[RHSA-2017:0213-01] Important: nagios security update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: nagios security update

Advisory ID: RHSA-2017:0213-01

Product: Red Hat Enterprise Linux OpenStack Platform

Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0213.html

Issue date: 2017-01-31

CVE Names: CVE-2008-7313 CVE-2014-5008 CVE-2014-5009

CVE-2016-9565 CVE-2016-9566

=====================================================================

 

1. Summary:

 

An update for nagios is now available for Red Hat Enterprise Linux

OpenStack Platform 6.0 (Juno) for RHEL 7.

 

Red Hat Product Security has rated this update as having a security impact

of Important. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available for each vulnerability

from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 - x86_64

 

3. Description:

 

Nagios is a program that monitors hosts and services on your network, and

has the ability to send email or page alerts when a problem arises or is

resolved. Nagios is written in C and designed to run under Linux (and some

other *NIX variants) as a background process, intermittently running checks

on various services that you specify. The actual service checks are

performed by separate "plugin" programs which return the status of the

checks to Nagios. Nagios plugins are available at

http://sourceforge.net/projects/nagiosplug. This package provides the core

program, web interface, and documentation files for Nagios. Development

files are built as a separate package.

 

Security Fix(es):

 

* Various command-execution flaws were found in the Snoopy library included

with Nagios. These flaws allowed remote attackers to execute arbitrary

commands by manipulating Nagios HTTP headers. (CVE-2008-7313,

CVE-2014-5008, CVE-2014-5009)

 

* It was found that an attacker who could control the content of an RSS

feed could execute code remotely using the Nagios web interface. This flaw

could be used to gain access to the remote system and in some scenarios

control over the system. (CVE-2016-9565)

 

* A privileges flaw was found in Nagios where log files were unsafely

handled. An attacker who could control Nagios logging configuration

('nagios' user/group) could exploit the flaw to elevate their access to

that of a privileged user. (CVE-2016-9566)

 

Red Hat would like to thank Dawid Golunski for reporting CVE-2016-9565 and

CVE-2016-9566.

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1121497 - CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws

1402869 - CVE-2016-9566 nagios: Privilege escalation issue

1405363 - CVE-2016-9565 nagios: Command injection via curl in MagpieRSS

 

6. Package List:

 

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7:

 

Source:

nagios-3.5.1-9.el7.src.rpm

 

x86_64:

nagios-3.5.1-9.el7.x86_64.rpm

nagios-common-3.5.1-9.el7.x86_64.rpm

nagios-debuginfo-3.5.1-9.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2008-7313

https://access.redhat.com/security/cve/CVE-2014-5008

https://access.redhat.com/security/cve/CVE-2014-5009

https://access.redhat.com/security/cve/CVE-2016-9565

https://access.redhat.com/security/cve/CVE-2016-9566

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFYkCboXlSAg2UNWIIRAsmUAJ4tJSZySTUHya4D1w27YCjsm+FAuQCdFWk3

0H0wbFF90Xpv7BMPSYQMwjU=

=LJos

-----END PGP SIGNATURE-----

 

 

--