what you don't know can hurt you

Ubuntu Security Notice 287-1

Ubuntu Security Notice 287-1
Posted May 29, 2006
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 287-1: The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with an invalidly large Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges.

tags | advisory, remote, web, arbitrary, cgi
systems | linux, ubuntu
MD5 | 4adadba0298c4e39e2e1288d2f8a60e5

Ubuntu Security Notice 287-1

Change Mirror Download
===========================================================
Ubuntu Security Notice USN-287-1 May 29, 2006
nagios vulnerability
CVE-2006-2489
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

nagios-common

The problem can be corrected by upgrading the affected package to
version 2:1.3-0+pre6ubuntu0.2 (for Ubuntu 5.04), or
2:1.3-cvs.20050402-4ubuntu3.2 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

The nagios CGI scripts did not sufficiently check the validity of the
HTTP Content-Length attribute. By sending a specially crafted HTTP
request with an invalidly large Content-Length value to the Nagios
server, a remote attacker could exploit this to execute arbitrary code
with web server privileges.

Please note that the Apache 2 web server already checks for valid
Content-Length values, so installations using Apache 2 (the only web
server officially supported in Ubuntu) are not vulnerable to this
flaw.


Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-0+pre6ubuntu0.2.diff.gz
Size/MD5: 80449 1af54c94d8119c7838dd5daed1e50c9b
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-0+pre6ubuntu0.2.dsc
Size/MD5: 1010 7ce12d54ea17c24c898346995397e069
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3.orig.tar.gz
Size/MD5: 1625322 414d70e5269d5b8d7c21bf3ee129309f

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-0+pre6ubuntu0.2_all.deb
Size/MD5: 1213320 bb517ad62a0b4515b677fffa556086f9

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.2_amd64.deb
Size/MD5: 994506 a5115aa68e435a3727f066addedb20c7
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-0+pre6ubuntu0.2_amd64.deb
Size/MD5: 1006602 29d2add2204db681b02c6345bb23c8ee
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-0+pre6ubuntu0.2_amd64.deb
Size/MD5: 976218 026ea6069f7e240c501e40cc45d995a4

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.2_i386.deb
Size/MD5: 872622 88340a6009fa9ca6e19d1d83967d47d0
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-0+pre6ubuntu0.2_i386.deb
Size/MD5: 882350 26502350bfee23fbf3bba4297d4f73c1
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-0+pre6ubuntu0.2_i386.deb
Size/MD5: 857930 f8f30305908113a31559f24d11d6d36d

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.2_powerpc.deb
Size/MD5: 1003054 5710e195a858bd6e425e302dc1e8268b
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-0+pre6ubuntu0.2_powerpc.deb
Size/MD5: 1010828 585a23296ea4a6e29141fa6cc8c6c39e
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-0+pre6ubuntu0.2_powerpc.deb
Size/MD5: 970178 bcf95bae9783327b461f6c06dcfd6edb

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-4ubuntu3.2.diff.gz
Size/MD5: 73095 6415cb60826aacb697b6d5e8e2ce2987
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-4ubuntu3.2.dsc
Size/MD5: 1039 40c86a1a990d82fa0c5608ad6d73c0d5
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402.orig.tar.gz
Size/MD5: 1621251 0f92b7b8e705411b7881d3650cbb5d56

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-cvs.20050402-4ubuntu3.2_all.deb
Size/MD5: 1221338 8242fbb490a4f669f3f06eddb2b6439e

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.2_amd64.deb
Size/MD5: 1030086 4833dee00a8e7dd04469fcda70184cf6
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-4ubuntu3.2_amd64.deb
Size/MD5: 1041982 bfe2bee8ee08e6e45cce8bf905736e3b
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-4ubuntu3.2_amd64.deb
Size/MD5: 1025714 c3f7679dd7e03cc7ef91178bb8943af1

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.2_i386.deb
Size/MD5: 879066 4c9e26642676ae206c90cd68b44ec538
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-4ubuntu3.2_i386.deb
Size/MD5: 888082 ce822ce820e27ef762682cd97dbbb337
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-4ubuntu3.2_i386.deb
Size/MD5: 873920 3e1d92b025ae309f46b2d691b51db02b

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.2_powerpc.deb
Size/MD5: 1016168 11c4008421bfc4e55bea551e2fc8790d
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-pgsql_1.3-cvs.20050402-4ubuntu3.2_powerpc.deb
Size/MD5: 1025252 6b5d28ba018cb646d8b8841d99d7a728
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-text_1.3-cvs.20050402-4ubuntu3.2_powerpc.deb
Size/MD5: 993540 a89f026455e66828508e498f1c407356

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close