-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1825-1                    security@debian.org
http://www.debian.org/security/                                 Nico Golde
July 3rd, 2009                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : nagios2, nagios3
Vulnerability  : insufficient input validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2288


It was discovered that the statuswml.cgi script of nagios, a monitoring
and management system for hosts, services and networks, is prone to a
command injection vulnerability.  Input to the ping and traceroute parametersof the script is not properly validated which allows an attacker to execute
arbitrary shell commands by passing a crafted value to these parameters.


For the oldstable distribution (etch), this problem has been fixed in
version 2.6-2+etch3 of nagios2.

For the stable distribution (lenny), this problem has been fixed in
version 3.0.6-4~lenny2 of nagios3.

For the testing distribution (squeeze), this problem has been fixed in
version 3.0.6-5 of nagios3.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.6-5 of nagios3.


We recommend that you upgrade your nagios2/nagios3 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:    38428 42d830b18bfdeb3292cc926c81e93611
      Size/MD5 checksum:  2735504 900e3f4164f4b2a18485420eeaefe812
      Size/MD5 checksum:     1589 228a65351afe2ce6028c3e4b38a7dbd7

Architecture independent packages:

      Size/MD5 checksum:  2070624 a3d6285aa4ca170dff3ebc37c661a87f
      Size/MD5 checksum:    76976 46391e4a013e6f4b9d22e7529f5836c2

alpha architecture (DEC Alpha)

      Size/MD5 checksum:  1652478 eeb78e031b3e0df336d473738bb849c3
      Size/MD5 checksum:  2256566 1691fcda957f56aa58d4a564249e3cc3

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:  1533972 c161bf872c5d5e08188ab30d0ea47acc
      Size/MD5 checksum:  2537724 75ea70e06091246d69457b3206e7dd57

arm architecture (ARM)

      Size/MD5 checksum:  2219494 fac6212f49e1645e5e562753f342ea73
      Size/MD5 checksum:  1387152 40e50777dc68548be1cc4d9340074a78

armel architecture (ARM EABI)

      Size/MD5 checksum:  1444282 639e4563d6009d69c6684117a4d252cd
      Size/MD5 checksum:  2265242 a2874c655c74e88a52838fd0742544aa

hppa architecture (HP PA RISC)

      Size/MD5 checksum:  1557384 49575bfdb3ce7ade125e560586eae41f
      Size/MD5 checksum:  2362452 360e17eafca70d4124ef4aadb11498d1

i386 architecture (Intel ia32)

      Size/MD5 checksum:  1382416 bcce0eb86a0e94123b73650e49893193
      Size/MD5 checksum:  2330734 1819c7189c5b97029fee9004879de07b

ia64 architecture (Intel ia64)

      Size/MD5 checksum:  2422520 70702e5b4d7363a9a1d4c03b0abf41c7
      Size/MD5 checksum:  2250320 904aeb68937da12928f594bba319eb6d

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:  2510252 8fee75f656fcb82329f9a1fba8d9c80f
      Size/MD5 checksum:  1403106 2e5454f24388aec81e74bfde59a861ed

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:  2408904 5794b3ff1cc68160363c5f85145e8676
      Size/MD5 checksum:  1400836 575acb755aa91460a3dcb46d839d29d7

powerpc architecture (PowerPC)

      Size/MD5 checksum:  1528612 9443fc222234b9c08515e3f68c0bd9db
      Size/MD5 checksum:  2499118 19bec84cb0bbbd50e6074e5376d703e6

s390 architecture (IBM S/390)

      Size/MD5 checksum:  1395100 ed3894606ef6c2174cb8520aeca3d0bd
      Size/MD5 checksum:  2460168 d5da0fe521f64a2b2306eaca4ab250b2

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:  2204680 2cf9f082cdfacbd93f7ea7f2ce756a56
      Size/MD5 checksum:  1370882 60c41edc23d52753fe58c8884621279c


  These files will probably be moved into the stable distribution on
  its next update.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:      947 b9015c15569bb0a608729966e73eda3f
      Size/MD5 checksum:    28125 8c35b478b9731ce7f7bd7a08e22f551f
      Size/MD5 checksum:  1734400 a032edba07bf389b803ce817e9406c02

Architecture independent packages:

      Size/MD5 checksum:  1149448 9ed8464c5f69f3649d219df01d60dd42
      Size/MD5 checksum:    58848 9af8f3bbd8bb33bf43f5a65ba0498e48

alpha architecture (DEC Alpha)

