Mandriva Linux Security Advisory 2013-028 - Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long host_name variable svc_description variable. The updated packages have been patched to correct this issue.
92159bed908d90201ccd67aa806df2fd0aee85b7350ebb73a865dc48241f7458
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:028
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : nagios
Date : March 18, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in nagios:
Multiple stack-based buffer overflows in the get_history function
in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before
1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote
attackers to execute arbitrary code via a long (1) host_name variable
(host parameter) or (2) svc_description variable (CVE-2012-6096).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
dabb598af3a93d05169d3dab9f12b69d mes5/i586/nagios-3.1.2-0.4mdvmes5.2.i586.rpm
df33f1ed27f9d74f3fa4ea5d4a347c70 mes5/i586/nagios-devel-3.1.2-0.4mdvmes5.2.i586.rpm
d1ea00c20f13f6d9aa7773f4f137ebeb mes5/i586/nagios-theme-default-3.1.2-0.4mdvmes5.2.i586.rpm
ab09d902b27ca0da9230b9cb4d9a5f8f mes5/i586/nagios-www-3.1.2-0.4mdvmes5.2.i586.rpm
b95930b57fbb2d8560e26132f53ca233 mes5/SRPMS/nagios-3.1.2-0.4mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
5d12b28e4d7f5a523c95853faade8325 mes5/x86_64/nagios-3.1.2-0.4mdvmes5.2.x86_64.rpm
a83093a3df1b226ed8c612091e4446e6 mes5/x86_64/nagios-devel-3.1.2-0.4mdvmes5.2.x86_64.rpm
ab9ed42f03f622cee342cffa2016a408 mes5/x86_64/nagios-theme-default-3.1.2-0.4mdvmes5.2.x86_64.rpm
091de2efcc2767e53be2a6206f58a0ed mes5/x86_64/nagios-www-3.1.2-0.4mdvmes5.2.x86_64.rpm
b95930b57fbb2d8560e26132f53ca233 mes5/SRPMS/nagios-3.1.2-0.4mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFRRsFbmqjQ0CJFipgRAtU2AJ42QBioKwJS6mwIfZbOl6phJZox9wCfcv1X
WgtsHlxL/pqZ5Ud5qh1OJnA=
=Mxrq
-----END PGP SIGNATURE-----