On 30.01.2013 03:28, Mike Patterson wrote:
> Repoforge folks,
> It seems that the latest repoforge nagios (3.2.3) and icinga (1.7.2) as
> well as earlier versions have known vulnerabilities and exploits.
> http://www.cvedetails.com/vulnerability-list/vendor_id-1424/Nagios.html
> Nagios Core 3.4.4 and Icinga 1.8.4 address this.
> I'm humbly requesting updates for these.
> Apologies in advance if I'm requesting this in the wrong way.
> If anyone has suggestions for securing history.cgi in the meantime, I'd
> appreciate that as well.

Look at the patches I've put in the various git trees for their release. Upstream fixes active Icinga release trees 1.6.x, 1.7.x and 1.8.x for the sole reason of active package releases. (Ok, Debian Squeeze with 1.0.2 was fun for the packager).

https://www.icinga.org/2013/01/14/icinga-1-6-2-1-7-4-1-8-4-released/

So if you consider staying on the 1.7.x tree with your setup, try the tarball and the specfile. The patch backported into that tree can also be found there, and applies cleanly against 1.7.1 as well (Debian release for Wheezy).

https://git.icinga.org/?p=icinga-core.git;a=shortlog;h=refs/heads/r1.7

Even if 1.7.4 never hits repoforge, you will still have a valid upgrade path, since I pushed the up-to-date spec file for 1.8.4 on the day I released Icinga 1.8.4.

Though, I would clearly opt for a new Icinga build for newer package revisions. 1.8.x is the main supported tree, and 1.9.x will hit the stage soon (April 2013).

For Nagios - some might test the patch for 3.4.x against 3.2.3. I wouldn't opt, just for CVE reasons, to get a fully broken feature version into repoforge without proper testing. But that's left for anyone capable of testing Nagios releases.

kind regards,
Michael


--
DI (FH) Michael Friedrich

mail:     [email protected]
twitter:  https://twitter.com/dnsmichi
jabber:   [email protected]
irc:      irc.freenode.net/icinga dnsmichi

icinga open source monitoring
position: lead core developer
url:      https://www.icinga.org
_______________________________________________
users mailing list
[email protected]
http://lists.repoforge.org/mailman/listinfo/users
