what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2014-004

Mandriva Linux Security Advisory 2014-004
Posted Jan 16, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-004 - Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service via a long string in the last key value in the variable list to the process_cgivars function in extinfo.c, status.c, trends.c in cgi/, which triggers a heap-based buffer over-read. Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, cgi
systems | linux, mandriva
advisories | CVE-2013-7108, CVE-2013-7205
SHA-256 | 2a8a2c2fafea3404e1ed0dab309c14b4a4dc58b3300bfb3a8153d0ae8063119f

Mandriva Linux Security Advisory 2014-004

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:004
https://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : nagios
Date : January 16, 2014
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in nagios:

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier,
and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2
allow remote authenticated users to obtain sensitive information from
process memory or cause a denial of service (crash) via a long string
in the last key value in the variable list to the process_cgivars
function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c,
(5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c,
(9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which
triggers a heap-based buffer over-read (CVE-2013-7108).

Off-by-one error in the process_cgivars function in contrib/daemonchk.c
in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated
users to obtain sensitive information from process memory or cause
a denial of service (crash) via a long string in the last key value
in the variable list, which triggers a heap-based buffer over-read
(CVE-2013-7205).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7205
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
b0f9766b9c800cabc2d48c3cd6a0d754 mes5/i586/nagios-3.1.2-0.5mdvmes5.2.i586.rpm
250e0e806816abe05be0d6492800d15c mes5/i586/nagios-devel-3.1.2-0.5mdvmes5.2.i586.rpm
4e38af03680cdaf6943a3cda473147e7 mes5/i586/nagios-theme-default-3.1.2-0.5mdvmes5.2.i586.rpm
1b34d425d31cd67ce1e119dbbe1d2a34 mes5/i586/nagios-www-3.1.2-0.5mdvmes5.2.i586.rpm
54aa5cd353453a0400674ab7d92b3154 mes5/SRPMS/nagios-3.1.2-0.5mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
b748f8bd42b90b12d57370aabfef21b9 mes5/x86_64/nagios-3.1.2-0.5mdvmes5.2.x86_64.rpm
346d9552cc42bd664e99006bcfd15730 mes5/x86_64/nagios-devel-3.1.2-0.5mdvmes5.2.x86_64.rpm
4cb14dea2cf09787d2d187969cc00590 mes5/x86_64/nagios-theme-default-3.1.2-0.5mdvmes5.2.x86_64.rpm
d66f5f485845c0039d8083d0af38379f mes5/x86_64/nagios-www-3.1.2-0.5mdvmes5.2.x86_64.rpm
54aa5cd353453a0400674ab7d92b3154 mes5/SRPMS/nagios-3.1.2-0.5mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
25b21259455d7fd14f58191c136490d5 mbs1/x86_64/nagios-3.4.4-4.1.mbs1.x86_64.rpm
368959c2c78bd6bf48ed10d84e440d0c mbs1/x86_64/nagios-devel-3.4.4-4.1.mbs1.x86_64.rpm
cfd069de34d3de15f7b80bb5ffb07d8c mbs1/x86_64/nagios-www-3.4.4-4.1.mbs1.x86_64.rpm
4db6f650ab30c32be4a7ab574d0c8225 mbs1/SRPMS/nagios-3.4.4-4.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

https://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD4DBQFS19vmmqjQ0CJFipgRAlFYAJ9xfMNIFUkECvfs5uTpy97yRE31VwCXcVjC
8WDQGFeiI1jbLTbleK4TBg==
=DSkb
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close