      Size/MD5 checksum:  1698844 8ac4a327830b76ce635df9f27b40c31f
      Size/MD5 checksum:  1219946 74c451aba32bf1af3049fa4aa55aa7ba

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:  1097060 6efd47f2ee3ee8afad49427a2f834568
      Size/MD5 checksum:  1686050 510a3e84ffc77baa6ce8a24a7c6b3d68

arm architecture (ARM)

      Size/MD5 checksum:  1535814 5fe56d35cc5849cf95cedeacc6e0d818
      Size/MD5 checksum:  1023254 5ab12797ff209d89e72f4e4f5fd7dcef

hppa architecture (HP PA RISC)

      Size/MD5 checksum:  1146854 9d15019fe7a9f12373a93bb6e1811a2b
      Size/MD5 checksum:  1618176 5ccce2b7366ca4491dc17a7984da0a71

i386 architecture (Intel ia32)

      Size/MD5 checksum:  1015296 0121ad8ec5839b0f86b0774245fbff54
      Size/MD5 checksum:  1584546 8fa4ea83df2a32f2687d1f00f1f3fc21

ia64 architecture (Intel ia64)

      Size/MD5 checksum:  1709844 1d7b16f899f2da2b688abfb971debee2
      Size/MD5 checksum:  1618780 29a8a56b0d195ef1269c8b2d2fd9a866

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:  1704724 b5af7087fe2d19b835c6815c58dae46e
      Size/MD5 checksum:  1103170 ba8afb59a09a676000b35436156923c1

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:  1102940 3e02e9d3518b2492f4cc8b778ffeb0dd
      Size/MD5 checksum:  1659070 6d9cad7f7e2e7b1113e4199c3371caed

powerpc architecture (PowerPC)

      Size/MD5 checksum:  1087622 7115be653606065e657f644462bfa95f
      Size/MD5 checksum:  1665826 f1e3a852b49cb7070bffec7b20e00bb5

s390 architecture (IBM S/390)

      Size/MD5 checksum:  1000928 5fd2eb71da07df47ea4a8ae186ee920b
      Size/MD5 checksum:  1611830 ce74a264a7337e8b4db1d906738a351c

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   987636 a421762c82f57aff30fc2bc5bccf4ab7
      Size/MD5 checksum:  1481982 0358d5ce2bc53cc013ccc4fcba751f56


- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-1825-1: New nagios2/nagios3 packages fix arbitrary code execution

July 3, 2009

It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability

Summary

It was discovered that the statuswml.cgi script of nagios, a monitoring
and management system for hosts, services and networks, is prone to a
command injection vulnerability. Input to the ping and traceroute parametersof the script is not properly validated which allows an attacker to execute
arbitrary shell commands by passing a crafted value to these parameters.

For the oldstable distribution (etch), this problem has been fixed in
version 2.6-2+etch3 of nagios2.

For the stable distribution (lenny), this problem has been fixed in
version 3.0.6-4~lenny2 of nagios3.

For the testing distribution (squeeze), this problem has been fixed in
version 3.0.6-5 of nagios3.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.6-5 of nagios3.

We recommend that you upgrade your nagios2/nagios3 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 38428 42d830b18bfdeb3292cc926c81e93611
Size/MD5 checksum: 2735504 900e3f4164f4b2a18485420eeaefe812
Size/MD5 checksum: 1589 228a65351afe2ce6028c3e4b38a7dbd7

Architecture independent packages:

Size/MD5 checksum: 2070624 a3d6285aa4ca170dff3ebc37c661a87f
Size/MD5 checksum: 76976 46391e4a013e6f4b9d22e7529f5836c2

alpha architecture (DEC Alpha)

Size/MD5 checksum: 1652478 eeb78e031b3e0df336d473738bb849c3
Size/MD5 checksum: 2256566 1691fcda957f56aa58d4a564249e3cc3

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 1533972 c161bf872c5d5e08188ab30d0ea47acc
Size/MD5 checksum: 2537724 75ea70e06091246d69457b3206e7dd57

arm architecture (ARM)

Size/MD5 checksum: 2219494 fac6212f49e1645e5e562753f342ea73
Size/MD5 checksum: 1387152 40e50777dc68548be1cc4d9340074a78

armel architecture (ARM EABI)

Size/MD5 checksum: 1444282 639e4563d6009d69c6684117a4d252cd
Size/MD5 checksum: 2265242 a2874c655c74e88a52838fd0742544aa

hppa architecture (HP PA RISC)

Size/MD5 checksum: 1557384 49575bfdb3ce7ade125e560586eae41f
Size/MD5 checksum: 2362452 360e17eafca70d4124ef4aadb11498d1

i386 architecture (Intel ia32)

Size/MD5 checksum: 1382416 bcce0eb86a0e94123b73650e49893193
Size/MD5 checksum: 2330734 1819c7189c5b97029fee9004879de07b

ia64 architecture (Intel ia64)

Size/MD5 checksum: 2422520 70702e5b4d7363a9a1d4c03b0abf41c7
Size/MD5 checksum: 2250320 904aeb68937da12928f594bba319eb6d

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 2510252 8fee75f656fcb82329f9a1fba8d9c80f
Size/MD5 checksum: 1403106 2e5454f24388aec81e74bfde59a861ed

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 2408904 5794b3ff1cc68160363c5f85145e8676
Size/MD5 checksum: 1400836 575acb755aa91460a3dcb46d839d29d7

powerpc architecture (PowerPC)

Size/MD5 checksum: 1528612 9443fc222234b9c08515e3f68c0bd9db
Size/MD5 checksum: 2499118 19bec84cb0bbbd50e6074e5376d703e6

s390 architecture (IBM S/390)

Size/MD5 checksum: 1395100 ed3894606ef6c2174cb8520aeca3d0bd
Size/MD5 checksum: 2460168 d5da0fe521f64a2b2306eaca4ab250b2

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 2204680 2cf9f082cdfacbd93f7ea7f2ce756a56
Size/MD5 checksum: 1370882 60c41edc23d52753fe58c8884621279c

These files will probably be moved into the stable distribution on
its next update.

Debian GNU/Linux 4.0 alias etch

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 947 b9015c15569bb0a608729966e73eda3f
Size/MD5 checksum: 28125 8c35b478b9731ce7f7bd7a08e22f551f
Size/MD5 checksum: 1734400 a032edba07bf389b803ce817e9406c02

Architecture independent packages:

Size/MD5 checksum: 1149448 9ed8464c5f69f3649d219df01d60dd42
Size/MD5 checksum: 58848 9af8f3bbd8bb33bf43f5a65ba0498e48

alpha architecture (DEC Alpha)

Size/MD5 checksum: 1698844 8ac4a327830b76ce635df9f27b40c31f
Size/MD5 checksum: 1219946 74c451aba32bf1af3049fa4aa55aa7ba

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 1097060 6efd47f2ee3ee8afad49427a2f834568
Size/MD5 checksum: 1686050 510a3e84ffc77baa6ce8a24a7c6b3d68

arm architecture (ARM)

Size/MD5 checksum: 1535814 5fe56d35cc5849cf95cedeacc6e0d818
Size/MD5 checksum: 1023254 5ab12797ff209d89e72f4e4f5fd7dcef

hppa architecture (HP PA RISC)

Size/MD5 checksum: 1146854 9d15019fe7a9f12373a93bb6e1811a2b
Size/MD5 checksum: 1618176 5ccce2b7366ca4491dc17a7984da0a71

i386 architecture (Intel ia32)

Size/MD5 checksum: 1015296 0121ad8ec5839b0f86b0774245fbff54
Size/MD5 checksum: 1584546 8fa4ea83df2a32f2687d1f00f1f3fc21

ia64 architecture (Intel ia64)

Size/MD5 checksum: 1709844 1d7b16f899f2da2b688abfb971debee2
Size/MD5 checksum: 1618780 29a8a56b0d195ef1269c8b2d2fd9a866

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 1704724 b5af7087fe2d19b835c6815c58dae46e
Size/MD5 checksum: 1103170 ba8afb59a09a676000b35436156923c1

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 1102940 3e02e9d3518b2492f4cc8b778ffeb0dd
Size/MD5 checksum: 1659070 6d9cad7f7e2e7b1113e4199c3371caed

powerpc architecture (PowerPC)

Size/MD5 checksum: 1087622 7115be653606065e657f644462bfa95f
Size/MD5 checksum: 1665826 f1e3a852b49cb7070bffec7b20e00bb5

s390 architecture (IBM S/390)

Size/MD5 checksum: 1000928 5fd2eb71da07df47ea4a8ae186ee920b
Size/MD5 checksum: 1611830 ce74a264a7337e8b4db1d906738a351c

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 987636 a421762c82f57aff30fc2bc5bccf4ab7
Size/MD5 checksum: 1481982 0358d5ce2bc53cc013ccc4fcba751f56

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/