Message-ID: <20060508103533.GE5658@piware.de>
Date: Mon, 8 May 2006 12:35:33 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-282-1] Nagios vulnerability

===========================================================
Ubuntu Security Notice USN-282-1	       May 08, 2006
nagios vulnerability
CVE-2006-2162
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

nagios-common

The problem can be corrected by upgrading the affected package to
version 2:1.3-0+pre6ubuntu0.1 (for Ubuntu 5.04), or
2:1.3-cvs.20050402-4ubuntu3.1 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

The nagios CGI scripts did not sufficiently check the validity of the
HTTP Content-Length attribute. By sending a specially crafted HTTP
request with a negative Content-Length value to the Nagios server, a
remote attacker could exploit this to execute arbitrary code with web
server privileges.

Please note that the Apache 2 web server already checks for valid
Content-Length values, so installations using Apache 2 (the only web
server officially supported in Ubuntu) are not vulnerable to this
flaw.
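
The kind of Content-Length check described above, as an added example in C. It is not code from Nagios or from the Ubuntu patch; the function names and the 64 KiB cap are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_POST_BYTES 65536UL /* assumed cap, chosen for this example */
/* Validate a CONTENT_LENGTH string as a CGI receives it from the web server.
 * Returns 0 and stores the length, or -1 if it is missing, empty, signed,
 * non-numeric, out of range, or larger than max_len. */
int parse_content_length(const char *s, unsigned long max_len, unsigned long *out)
{
    char *end;
    unsigned long v;
    /* Require a leading digit: strtoul() accepts "-1" and returns ULONG_MAX
     * without setting errno, and atoi() would yield a negative int. */
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max_len)
        return -1;
    *out = v;
    return 0;
}

/* Read exactly len body bytes into a new NUL-terminated buffer (caller frees).
 * len must already have been validated by parse_content_length(). */
char *read_post_body(FILE *in, unsigned long len)
{
    char *buf = malloc(len + 1); /* len <= max_len, so len + 1 cannot wrap */
    if (buf == NULL)
        return NULL;
    if (fread(buf, 1, len, in) != len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    unsigned long len;
    if (parse_content_length(getenv("CONTENT_LENGTH"), MAX_POST_BYTES, &len) != 0) {
        fputs("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad length\n", stdout);
        return 0;
    }
    char *body = read_post_body(stdin, len);
    printf("Content-Type: text/plain\r\n\r\nread %lu bytes\n", body ? len : 0UL);
    free(body);
    return 0;
}
```
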


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-0+pre6ubuntu0.1.diff.gz
      Size/MD5:    80281 7d71114ea6d8e11edb79133235e94951
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-0+pre6ubuntu0.1.dsc
      Size/MD5:     1010 611221f65f55763d607bd18754f5b46e
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3.orig.tar.gz
      Size/MD5:  1625322 414d70e5269d5b8d7c21bf3ee129309f

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-0+pre6ubuntu0.1_all.deb
      Size/MD5:  1213184 aef209a60989887c5e4828f8c6e5ed22

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.1_amd64.deb
      Size/MD5:   994148 caee3765a8cb8826cbfb83b6a80a93aa
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-0+pre6ubuntu0.1_amd64.deb
      Size/MD5:  1006218 331626a1400801648faa72261f72bc0f
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-0+pre6ubuntu0.1_amd64.deb
      Size/MD5:   975952 83b6c5a302ed299866fa717020c30d68

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.1_i386.deb
      Size/MD5:   872306 fcb37a47f0eff94a77d1a1e30205aeec
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-0+pre6ubuntu0.1_i386.deb
      Size/MD5:   882042 08b7590825e1d97807445e11859fb487
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-0+pre6ubuntu0.1_i386.deb
      Size/MD5:   857596 0feedae7fd082a9b566bdc52c2a69794

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.1_powerpc.deb
      Size/MD5:  1002618 f7267c0a908b37119bd1cc75a82f691a
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-0+pre6ubuntu0.1_powerpc.deb
      Size/MD5:  1010332 cd4882a8adaf882be52ca06c03a9f009
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-0+pre6ubuntu0.1_powerpc.deb
      Size/MD5:   969694 61692fa210eac3be4acc0ec31db859df

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-4ubuntu3.1.diff.gz
      Size/MD5:    72940 45eb9bb3f5d319ee26e54911766c3329
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-4ubuntu3.1.dsc
      Size/MD5:     1039 38ccfb2a73283d3407b9fe60533f98ff
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402.orig.tar.gz
      Size/MD5:  1621251 0f92b7b8e705411b7881d3650cbb5d56

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-cvs.20050402-4ubuntu3.1_all.deb
      Size/MD5:  1221180 8d5b4df9c227530749020ffb466ff2f2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.1_amd64.deb
      Size/MD5:  1029868 c8d76916a6910a2cbfe3ff1ba6ac5719
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-4ubuntu3.1_amd64.deb
      Size/MD5:  1041510 623c9b4b2e3ab693c9993ede121488a7
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-4ubuntu3.1_amd64.deb
      Size/MD5:  1025400 d37f7806f75fecda7f4b3d63491e0939

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.1_i386.deb
      Size/MD5:   878928 9ee514d4b91119f3ba6bfc6c1f62fbea
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-4ubuntu3.1_i386.deb
      Size/MD5:   887908 f8365be3ee3dd6aa19fbe61e80a51120
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-4ubuntu3.1_i386.deb
      Size/MD5:   873662 1c9aa6c22a19b705f7a3702b09fe6986

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.1_powerpc.deb
      Size/MD5:  1015848 74ebefb823c39c2b1cd54d3c8bcf80f3
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-4ubuntu3.1_powerpc.deb
      Size/MD5:  1024990 7e1a404b27a63d58644e2faa92f20217
    http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-4ubuntu3.1_powerpc.deb
      Size/MD5:   993116 ba19fcb9ba815eb4f47d8c75cebb8ee0
