Security issue

Arno Lehmann al at its-lehmann.de
Thu Nov 6 23:21:36 CET 2008


Hi,

06.11.2008 22:51, Tobias Scherbaum wrote:
> Andreas Ericsson wrote:
>> I'm hoping Ethan will have picked it up by tomorrow. I'll send an
>> announce and put up a nagios-3.0.5p1 or something for download unless
>> Ethan's done with that by the time I leave the office tomorrow (around
>> 17:00 GMT+1). Note that it won't be official until Ethan hits the big
>> release-bell and puts it up at nagios.org, but with some decent testing
>> beforehand, I'm sure he'll be a lot more trigger-happy ;-)
> 
> What about Nagios-2? I guess it is affected too, will there be patches
> as well?

As far as I know, Nagios 2 is not critically affected because it does 
not allow you to change configuration settings through the cgis.

That said, Nagios 2 will be vulnerable to the "prankster" level attacks.

I guess porting the session id stuff to the Nagios 2 cgis wouldn't be 
too hard (not that I volunteer - you wouldn't want to run a C program 
I touched ;-)

Arno

>   Tobias
> 
> 
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Nagios-devel mailing list
> Nagios-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-devel
> 

-- 
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
