Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 436
Alerts This Week
Warning Icon 1 436

Ubuntu 16.10 USN-3253-1 High Severity: Nagios Denial Of Service

ubuntu
Calendar Grey April 3, 2017
Dist Ubuntu Esm H88
Explore Ubuntu Security Notice USN-3253-1 detailing significant vulnerabilities in Nagios, offering essential steps for users to implement vital updates effectively
Several security issues were fixed in Nagios.

Summary

Several security issues were fixed in Nagios.

Software Description:

- nagios3: host/service/network monitoring and management system

Details:

It was discovered that Nagios incorrectly handled certain long strings. A

remote authenticated attacker could use this issue to cause Nagios to

crash, resulting in a denial of service, or possibly obtain sensitive

information. (CVE-2013-7108, CVE-2013-7205)

It was discovered that Nagios incorrectly handled certain long messages to

cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to

crash, resulting in a denial of service. (CVE-2014-1878)

Dawid Golunski discovered that Nagios incorrectly handled symlinks when

accessing log files. A local attacker could possibly use this issue to

elevate privileges. In the default installation of Ubuntu, this should be

prevented by the Yama link restrictions. (CVE-2016-9566)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  nagios3-cgi                     3.5.1.dfsg-2.1ubuntu3.1
  nagios3-core                    3.5.1.dfsg-2.1ubuntu3.1

Ubuntu 16.04 LTS:
  nagios3-cgi                     3.5.1.dfsg-2.1ubuntu1.1
  nagios3-core                    3.5.1.dfsg-2.1ubuntu1.1

Ubuntu 14.04 LTS:
  nagios3-cgi                     3.5.1-1ubuntu1.1
  nagios3-core                    3.5.1-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3253-1

CVE-2013-7108, CVE-2013-7205, CVE-2014-1878, CVE-2016-9566

April 03, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.