[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
** Changed in: nagios3 (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu3.3

---
nagios3 (3.5.1.dfsg-2.1ubuntu3.3) yakkety-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers  Tue, 06 Jun 2017 07:32:05 -0400

** Changed in: nagios3 (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9566

** Changed in: nagios3 (Ubuntu Trusty)
       Status: Fix Committed => Fix Released
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
This bug was fixed in the package nagios3 - 3.5.1-1ubuntu1.3

---
nagios3 (3.5.1-1ubuntu1.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers  Tue, 06 Jun 2017 07:33:27 -0400
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu1.2

---
nagios3 (3.5.1.dfsg-2.1ubuntu1.2) xenial; urgency=medium

  * debian/patches/fix_permissions_for_hostgroups_reports.patch: Fix
    permissions for hostgroups reports. Thanks to John C. Frickson.
    Closes LP: #1686768.

 -- aa...@unadopted.co.uk (Aaron B. Russell)  Wed, 10 May 2017 22:43:53 +0100

** Changed in: nagios3 (Ubuntu Xenial)
       Status: Fix Committed => Fix Released
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
If it was only tested on xenial then the rest has not yet been tested -
switching the tags to show the right state of testing.
Someone still needs to perform the testing on zesty, yakkety and trusty.

** Tags removed: verification-done
** Tags added: verification-done-xenial verification-needed
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Under xenial, 3.5.1.dfsg-2.1ubuntu1.2 resolves the issue for me.

** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Hello Aaron, or anyone else affected,

Accepted nagios3 into zesty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu5.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag from
verification-needed to verification-done. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help us
make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Tags added: verification-needed
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Hi,
the differences I'd expect are down to headers and changelog style, but
absolutely good enough IMHO, and I totally like how actively you
participate.

So I was reviewing that the patches are actually the same across all
versions (they are) and giving it a trial build. Also I saw on my test
runs that all Dep8 tests on all releases seem to be good as well.

That said, sponsoring your work now, thanks for the patches.

Note to myself - related bileto tickets:
https://bileto.ubuntu.com/#/ticket/2765
https://bileto.ubuntu.com/#/ticket/2766

Once the SRU Team approves your contribution, the proposed verification
on these releases would be the next step where you could help a lot.

** Changed in: nagios3 (Ubuntu Trusty)
       Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Xenial)
       Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Yakkety)
       Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Zesty)
       Status: Triaged => Fix Committed
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
** Patch added: "Patch for Yakkety"
   https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875696/+files/nagios-fix-yakkety.debdiff
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
** Patch added: "Patch for Trusty"
   https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875695/+files/nagios-fix-trusty.debdiff
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
** Patch added: "Patch for Zesty"
   https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875697/+files/nagios-fix-zesty.debdiff
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
** Patch added: "Patch for Xenial"
   https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4874912/+files/nagios-fix-xenial.debdiff
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu6

---
nagios3 (3.5.1.dfsg-2.1ubuntu6) artful; urgency=medium

  * debian/patches/ubuntu/Fix-permissions-for-Host-Groups-reports.patch:
    Fix leaking hosts to restricted contacts as in upstream tracker
    http://tracker.nagios.org/view.php?id=619 (LP: #1686768).

 -- Christian Ehrhardt  Fri, 28 Apr 2017 10:00:38 +0200

** Changed in: nagios3 (Ubuntu)
       Status: Fix Committed => Fix Released

** Bug watch added: tracker.nagios.org/ #619
   http://tracker.nagios.org/view.php?id=619
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Hi Christian,

I've added an SRU template to the top of the description, hope this is
sufficient? I've also joined the #ubuntu-server IRC channel (as aaronr),
so if there's anything further I can do to help push this fix through
just let me know and I'd be happy to do so.

** Description changed:

+ [Impact]
+ 
+  * It is possible for users to see information about servers that they
+ have not been given permission to see
+ 
+  * A fix should be backported because this is a security problem and
+ causes Nagios to leak data
+ 
+  * The patch introduces the proper checks on hostgroup permissions as
+ per Nagios 4.2.2
+ 
+ [Test Case]
+ 
+  * Configure Nagios to monitor multiple servers
+  * Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
+  * Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
+  * Set the contact_groups property for one of the servers to be "admins,oneserver"
+  * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
+  * Login to Nagios as "jbloggs"
+  * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)
+ 
+ [Regression Potential]
+ 
+  * It's possible that this may create other issues when viewing
+ hostgroups in the Nagios web interface although I have not seen any such
+ issues, and this fix was deemed to be acceptable by the Nagios core team
+ in Nagios 4.2.2 (tracker link below) so I think the chances of any
+ issues are very low.
+ 
+ [Other Info]
+ 
+  * This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
+  * This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version
+ 
+ [Original Description]
+ 
  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are in
  the same hostgroup.
  
  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7&t=21794
  
  It was fixed in Nagios 4.2.2 here:
  https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78
  
  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.
  
  lsb_release -rd output:
  Description:    Ubuntu 16.04.2 LTS
  Release:        16.04
  
  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
-   Installed: 3.5.1.dfsg-2.1ubuntu1.1
-   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
-   Version table:
-  *** 3.5.1.dfsg-2.1ubuntu1.1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
-         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
-         100 /var/lib/dpkg/status
-      3.5.1.dfsg-2.1ubuntu1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 3.5.1.dfsg-2.1ubuntu1.1
+   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
+   Version table:
+  *** 3.5.1.dfsg-2.1ubuntu1.1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
+         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
+         100 /var/lib/dpkg/status
+      3.5.1.dfsg-2.1ubuntu1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
-   Installed: 3.5.1.dfsg-2.1ubuntu1.1
-   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
-   Version table:
-  *** 3.5.1.dfsg-2.1ubuntu1.1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
-         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
-         100 /var/lib/dpkg/status
-      3.5.1.dfsg-2.1ubuntu1 500
-         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+   Installed: 3.5.1.dfsg-2.1ubuntu1.1
+   Candidate: 3.5.1.dfsg-2.1ubuntu1.1
+   Version table:
+  *** 3.5.1.dfsg-2.1ubuntu1.1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
+         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
+         100 /var/lib/dpkg/status
+      3.5.1.dfsg-2.1ubuntu1 500
+         500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
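The authorization rule behind the [Test Case] in the message above, as an added illustration that is not Nagios code, not the backported patch, and not part of the bug report: a small Python model that parses constructed Nagios-style object definitions mirroring the test case (contacts nagiosadmin and jbloggs, contactgroups admins and oneserver, one host shared with oneserver, all hosts in one hostgroup) and compares two ways of filtering a hostgroup report. The group-level filter shows every member of a hostgroup once the contact is authorized for any member, which reproduces the leak the report describes; the per-host filter applies the contact's own authorization to each member, which is the kind of check the description says the fix introduces. The host names (web01, db01, mail01), the hostgroup name (production) and all function names are constructed for this example.

```python
"""Model of the hostgroup-report authorization flaw from LP: #1686768.

Added illustration only: the object definitions below are constructed to
mirror the bug's [Test Case], and the two report functions model the
described behaviour before and after the fix; neither is Nagios code.
"""
import re

# Constructed Nagios-style object definitions (not a real site's config).
SAMPLE_CFG = """
define contact {
    contact_name        nagiosadmin
}
define contact {
    contact_name        jbloggs
}
define contactgroup {
    contactgroup_name   admins
    members             nagiosadmin
}
define contactgroup {
    contactgroup_name   oneserver
    members             jbloggs
}
define host {
    host_name           web01
    contact_groups      admins,oneserver   ; the one server jbloggs may see
}
define host {
    host_name           db01
    contact_groups      admins
}
define host {
    host_name           mail01
    contact_groups      admins
}
define hostgroup {
    hostgroup_name      production
    members             web01,db01,mail01
}
"""

BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)


def parse_objects(text):
    """Parse 'define <type> { key value ... }' blocks into {type: [attrs]}."""
    objects = {}
    for obj_type, body in BLOCK_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.split(";", 1)[0].strip()  # ';' starts an inline comment
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.setdefault(obj_type, []).append(attrs)
    return objects


def split_list(value):
    """Split a comma-separated member list, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def is_authorized_for_host(objects, contact, host_name):
    """True when the contact is on the host directly or via a contactgroup."""
    groups = {g["contactgroup_name"]: set(split_list(g.get("members", "")))
              for g in objects.get("contactgroup", [])}
    for host in objects.get("host", []):
        if host["host_name"] != host_name:
            continue
        allowed = set(split_list(host.get("contacts", "")))
        for group in split_list(host.get("contact_groups", "")):
            allowed |= groups.get(group, set())
        return contact in allowed
    return False


def hostgroup_members(objects, hostgroup_name):
    """Member host names of a hostgroup, in definition order."""
    for group in objects.get("hostgroup", []):
        if group["hostgroup_name"] == hostgroup_name:
            return split_list(group.get("members", ""))
    return []


def hostgroup_report_vulnerable(objects, contact, hostgroup_name):
    """Group-level check: once the contact may see any member, list them all.

    Models the leak the report describes (a restricted contact sees the
    other servers in its hostgroup); it is not the CGI's actual code.
    """
    members = hostgroup_members(objects, hostgroup_name)
    if any(is_authorized_for_host(objects, contact, m) for m in members):
        return members
    return []


def hostgroup_report_fixed(objects, contact, hostgroup_name):
    """Per-host check: each member is filtered by the contact's own rights."""
    return [m for m in hostgroup_members(objects, hostgroup_name)
            if is_authorized_for_host(objects, contact, m)]


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CFG)
    for who in ("nagiosadmin", "jbloggs"):
        print(who, "before:", hostgroup_report_vulnerable(objs, who, "production"))
        print(who, "after: ", hostgroup_report_fixed(objs, who, "production"))
```

Running it shows jbloggs listed against all three hosts under the group-level rule and only web01 under the per-host rule, while nagiosadmin sees all three either way; the difference is exactly what the test case asks the tester to observe in the Hostgroups Summary and Grid views.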
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
I ran some extra QA over the fix as I prepared it for Artful and all
tests were good, so pushing there to fix the current development release
- it should be in artful-proposed soon and auto-close here once
(hopefully) migrating cleanly.

From there as I outlined it is about preparing and verifying extra
cautiously for the stable release updates - I'll add tasks for this.

** Also affects: nagios3 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: nagios3 (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: nagios3 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: nagios3 (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: nagios3 (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: nagios3 (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: nagios3 (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: nagios3 (Ubuntu Yakkety)
       Status: New => Triaged

** Changed in: nagios3 (Ubuntu Zesty)
       Status: New => Triaged

** Changed in: nagios3 (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: nagios3 (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: nagios3 (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: nagios3 (Ubuntu Zesty)
   Importance: Undecided => Medium
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Hi Aaron,
yeah, this will be needed throughout all releases with affected versions.
We can't just pick a few, or an upgrade e.g. from Xenial to Yakkety would
be a regression.

The first step is to push it to Artful and for that it is fine already.
A backport seems possible, just someone needs the cycles to do so.

I understand you marked it as security, which is correct, but not as in
"needs to be done yesterday". That said, it will compete with the other
bugs in the queue to be handled.

If you would want to volunteer to help with that, there are a few things
to do here. First of all we need a proper SRU Template [1] at the top of
the description - and especially some detailed steps on how to test and
verify would help the SRU process in this case.

Furthermore we founded the Ubuntu Server Bug Squashing Day [2], and if
instead of waiting you always wanted to learn to package such fixes to
drive this even more - feel free to catch us there (or at any time in
general).

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template
[2]: https://wiki.ubuntu.com/ServerTeam/BugSquashingDay
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Hi Christian,

Thanks for the rapid response! Had a little trouble with using that PPA in
the usual fashion as I'm running Nagios on Xenial and that PPA is for
Artful. That said, I manually downloaded the .deb files for the
nagios3-cgi and nagios3-common packages and installed them under Xenial
and I can confirm that it does indeed solve the problem.

Is it going to be possible to backport this fix to the official Xenial
repos at some point? As Trusty also appears to run Nagios 3.5.1, it's
quite likely it will need this patch too.
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Hi Aaron,
thanks for your report and your detailed pre-analysis. That helps to make
Ubuntu better!

I checked and agree that the patch itself is a rather easy backport. Yet
OTOH I'm as far from a nagios expert as I could be.

So for now I created a "what if" build for the current development
release (artful). The test builds of 3.5.1.dfsg-2.1ubuntu6 are available
soon (currently building) at
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2741

If you could try if that really fixes the issue on the 3.x series as well
as expected that would be great!

** Changed in: nagios3 (Ubuntu)
       Status: New => Triaged

** Changed in: nagios3 (Ubuntu)
   Importance: Undecided => Medium

** Tags added: server-next
[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
Marked this as a security issue as the bug can cause Nagios to leak data
to users who should not see it; if that wasn't the right thing to do,
please feel free to revert that.