++ --- /var/tmp/diff_new_pack.mQkw8X/_old 2017-12-05 01:29:52.602086309 +0100 +++ /var/tmp/diff_new_pack.mQkw8X/_new 2017-12-05 01:29:52.606086164 +0100 @@ -171,7 +171,7 @@ # create checkresult dir if missing if [ ! -d "$check_result_path" ]; then mkdir -p "$check_result_path" - chown $icinga_user:$icinga_group "$check_result_path" + chown --no-dereference $icinga_user:$icinga_group "$check_result_path" chmod 775 "$check_result_path" fi if [ ! -d "$temp_path" ]; then @@ -199,7 +199,7 @@ sleep 1 ICINGA_TIMEOUT=$(($ICINGA_TIMEOUT - 1)) done - chgrp $icinga_cmdgrp "$command_file" + chgrp --no-dereference $icinga_cmdgrp "$command_file" fi else echo "Error in configuration - please read $ICINGA_CFG_ERR_LOG"
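
Review bot: in the icinga.spec hunk (@@ -397,8 +397,8 @@), the new "touch %{buildroot}%{icinga_http_authfile}" loses both things the removed "install -D -m 0644" did: it no longer creates the parent directory, and it leaves the file mode to the build umask. Suggest "install -D -m 0644 /dev/null %{buildroot}%{icinga_http_authfile}", or an explicit "install -d" before the touch together with an explicit mode, so the build does not depend on an earlier step having created the directory. Since the README hunk tells admins to add users to this file with htpasswd, it will hold password hashes, and a mode tighter than the 0644 carried over from the sample file is worth considering.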
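
Review bot: in the README.SUSE hunk (@@ -34,11 +34,12 @@), the new section 3.1 describes only a fresh install and gives no guidance for systems set up from the earlier package, whose README stated that user icingaadmin with password icingaadmin was installed to /etc/icinga/htpasswd.users. Suggest adding a line telling administrators to check that file for a leftover icingaadmin entry and remove it, for example with "htpasswd -D /etc/icinga/htpasswd.users icingaadmin". The renumbering of the duplicated 3.1 to 3.2 is correct.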
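
Review bot: in the first rcicinga hunk (@@ -171,7 +171,7 @@), the "chmod 775 "$check_result_path"" on the line after the changed chown still follows symlinks, because chmod always acts on the target of a symlink named on the command line, so the path is only half protected if it is swapped between the mkdir and the chmod. Suggest setting the mode at creation time with "mkdir -p -m 775 "$check_result_path"" and dropping the separate chmod, or testing "[ -L "$check_result_path" ]" and aborting before either call. Minor style point on the same line: "$icinga_user:$icinga_group" is unquoted while the path is quoted.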
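
Review bot: in the second rcicinga hunk (@@ -199,7 +199,7 @@), "chgrp --no-dereference $icinga_cmdgrp "$command_file"" fails silently when "$command_file" is a symlink: the link itself gets the new group, the script carries on, and nothing is reported. Suggest checking "[ -L "$command_file" ]" after the wait loop and printing an error instead of continuing, so a planted link is visible to the administrator. Note also that --no-dereference covers only the final path component, so a symlink in a parent directory of "$command_file" is still followed; "$icinga_cmdgrp" should be quoted as well.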