Your message dated Sun, 5 Oct 2014 09:45:43 +0200
with message-id <[email protected]>
and subject line Re: Bug#708303: [Pkg-nagios-devel] Bug#708303: nagios3-cgi:
Don't Miss and Latest News result in insecure page warning from some browsers
has caused the Debian Bug report #708303,
regarding nagios3-cgi: Don't Miss and Latest News result in insecure page
warning from some browsers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
708303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708303
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios3-cgi
Version: 3.4.1-3
Severity: normal
Tags: upstream
(1) Install nagios3-cgi
(2) Tweak apache config to mount the web interface on an https URL, that is,
with SSL
(3) Visit the web interface at https://yourserver
At this point, the browser warns that some elements of the page are not
encrypted.
This warning can take the form of a modal dialog in some browsers and is
annoying
and confusing.
Looking at the 'net' panel in firebug reveals this URL being fetched:
http://assets.nagios.com/images/corepromos/2012-01-26-trainingsplash.jpg
The 'Latest News' RSS feed appears to be including images over plain HTTP
I've commented out lines 19-24 of /usr/share/nagios3/htdocs/main.php to work
around this.
Can we persuade upstream to serve this stuff over HTTPS? Or have an option to
disable
these feeds?
Happy to work on a patch for upstream or Debian depending on what you think
best.
-- System Information:
Debian Release: 7.0
Architecture: armhf (armv6l)
Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to
en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nagios3-cgi depends on:
ii adduser 3.113+nmu3
ii apache2-utils 2.2.22-13
ii coreutils 8.13-3.5
ii debconf [debconf-2.0] 1.5.49
ii libapache2-mod-php5 5.4.4-14
ii libc6 2.13-38+rpi2
ii libgd2-noxpm 2.0.36~rc1~dfsg-6.1
ii libjpeg8 8d-1
ii libpng12-0 1.2.49-1
ii nagios3-common 3.4.1-3
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages nagios3-cgi recommends:
ii apache2 2.2.22-13
ii apache2-mpm-prefork [httpd] 2.2.22-13
ii nagios-images 0.7
nagios3-cgi suggests no packages.
-- Configuration Files:
/etc/nagios3/cgi.cfg changed [not included]
-- debconf information:
nagios3/nagios1-in-apacheconf: false
nagios3/adminpassword-mismatch:
nagios3/httpd: apache2
--- End Message ---
--- Begin Message ---
fixed 708303 3.5.1-1
thanks
On Wed, 15 May 2013, Alexander Wirt wrote:
> On Tue, 14 May 2013, David North wrote:
>
> > Package: nagios3-cgi
> > Version: 3.4.1-3
> > Severity: normal
> > Tags: upstream
> >
> > (1) Install nagios3-cgi
> > (2) Tweak apache config to mount the web interface on an https URL, that
> > is, with SSL
> > (3) Visit the web interface at https://yourserver
> >
> > At this point, the browser warns that some elements of the page are not
> > encrypted.
> >
> > This warning can take the form of a modal dialog in some browsers and is
> > annoying
> > and confusing.
> >
> > Looking at the 'net' panel in firebug reveals this URL being fetched:
> >
> > http://assets.nagios.com/images/corepromos/2012-01-26-trainingsplash.jpg
> >
> > The 'Latest News' RSS feed appears to be including images over plain HTTP
> >
> > I've commented out lines 19-24 of /usr/share/nagios3/htdocs/main.php to
> > work around this.
> >
> > Can we persuade upstream to serve this stuff over HTTPS? Or have an option
> > to disable
> > these feeds?
> >
> > Happy to work on a patch for upstream or Debian depending on what you think
> > best.
> best would be a patch that patches this rss *censored* out.
With 3.5.1-1 I included a patch that disables that "feature", therefore I
should close this bug too.
Thanks
Alex
--- End Message ---