[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Marc Deslauriers]

** Changed in: nagios3 (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Launchpad Bug Tracker]

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu3.3

---
nagios3 (3.5.1.dfsg-2.1ubuntu3.3) yakkety-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
- debian/patches/CVE-2016-9566-regression.patch: relax permissions on
  log files in base/logging.c.
- debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers   Tue, 06 Jun 2017
07:32:05 -0400

** Changed in: nagios3 (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9566

** Changed in: nagios3 (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Launchpad Bug Tracker]

This bug was fixed in the package nagios3 - 3.5.1-1ubuntu1.3

---
nagios3 (3.5.1-1ubuntu1.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
- debian/patches/CVE-2016-9566-regression.patch: relax permissions on
  log files in base/logging.c.
- debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers   Tue, 06 Jun 2017
07:33:27 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Launchpad Bug Tracker]

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu1.2

---
nagios3 (3.5.1.dfsg-2.1ubuntu1.2) xenial; urgency=medium

  * debian/patches/fix_permissions_for_hostgroups_reports.patch: Fix
permissions for hostgroups reports.  Thanks to John C. Frickson
.  Closes LP: #1686768.

 -- aa...@unadopted.co.uk (Aaron B. Russell)  Wed, 10 May 2017 22:43:53
+0100

** Changed in: nagios3 (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Łukasz Zemczak]

If it was only tested on xenial then the rest has not been yet tested -
switching the tags to show the right state of testing. Someone still
needs to perform the testing on zesty, yakkety and trusty.

** Tags removed: verification-done
** Tags added: verification-done-xenial verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

Under xenial, 3.5.1.dfsg-2.1ubuntu1.2 resolves the issue for me.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Łukasz Zemczak]

Hello Aaron, or anyone else affected,

Accepted nagios3 into zesty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu5.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[ChristianEhrhardt]

Hi,
differences I'd expect are down to headers and changelog style but absolutely 
good enough IMHO and I totally like how actively you participate.
So I was reviewing the patches are actually the same across all versions (they 
are) and giving it a trial build.
Also I saw on my test runs that all Dep8 tests on all releases seem to be good 
as well.

That said, sponsoring your work now, thanks for the patches.

Note to myself - related bileto tickets:
https://bileto.ubuntu.com/#/ticket/2765
https://bileto.ubuntu.com/#/ticket/2766

Once the SRU Team approves your contribution the proposed verification
on these releases would be the next step you could help a lot.

** Changed in: nagios3 (Ubuntu Trusty)
   Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Xenial)
   Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Yakkety)
   Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Zesty)
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

** Patch added: "Patch for Yakkety"
   
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875696/+files/nagios-fix-yakkety.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

** Patch added: "Patch for Trusty"
   
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875695/+files/nagios-fix-trusty.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

** Patch added: "Patch for Zesty"
   
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875697/+files/nagios-fix-zesty.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

** Patch added: "Patch for Xenial"
   
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4874912/+files/nagios-fix-xenial.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Launchpad Bug Tracker]

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu6

---
nagios3 (3.5.1.dfsg-2.1ubuntu6) artful; urgency=medium

  * debian/patches/ubuntu/Fix-permissions-for-Host-Groups-reports.patch: Fix
leaking hosts to restricted contacts as in upstream tracker
http://tracker.nagios.org/view.php?id=619 (LP: #1686768).

 -- Christian Ehrhardt   Fri, 28 Apr
2017 10:00:38 +0200

** Changed in: nagios3 (Ubuntu)
   Status: Fix Committed => Fix Released

** Bug watch added: tracker.nagios.org/ #619
   http://tracker.nagios.org/view.php?id=619

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

Hi Christian, I've added an SRU template to the top of the description,
hope this is sufficient?

I've also joined the #ubuntu-server IRC channel (as aaronr) so if
there's anything further I can do to help push this fix through just let
me know and I'd be happy to do so.

** Description changed:

+ [Impact]
+ 
+  * It is possible for users to see information about servers that they
+ have not been given permission to see
+ 
+  * A fix should be backported because this is a security problem and
+ causes Nagios to leak data
+ 
+  * The patch introduces the proper checks on hostgroup permissions as
+ per Nagios 4.2.2
+ 
+ [Test Case]
+ 
+  * Configure Nagios to monitor multiple servers
+  * Create a second contact called "jbloggs" (in 
/etc/nagios/conf.d/contacts_nagios2.cfg)
+  * Create a second contact group called "oneserver" containing the second 
contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
+  * Set the contact_groups property for one of the servers to be 
"admins,oneserver"
+  * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
+  * Login to Nagios as "jbloggs"
+  * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and 
"Hostgroups -> Grid", and observe that the "jbloggs" user can view information 
about servers they don't have permission to see (full details including 
screenshots can be found on the Nagios forum link below)
+ 
+ [Regression Potential]
+ 
+  * It's possible that this may create other issues when viewing
+ hostgroups in the Nagios web interface although I have not seen any such
+ issues, and this fix was deemed to be acceptable by the Nagios core team
+ in Nagios 4.2.2 (tracker link below) so I think the chances of any
+ issues are very low.
+ 
+ [Other Info]
+  
+  * This fix is the same fix that was applied upstream in Nagios 4.2.2, 
although as Ubuntu doesn't ship that version the fix never made it in
+  * This problem didn't exist under Precise as that ran Nagios 3.2.x so this 
was an upstream regression that happened after that version
+ 
+ [Original Description]
+ 
  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are in
  the same hostgroup.
  
