Hello community, here is the log from the commit of package nagios for openSUSE:Factory checked in at 2020-04-07 10:31:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nagios (Old) and /work/SRC/openSUSE:Factory/.nagios.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nagios" Tue Apr 7 10:31:53 2020 rev:17 rq:791853 version:4.4.5 Changes: -------- --- /work/SRC/openSUSE:Factory/nagios/nagios.changes 2020-02-04 19:55:08.405384130 +0100 +++ /work/SRC/openSUSE:Factory/.nagios.new.3248/nagios.changes 2020-04-07 10:32:45.342610710 +0200 @@ -1,0 +2,17 @@ +Mon Apr 6 15:55:26 UTC 2020 - l...@linux-schulserver.de - 4.4.5 + +- fix boo#1156309, CVE-2019-3698 : Symbolic Link (Symlink) following + vulnerability in the cronjob allows local attackers to cause cause + DoS or potentially escalate privileges by winning a race. +- enhance systemd service: check nagios config before reloading +- enable build for SLE11 by excluding some special macros and + directories via 'sles_version != 11' condition +- add nagios-archive.service and nagios-archive.timer as replacement + for the script in cron.weekly: no need for cron on systemd systems +- run set_permissions and verifyscript for /etc/cron.weekly on those + distributions that need it +- enhance rpmlint: ignore empty htpasswd file +- enable php apache module and not php5 on newer distributions +- try to harden the rcnagios script + +------------------------------------------------------------------- New: ---- nagios-archive.service nagios-archive.timer ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nagios.spec ++++++ --- /var/tmp/diff_new_pack.7xvNSK/_old 2020-04-07 10:32:47.638613702 +0200 +++ /var/tmp/diff_new_pack.7xvNSK/_new 2020-04-07 10:32:47.642613707 +0200 @@ -49,6 +49,8 @@ Source11: %{name}-html-pages.tar.bz2 Source12: %{name}.service Source13: %{name}.tmpfiles +Source14: %{name}-archive.timer +Source15: %{name}-archive.service Source20: %{name}-rpmlintrc # PATCH-FIX-UPSTREAM unescape hex characters in CGI input - avoid addional '+' Patch3: nagios-fix_encoding_trends.cgi.patch 
@@ -87,6 +89,8 @@ BuildRequires: pkgconfig(systemd) Source100: nagios_systemd %{?systemd_ordering} +%else +Recommends: cron %endif Provides: monitoring_daemon BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -97,10 +101,10 @@ Requires(pre): %fillup_prereq %if 0%{?suse_version} < 01200 Requires(pre): %insserv_prereq +Requires: cron %endif Requires(pre): shadow Recommends: %{name}-www -Recommends: cron # this package contains shared tools with icinga Recommends: monitoring-tools Recommends: icinga-monitoring-tools @@ -355,7 +359,16 @@ # sysconfig script install -D -m 0644 %{SOURCE3} %{buildroot}%{_fillupdir}/sysconfig.%{name} # install cronjob (gzip' the logfiles) -install -D -m 0755 %{SOURCE4} %{buildroot}%{_sysconfdir}/cron.weekly/%{name} +%if %{with systemd} +sed -e 's|__NAGIOS_USER__|%{nagios_user}|g' \ + -e 's|__NAGIOS_GROUP__|%{nagios_group}|g' %{SOURCE4} > %{buildroot}%{_sbindir}/nagios-archive +install -Dm0644 %{SOURCE14} %{buildroot}/%{_unitdir}/nagios-archive.timer +install -Dm0644 %{SOURCE15} %{buildroot}/%{_unitdir}/nagios-archive.service +%else +mkdir %{buildroot}%{_sysconfdir}/cron.weekly +sed -e 's|__NAGIOS_USER__|%{nagios_user}|g' \ + -e 's|__NAGIOS_GROUP__|%{nagios_group}|g' %{SOURCE4} > %{buildroot}%{_sysconfdir}/cron.weekly/%{name} +%endif # install empty htpasswd file (boo#961115) touch %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users # important ghost files @@ -410,7 +423,7 @@ fi fi %if %{with systemd} -%service_add_pre %{name}.service +%service_add_pre %{name}.service %{name}-archive.service %{name}-archive.timer %endif %post 
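Review bot: In the install step of nagios.spec, the two new `sed … > %{buildroot}…` redirects and the bare `mkdir %{buildroot}%{_sysconfdir}/cron.weekly` only work if the parent directories already exist in the buildroot, which the replaced `install -D` call did not require. The hunk does not show where `%{buildroot}%{_sbindir}` or `%{buildroot}%{_sysconfdir}` is created (the section starts outside it), so this should be confirmed or made explicit with `install -d -m 0755 %{buildroot}%{_sbindir}` and `install -d -m 0755 %{buildroot}%{_sysconfdir}/cron.weekly` before the redirects. The generated scripts also take their mode from the build umask and depend on the `%attr(0755,root,root)` entries in the file list to end up executable, which deserves a one-line comment next to the `sed` calls.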
@@ -432,31 +445,39 @@ fi fi %if %{with systemd} -%service_add_post %{name}.service +%service_add_post %{name}.service %{name}-archive.service %{name}-archive.timer systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf %fillup_only %else %{fillup_and_insserv %{name}} +%if 0%{?sles_version} != 11 +%set_permissions /etc/cron.weekly/ +%endif +%endif +%if 0%{?sles_version} != 11 +%set_permissions /var/spool/nagios/ %endif -%set_permissions /var/spool/nagios %preun %if %{with systemd} -%service_del_preun %{name}.service +%service_del_preun %{name}.service %{name}-archive.service %{name}-archive.timer %else %stop_on_removal %{name} %endif %postun %if %{with systemd} -%service_del_postun %{name}.service +%service_del_postun %{name}.service %{name}-archive.service %{name}-archive.timer %else %restart_on_update %{name} %{insserv_cleanup} %endif %verifyscript -%verify_permissions -e /var/spool/nagios +%if ! %{with systemd} +%verify_permissions -e /etc/cron.weekly/ +%endif +%verify_permissions -e /var/spool/nagios/ %post www wwwusr=%{nagios_command_user} @@ -484,14 +505,18 @@ %{_sbindir}/a2enmod auth_basic >/dev/null %{_sbindir}/a2enmod authz_user >/dev/null %{_sbindir}/a2enmod version >/dev/null - # enable php5 in apache config - %{_sbindir}/a2enmod php5 + # enable php in apache config + %if 0%{?sle_version} == 120000 + %{_sbindir}/a2enmod php5 >/dev/null || : + %else + %{_sbindir}/a2enmod php >/dev/null || : + %endif fi -%if %{with systemd} -%{_bindir}/systemctl try-restart apache2 -%else -%restart_on_update apache2 -%endif + %if %{with systemd} + %{_bindir}/systemctl try-restart apache2 + %else + %restart_on_update apache2 + %endif fi %post www-dch 
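Review bot: In `%verifyscript`, the two `%verify_permissions` calls are not wrapped in the `0%{?sles_version} != 11` test that this hunk puts around both `%set_permissions` calls in `%post`. If the permissions macros are among those excluded for the SLE11 build (the changelog suggests it, the hunk does not show it), the verify script needs the same guard: `%if 0%{?sles_version} != 11` before and `%endif` after the two lines. A short comment above the guard in `%post`, such as `# permissions macros are skipped on SLE11`, would record why the condition is there.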
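Review bot: The new test `%if 0%{?sle_version} == 120000` in `%post www` matches a single value, so every other release takes the `a2enmod php` branch. Presumably the SLE 12 service packs report a different `sle_version` and still name the module php5; if they are meant to be covered, a range test such as `%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000` expresses that. Because both calls now end in `>/dev/null || :`, a wrong module name fails without any message and the web interface is left without PHP, so the condition should be checked against the target releases.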
@@ -535,13 +560,18 @@ %attr(0755,root,root) %{nagios_libdir}/%{name}-exec-start-pre %{_unitdir}/%{name}.service %{_prefix}/lib/tmpfiles.d/%{name}.conf +%attr(0755,root,root) %{_sbindir}/nagios-archive +%{_unitdir}/nagios-archive.timer +%{_unitdir}/nagios-archive.service %else %attr(0755,root,root) %{_sysconfdir}/init.d/%{name} %ghost %dir %{nslockfile_dir} %attr(0644,%{nagios_user},%{nagios_group}) %verify(not md5 size mtime) %ghost %config(missingok,noreplace) %{nslockfile} -%endif +%if 0%{?sles_version} != 11 %dir %{_sysconfdir}/cron.weekly +%endif %attr(0755,root,root) %{_sysconfdir}/cron.weekly/* +%endif %config(noreplace) %{nagios_sysconfdir}/*.cfg %config(noreplace) %{nagios_sysconfdir}/objects/*.cfg %ghost %config(missingok,noreplace) %{nagios_logdir}/config.err ++++++ nagios-archive.service ++++++ [Unit] Description=Auto-Archiving of Nagios Logfiles [Service] Type=oneshot ExecStart=/bin/bash -ce "/usr/sbin/nagios-archive" ++++++ nagios-archive.timer ++++++ [Unit] Description=Auto-Archiving of Nagios Logfiles [Timer] OnCalendar=Sat *-*-* 03:00:00 AccuracySec=12h Persistent=true [Install] WantedBy=timers.target ++++++ nagios-rpmlintrc ++++++ --- /var/tmp/diff_new_pack.7xvNSK/_old 2020-04-07 10:32:47.738613833 +0200 +++ /var/tmp/diff_new_pack.7xvNSK/_new 2020-04-07 10:32:47.738613833 +0200 @@ -17,3 +17,5 @@ addFilter("tmpfile-not-in-filelist.*/var/run/nagios"); # not using the macro should not be a problem if we call the service directly: addFilter("postin-without-tmpfile-creation.*/usr/lib/tmpfiles.d/nagios.conf"); +# see boo#961115 - CVE-2016-0726 +addFilter("zero-length.*/etc/nagios/htpasswd.users"); ++++++ nagios.service ++++++ --- /var/tmp/diff_new_pack.7xvNSK/_old 2020-04-07 10:32:47.766613869 +0200 +++ /var/tmp/diff_new_pack.7xvNSK/_new 2020-04-07 10:32:47.766613869 +0200 
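Review bot: `ExecStart=/bin/bash -ce "/usr/sbin/nagios-archive"` in the new nagios-archive.service starts an extra shell for a script that the spec installs with mode 0755 and that carries its own `#!/bin/bash` line; `ExecStart=/usr/sbin/nagios-archive` does the same job without the wrapper. The unit sets no `User=`, so the script runs as root, which its `setpriv` call relies on. That root context is worth confining to what the script visibly does (read under /etc, write under /var/log/nagios/archives), for example with `ProtectSystem=full` and `PrivateTmp=true` in `[Service]`, after testing on the oldest systemd the package targets.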
@@ -7,6 +7,7 @@ ExecStartPre=/usr/lib/nagios/nagios-exec-start-pre ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg ExecStart=/usr/sbin/nagios /etc/nagios/nagios.cfg +ExecReload=/usr/sbin/nagios -v /etc/nagios/nagios.cfg ExecReload=/bin/kill -HUP $MAINPID [Install] ++++++ nagios_systemd ++++++ --- /var/tmp/diff_new_pack.7xvNSK/_old 2020-04-07 10:32:47.802613916 +0200 +++ /var/tmp/diff_new_pack.7xvNSK/_new 2020-04-07 10:32:47.802613916 +0200 @@ -16,6 +16,8 @@ # Read config and log errors in logfile config_check () { + test -f $NAGIOS_CFG_ERR_LOG && rm $NAGIOS_CFG_ERR_LOG + touch $NAGIOS_CFG_ERR_LOG || exit 1 case "$1" in verbose) $NAGIOS_BIN -v "$NAGIOS_CFG" >"$NAGIOS_CFG_ERR_LOG" 2>&1 ++++++ suse.de-nagios ++++++ --- /var/tmp/diff_new_pack.7xvNSK/_old 2020-04-07 10:32:47.834613958 +0200 +++ /var/tmp/diff_new_pack.7xvNSK/_new 2020-04-07 10:32:47.834613958 +0200 @@ -1,19 +1,35 @@ -#!/usr/bin/env bash +#!/bin/bash # # Compress old nagios logfiles in /var/log/nagios/archives/ # once a week, if sysconfig variable is set to true # -if [[ -r /etc/sysconfig/nagios ]]; then -. /etc/sysconfig/nagios +CFG='/etc/nagios/nagios.cfg' +SYSCFG='/etc/sysconfig/nagios' + +if [[ -r $SYSCFG ]]; then +. $SYSCFG else - echo "/etc/sysconfig/nagios not found or not readable." >&2 + echo "$SYSCFG not found or not readable." >&2 exit 1 fi +if [[ -r $CFG ]]; then + NAGIOS_USER=$( grep ^nagios_user $CFG | tail -n 1 | sed 's@.*=@@' | tr -d '[:cntrl:]') + NAGIOS_GROUP=$(grep ^nagios_group $CFG | tail -n 1 | sed 's@.*=@@' | tr -d '[:cntrl:]') +fi + +if [ -z "$NAGIOS_USER" ]; then + NAGIOS_USER='__NAGIOS_USER__' +fi +if [ -z "$NAGIOS_GROUP" ]; then + NAGIOS_GROUP='__NAGIOS_GROUP__' +fi + if [[ $NAGIOS_COMPRESS_LOGFILES = "true" ]]; then for f in /var/log/nagios/archives/*.log ; do if [[ -r $f ]] ; then - /usr/bin/bzip2 "$f" + setpriv --init-groups --ruid $NAGIOS_USER --rgid $NAGIOS_GROUP \ + --inh-caps -all --reset-env /usr/bin/bzip2 "$f" fi done fi
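Review bot: The added `test -f $NAGIOS_CFG_ERR_LOG && rm $NAGIOS_CFG_ERR_LOG` in config_check does not remove a symbolic link whose target is missing, because `test -f` follows the link and reports false; the `touch` and the later `>"$NAGIOS_CFG_ERR_LOG"` redirect then follow that link. Removing unconditionally and quoting covers this case: `rm -f -- "$NAGIOS_CFG_ERR_LOG"` followed by `touch -- "$NAGIOS_CFG_ERR_LOG" || exit 1`. A window between the `rm` and the redirect remains if the directory holding the file is writable by an unprivileged account, which this hunk does not show, so the ownership of that directory matters as much as the check. config_check continues outside the hunk.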
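Review bot: The `setpriv` call in suse.de-nagios changes only the real IDs (`--ruid`, `--rgid`); the effective UID and GID, which decide file access, stay those of the caller. Started from the timer or cron, bzip2 therefore still opens and writes files with root's permissions, and the privilege drop intended for the symlink fix does not take effect. Use the combined options on the first line, `setpriv --init-groups --reuid "$NAGIOS_USER" --regid "$NAGIOS_GROUP" \`, and keep the second line as it is. A comment above the call, such as `# compress as the nagios account, never as root`, would state the intent for later edits.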