nagios-4.4.6-2.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11073-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nagios-4.4.6-2.5 on GA media These are all security issues fixed in the nagios-4.4.6-2.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11073 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-2162/ SUSE CVE CVE-2006-2162 page https://www.suse.com/security/cve/CVE-2007-5803/ SUSE CVE CVE-2007-5803 page https://www.suse.com/security/cve/CVE-2008-4796/ SUSE CVE CVE-2008-4796 page https://www.suse.com/security/cve/CVE-2011-1523/ SUSE CVE CVE-2011-1523 page https://www.suse.com/security/cve/CVE-2013-2214/ SUSE CVE CVE-2013-2214 page https://www.suse.com/security/cve/CVE-2013-4214/ SUSE CVE CVE-2013-4214 page https://www.suse.com/security/cve/CVE-2013-7108/ SUSE CVE CVE-2013-7108 page https://www.suse.com/security/cve/CVE-2014-1878/ SUSE CVE CVE-2014-1878 page https://www.suse.com/security/cve/CVE-2016-0726/ SUSE CVE CVE-2016-0726 page https://www.suse.com/security/cve/CVE-2016-6209/ SUSE CVE CVE-2016-6209 page https://www.suse.com/security/cve/CVE-2016-8641/ SUSE CVE CVE-2016-8641 page https://www.suse.com/security/cve/CVE-2016-9566/ SUSE CVE CVE-2016-9566 page https://www.suse.com/security/cve/CVE-2017-12847/ SUSE CVE CVE-2017-12847 page https://www.suse.com/security/cve/CVE-2018-13441/ SUSE CVE CVE-2018-13441 page https://www.suse.com/security/cve/CVE-2018-18245/ SUSE CVE CVE-2018-18245 page https://www.suse.com/security/cve/CVE-2019-3698/ SUSE CVE CVE-2019-3698 page https://www.suse.com/security/cve/CVE-2020-13977/ SUSE CVE CVE-2020-13977 page openSUSE Tumbleweed nagios-4.4.6-2.5 nagios-contrib-4.4.6-2.5 nagios-devel-4.4.6-2.5 nagios-theme-exfoliation-4.4.6-2.5 nagios-www-4.4.6-2.5 nagios-www-dch-4.4.6-2.5 nagios-4.4.6-2.5 as a component of openSUSE Tumbleweed nagios-contrib-4.4.6-2.5 as a component of openSUSE Tumbleweed nagios-devel-4.4.6-2.5 as a component of openSUSE Tumbleweed nagios-theme-exfoliation-4.4.6-2.5 as a component of openSUSE Tumbleweed nagios-www-4.4.6-2.5 as a component of openSUSE Tumbleweed nagios-www-dch-4.4.6-2.5 as a component of openSUSE Tumbleweed Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header. CVE-2006-2162 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-2162.html CVE-2006-2162 https://bugzilla.suse.com/140494 SUSE Bug 140494 Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360. CVE-2007-5803 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-5803.html CVE-2007-5803 https://bugzilla.suse.com/339447 SUSE Bug 339447 The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. CVE-2008-4796 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4796.html CVE-2008-4796 https://bugzilla.suse.com/1015744 SUSE Bug 1015744 https://bugzilla.suse.com/1016483 SUSE Bug 1016483 Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter. CVE-2011-1523 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1523.html CVE-2011-1523 https://bugzilla.suse.com/682966 SUSE Bug 682966 https://bugzilla.suse.com/697895 SUSE Bug 697895 status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in status.cgi. NOTE: this behavior is by design in most 3.x versions, but the upstream vendor "decided to change it for Nagios 4" and 3.5.1. CVE-2013-2214 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2214.html CVE-2013-2214 https://bugzilla.suse.com/827020 SUSE Bug 827020 rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache. CVE-2013-4214 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 6.3 AV:L/AC:M/Au:N/C:N/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4214.html CVE-2013-4214 https://bugzilla.suse.com/845536 SUSE Bug 845536 Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read. CVE-2013-7108 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-7108.html CVE-2013-7108 https://bugzilla.suse.com/856837 SUSE Bug 856837 Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. CVE-2014-1878 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1878.html CVE-2014-1878 https://bugzilla.suse.com/864843 SUSE Bug 864843 The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. CVE-2016-0726 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0726.html CVE-2016-0726 https://bugzilla.suse.com/961115 SUSE Bug 961115 Cross-site scripting (XSS) vulnerability in Nagios. CVE-2016-6209 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6209.html CVE-2016-6209 https://bugzilla.suse.com/989759 SUSE Bug 989759 A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change. CVE-2016-8641 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8641.html CVE-2016-8641 https://bugzilla.suse.com/1011630 SUSE Bug 1011630 https://bugzilla.suse.com/1018047 SUSE Bug 1018047 base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. CVE-2016-9566 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 important 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9566.html CVE-2016-9566 https://bugzilla.suse.com/1014637 SUSE Bug 1014637 Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command. CVE-2017-12847 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4.6 AV:L/AC:L/Au:S/C:N/I:N/A:C 6.3 AV:L/AC:M/Au:N/C:N/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12847.html CVE-2017-12847 https://bugzilla.suse.com/1054163 SUSE Bug 1054163 qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. CVE-2018-13441 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-13441.html CVE-2018-13441 https://bugzilla.suse.com/1101293 SUSE Bug 1101293 Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE. CVE-2018-18245 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18245.html CVE-2018-18245 https://bugzilla.suse.com/1119832 SUSE Bug 1119832 UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise Server 12 nagios version 3.5.1-5.27 and prior versions. SUSE Linux Enterprise Server 11 nagios version 3.0.6-1.25.36.3.1 and prior versions. openSUSE Factory nagios version 4.4.5-2.1 and prior versions. CVE-2019-3698 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-3698.html CVE-2019-3698 https://bugzilla.suse.com/1150550 SUSE Bug 1150550 https://bugzilla.suse.com/1156309 SUSE Bug 1156309 Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408. CVE-2020-13977 openSUSE Tumbleweed:nagios-4.4.6-2.5 openSUSE Tumbleweed:nagios-contrib-4.4.6-2.5 openSUSE Tumbleweed:nagios-devel-4.4.6-2.5 openSUSE Tumbleweed:nagios-theme-exfoliation-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-4.4.6-2.5 openSUSE Tumbleweed:nagios-www-dch-4.4.6-2.5 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-13977.html CVE-2020-13977 https://bugzilla.suse.com/1172794 SUSE Bug 1172794