Security issue

Andreas Ericsson ae at op5.se
Thu Nov 6 17:18:04 CET 2008


Andreas Ericsson wrote:
> Jim Perrin wrote:
>> On Thu, Nov 6, 2008 at 6:45 AM, Andreas Ericsson <ae at op5.se> wrote:
>>
>>> Hope that clears things up a bit.
>> Thanks for the rather thorough layman's explanation of this. Is there
>> an estimate for when these fixes will be rolled into the stable tree
>> for nagios?
>>
> 
> In-form session token support was completed about five minutes ago. I'm
> doing some basic testing right now and will push this to my git repo at
> git://git.op5.org (as 'csrf' branch).


Pushed, along with all the discovered breakages when submitting commands
to Nagios (they're in the same branch). Please try it out. It should stash
session data in /tmp/.ncgi-form-session-tokens/<SHA1>, but will try to
create the folder if it doesn't exist.

For those that want an instant snapshot to play with that includes the
fixes, here's the link:

http://git.op5.org/git/?p=nagios.git;a=snapshot;h=0cbb25652a9cb7c3d7b1b56920f2df9281ebc947;sf=tgz

Note that it's created directly from the git repository and will unpack
to a directory named 0cbb25652a9cb7c3d7b1b56920f2df9281ebc947. It can be
compiled and installed as usual though.

Please report any breakages here on nagios-devel@ and try to avoid double-
postings. Thanks.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
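
A sketch of a token store like the one described in the message above, added here as an example; it is not code from Nagios or from the 'csrf' branch. It assumes each token is a 40-character hex name (the same shape as a SHA-1) stored as an empty file and accepted once; the function names `open_token_dir`, `issue_token` and `consume_token` are hypothetical. Because /tmp is world-writable, the directory is checked after the create attempt rather than trusted.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TOKEN_HEX_LEN 40 /* assumption: token named like a hex SHA-1 */

/* Create the store if missing, then accept it only if it is a real directory
 * (not a symlink), owned by this user, with no group/other permission bits. */
int open_token_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid() || (st.st_mode & 077)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Issue a token: 20 bytes from /dev/urandom, hex-encoded, stored via O_EXCL. */
int issue_token(int dirfd, char out[TOKEN_HEX_LEN + 1])
{
    unsigned char raw[TOKEN_HEX_LEN / 2];
    int rnd = open("/dev/urandom", O_RDONLY);
    ssize_t got = rnd < 0 ? -1 : read(rnd, raw, sizeof raw);
    if (rnd >= 0)
        close(rnd);
    if (got != (ssize_t)sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(out + 2 * i, "%02x", raw[i]);
    int fd = openat(dirfd, out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Accept once: hex check keeps "../" out; unlinkat() validates and spends. */
int consume_token(int dirfd, const char *tok)
{
    if (strlen(tok) != TOKEN_HEX_LEN || strspn(tok, "0123456789abcdef") != TOKEN_HEX_LEN)
        return 0;
    return unlinkat(dirfd, tok, 0) == 0;
}
```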