  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7=21794
  
  It was fixed in Nagios 4.2.2 here:
  
https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1
  #diff-b89a219dd5a0ac3e4e07f1dfd721dd78
  
  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.
  
  lsb_release -rd output:
  Description:  Ubuntu 16.04.2 LTS
  Release:  16.04
  
  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
-   Installed: 3.5.1.dfsg-2.1ubuntu1.1
-   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
-   Version table:
-  *** 3.5.1.dfsg-2.1ubuntu1.1 500
- 500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
- 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
- 100 /var/lib/dpkg/status
-  3.5.1.dfsg-2.1ubuntu1 500
- 500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 3.5.1.dfsg-2.1ubuntu1.1
+   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
+   Version table:
+  *** 3.5.1.dfsg-2.1ubuntu1.1 500
+ 500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+ 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
+ 100 /var/lib/dpkg/status
+  3.5.1.dfsg-2.1ubuntu1 500
+ 500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
-   Installed: 3.5.1.dfsg-2.1ubuntu1.1
-   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
-   Version table:
-  *** 3.5.1.dfsg-2.1ubuntu1.1 500
- 500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
- 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
- 100 /var/lib/dpkg/status
-  3.5.1.dfsg-2.1ubuntu1 500
- 500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 3.5.1.dfsg-2.1ubuntu1.1
+   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
+   Version table:
+  *** 3.5.1.dfsg-2.1ubuntu1.1 500
+ 500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
+ 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
+ 100 /var/lib/dpkg/status
+  3.5.1.dfsg-2.1ubuntu1 500
+ 500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[ChristianEhrhardt]

I ran some extra QA over the fix as I prepared it for Artful and all
tests were good, so pushing there to fix the current development release
- it should be in artful-proposed soon and auto-close here once
(hopefully) migrating cleanly.

>From there as I outlined it is about preparing and verifying extra
cautiously for the stable release updates - I'll add tasks for this.

** Also affects: nagios3 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: nagios3 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: nagios3 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: nagios3 (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: nagios3 (Ubuntu)
   Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: nagios3 (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: nagios3 (Ubuntu Yakkety)
   Status: New => Triaged

** Changed in: nagios3 (Ubuntu Zesty)
   Status: New => Triaged

** Changed in: nagios3 (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: nagios3 (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: nagios3 (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: nagios3 (Ubuntu Zesty)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[ChristianEhrhardt]

Hi Aaron,
yeah this will be needed throughout all releases with affected versions.
We can't just pick a few or an upgrade e.g. from Xenial to Yakkety would be a 
regression.
The first step is to push it to Artful and for that it is fine already.

A backport seems possible, just someone needs the cycles to do so.
I understand you marked it as security which is correct, but not as in needs to 
be done yesterday.
That said it will compete with the other bugs in the queue to be handled.

If you would want to volunteer to help with that there are a few things to do 
here.
First of all we need a proper SRU Template [1] at the top of the description - 
and especially some detailed steps how to test and verify would help the SRU 
process int this case.
Furthermore we founded the Ubuntu Server Bug Squashing Day [2], and if instead 
of waiting you always wanted to learn to package such fixes to drive this even 
more - feel free to catch us there (or at any time in general).

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template
[2]: https://wiki.ubuntu.com/ServerTeam/BugSquashingDay

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

Hi Christian,

Thanks for the rapid response!

Had a little trouble with using that PPA in the usual fashion as I'm
running Nagios on Xenial and that PPA is for Artful.

That said, I manually downloaded the .deb files for the nagios3-cgi and
nagios3-common packages and installed them under Xenial and I can
confirm that it does indeed solve the problem.

Is it going to be possible to backport this fix to the official Xenial
repos at some point? As Trusty also appears to run Nagios 3.5.1, it's
quite likely it will need this patch too.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[ChristianEhrhardt]

Hi Aaron,
thanks for your report and your detailed pre-analysis.
That helps to make Ubuntu better!

I checked and agree that the patch itself is a rather easy backport.
Yet OTOH I'm as far from a nagios expert as I could be.

So for now I created a "what if" build for the current development release 
(artful).
The test builds of 3.5.1.dfsg-2.1ubuntu6 are available soon (currently 
building) at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2741

If you could try if that really fixes the issue on the 3.x series as
well as expected that would be great!

** Changed in: nagios3 (Ubuntu)
   Status: New => Triaged

** Changed in: nagios3 (Ubuntu)
   Importance: Undecided => Medium

** Tags added: server-next

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

[Aaron B. Russell]

Marked this as a security issue as the bug can cause Nagios to leak data
to users who should not see it, if that's wasn't the right thing to do
please feel free to revert that.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs