Mageia 2019-0104: nagios security update
Summary
A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_help
function is prone to a NULL pointer dereference vulnerability, which allows
an attacker to cause a local denial-of-service condition by sending a crafted
payload to the listening UNIX socket (CVE-2018-13441).

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_echo
function is prone to a NULL pointer dereference vulnerability, which allows
an attacker to cause a local denial-of-service condition by sending a crafted
payload to the listening UNIX socket (CVE-2018-13457).

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_core
function is prone to a NULL pointer dereference vulnerability, which allows
an attacker to cause a local denial-of-service condition by sending a crafted
payload to the listening UNIX socket (CVE-2018-13458).

A cross-site scripting (XSS) vulnerability has been discovered in Nagios
Core. This vulnerability allows attackers to place malicious JavaScript
code into the web frontend through manipulation of plugin output. To do
this, the attacker needs to be able to manipulate the output returned
by Nagios checks, e.g. by replacing a plugin on one of the monitored
endpoints. Execution of the payload then requires that an authenticated
user creates an alert summary report which contains the corresponding
output (CVE-2018-18245).
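
Until the update is installed, logged plugin output can be reviewed for markup before anyone builds an alert summary report from it. The following is an added example, not code from this advisory or from the Nagios project: it assumes the usual semicolon-separated alert lines in nagios.log, the function names are hypothetical, and the sample lines are constructed.

```python
import html
import re

# Assumed nagios.log alert layouts:
#   [epoch] SERVICE ALERT: host;service;state;state_type;attempt;plugin output
#   [epoch] HOST ALERT: host;state;state_type;attempt;plugin output
ALERT_RE = re.compile(r"^\[(\d+)\] (SERVICE|HOST) ALERT: (.*)$")
# Heuristic: anything shaped like an HTML tag in plugin output. Some plugins
# emit links on purpose, so treat hits as items to review, not as proof.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def parse_alert(line):
    """Return (epoch, kind, host, service, output), or None if not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    kind = m.group(2)
    nfields = 6 if kind == "SERVICE" else 5
    # Plugin output is the last field and may contain ';', so bound the split.
    parts = m.group(3).split(";", nfields - 1)
    if len(parts) != nfields:
        return None
    service = parts[1] if kind == "SERVICE" else None
    return int(m.group(1)), kind, parts[0], service, parts[-1]


def flag_markup(lines):
    """List alerts whose plugin output contains tag-like markup."""
    hits = []
    for line in lines:
        rec = parse_alert(line)
        if rec and TAG_RE.search(rec[4]):
            epoch, kind, host, service, output = rec
            hits.append({"epoch": epoch, "kind": kind, "host": host, "service": service,
                         "escaped": html.escape(output, quote=True)})
    return hits


# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    "[1546300800] SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;HTTP CRITICAL - 503; retry later",
    "[1546300860] SERVICE ALERT: db01;Disk;WARNING;SOFT;1;DISK WARNING <script>alert(1)</script>",
    "[1546300920] HOST ALERT: mail01;DOWN;HARD;5;PING CRITICAL - Packet loss = 100%",
    "[1546300980] SERVICE NOTIFICATION: admin;web01;HTTP;CRITICAL;notify-by-email;HTTP CRITICAL",
]

if __name__ == "__main__":
    for hit in flag_markup(SAMPLE_LOG):
        print(hit)
```

The `escaped` field shows the form in which such output is safe to display in an HTML page.
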
References
- https://bugs.mageia.org/show_bug.cgi?id=24290
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EGOZ3JA6TL3YUZ3XWYQ47OYQAJTWOTL/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13441
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13458
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18245
Resolution
MGASA-2019-0104 - Updated nagios packages fix security vulnerability
SRPMS
- 6/core/nagios-4.3.1-2.2.mga6