*** This bug is a security vulnerability ***

Public security bug reported:

There is a problem with the hostgroups reports that allows restricted
contacts to see servers that do not belong to them provided they are in
the same hostgroup.

This issue was reported to the Nagios project in 2013 here (with
screenshots, sample configs, etc):
https://support.nagios.com/forum/viewtopic.php?f=7&t=21794

It was fixed in Nagios 4.2.2 here:
https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78

This problem exists in Nagios 3.5.x but did not exist under 3.2.x;
however, it seems likely that the fix in 4.2.2 could be backported to
Nagios 3.5.x.

lsb_release -rd output:
Description:    Ubuntu 16.04.2 LTS
Release:        16.04

apt-cache policy nagios3 nagios3-cgi output:
nagios3:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
nagios3-cgi:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

** Affects: nagios3 (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
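
An added example (not part of the original report and not Nagios code): a Python audit script for administrators that lists, per contact, the hosts sharing a hostgroup with that contact's own hosts, which are the hosts the report says a restricted contact could see in the hostgroup reports. It assumes contacts are assigned only through each host's `contacts` directive (no templates, contact groups or escalations); `SAMPLE_CFG`, `parse_objects`, `names` and `mixed_hostgroups` are hypothetical names and the sample objects are constructed.

```python
import re
from collections import defaultdict

# Constructed sample objects (not taken from the bug report).
SAMPLE_CFG = """
define host {
    host_name   web1
    contacts    alice
    hostgroups  linux-servers
}
define host {
    host_name   db1
    contacts    bob
}
define hostgroup {
    hostgroup_name  linux-servers
    members         db1
}
"""

def parse_objects(text):
    """Yield (object_type, {directive: value}) per 'define type { ... }' block."""
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        lines = (l.split(";", 1)[0].strip() for l in body.splitlines())
        yield kind, dict((l.split(None, 1) + [""])[:2] for l in lines if l and l[0] != "#")

def names(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def mixed_hostgroups(text):
    """Map contact -> [(hostgroup, host)] where host is not the contact's own."""
    contacts, members = {}, defaultdict(set)
    for kind, obj in parse_objects(text):
        if kind == "host":
            contacts[obj["host_name"]] = names(obj.get("contacts", ""))
            for group in names(obj.get("hostgroups", "")):
                members[group].add(obj["host_name"])
        elif kind == "hostgroup":
            members[obj["hostgroup_name"]] |= names(obj.get("members", ""))
    exposed = defaultdict(set)
    for group, hosts in members.items():
        for contact in set().union(*(contacts.get(h, set()) for h in hosts)):
            exposed[contact] |= {(group, h) for h in hosts
                                 if contact not in contacts.get(h, set())}
    return {c: sorted(v) for c, v in exposed.items() if v}

if __name__ == "__main__":
    for contact, hits in sorted(mixed_hostgroups(SAMPLE_CFG).items()):
        print(contact, hits)
```

An empty result means no hostgroup mixes hosts with different contact sets, so the hostgroup reports have nothing extra to reveal under the assumptions above.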