Your message dated Sun, 5 Oct 2014 09:45:43 +0200
with message-id <[email protected]>
and subject line Re: Bug#708303: [Pkg-nagios-devel] Bug#708303: nagios3-cgi: 
Don't Miss and Latest News result in insecure page warning from some browsers
has caused the Debian Bug report #708303,
regarding nagios3-cgi: Don't Miss and Latest News result in insecure page 
warning from some browsers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
708303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708303
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios3-cgi
Version: 3.4.1-3
Severity: normal
Tags: upstream

(1) Install nagios3-cgi
(2) Tweak apache config to mount the web interface on an https URL, that is, 
with SSL
(3) Visit the web interface at https://yourserver

At this point, the browser warns that some elements of the page are not 
encrypted.

This warning can take the form of a modal dialog in some browsers and is 
annoying
and confusing.

Looking at the 'net' panel in firebug reveals this URL being fetched:

http://assets.nagios.com/images/corepromos/2012-01-26-trainingsplash.jpg

The 'Latest News' RSS feed appears to be including images over plain HTTP

I've commented out lines 19-24 of /usr/share/nagios3/htdocs/main.php to work 
around this.

Can we persuade upstream to serve this stuff over HTTPS? Or have an option to 
disable
these feeds?

Happy to work on a patch for upstream or Debian depending on what you think 
best.

-- System Information:
Debian Release: 7.0
Architecture: armhf (armv6l)

Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to 
en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nagios3-cgi depends on:
ii  adduser                3.113+nmu3
ii  apache2-utils          2.2.22-13
ii  coreutils              8.13-3.5
ii  debconf [debconf-2.0]  1.5.49
ii  libapache2-mod-php5    5.4.4-14
ii  libc6                  2.13-38+rpi2
ii  libgd2-noxpm           2.0.36~rc1~dfsg-6.1
ii  libjpeg8               8d-1
ii  libpng12-0             1.2.49-1
ii  nagios3-common         3.4.1-3
ii  ucf                    3.0025+nmu3
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages nagios3-cgi recommends:
ii  apache2                      2.2.22-13
ii  apache2-mpm-prefork [httpd]  2.2.22-13
ii  nagios-images                0.7

nagios3-cgi suggests no packages.

-- Configuration Files:
/etc/nagios3/cgi.cfg changed [not included]

-- debconf information:
  nagios3/nagios1-in-apacheconf: false
  nagios3/adminpassword-mismatch:
  nagios3/httpd: apache2

--- End Message ---
--- Begin Message ---
fixed 708303 3.5.1-1
thanks

On Wed, 15 May 2013, Alexander Wirt wrote:

> On Tue, 14 May 2013, David North wrote:
> 
> > Package: nagios3-cgi
> > Version: 3.4.1-3
> > Severity: normal
> > Tags: upstream
> > 
> > (1) Install nagios3-cgi
> > (2) Tweak apache config to mount the web interface on an https URL, that 
> > is, with SSL
> > (3) Visit the web interface at https://yourserver
> > 
> > At this point, the browser warns that some elements of the page are not 
> > encrypted.
> > 
> > This warning can take the form of a modal dialog in some browsers and is 
> > annoying
> > and confusing.
> > 
> > Looking at the 'net' panel in firebug reveals this URL being fetched:
> > 
> > http://assets.nagios.com/images/corepromos/2012-01-26-trainingsplash.jpg
> > 
> > The 'Latest News' RSS feed appears to be including images over plain HTTP
> > 
> > I've commented out lines 19-24 of /usr/share/nagios3/htdocs/main.php to 
> > work around this.
> > 
> > Can we persuade upstream to serve this stuff over HTTPS? Or have an option 
> > to disable
> > these feeds?
> > 
> > Happy to work on a patch for upstream or Debian depending on what you think 
> > best.
> best would be a patch that patches this rss *censored* out. 
With 3.5.1-1 I included a patch that disables that "feature", therefore I
should close this bug too.

Thanks
Alex

--- End Message ---

Reply via email to