Your message dated Sat, 20 May 2006 14:22:13 +0100
with message-id <[EMAIL PROTECTED]>
and subject line nagios cve-2006-2489 / cve-2006-2162
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: nagios
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-2489: "Integer overflow in CGI scripts in Nagios 1.x before
1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a content length
(Content-Length) HTTP header. NOTE: this is a different vulnerability
than CVE-2006-2162."
I understand that Sean is credited with the discovery and fix; I'm
filing this bug to keep track of the issue. I believe this affects the
Nagios package in sarge as well.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEbwm3Aud/2YgchcQRAlgmAJsFxM1WkFJAlHKWdU63reEMXBWZGgCgtbzi
mEC2c5/5Mited6YpHaAx6SY=
=uXcN
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Stefan Fritsch on 2006-05-20 15:03:30 +0200:
> Hi Alec,
>
> On Saturday 20 May 2006 14:08, Alec Berryman wrote:
> > * Critical Nagios remote vulnerability; Secunia says that Debian's
> > maintainer found it, but I'm going to file bugs to keep track of
> > things.
>
> this is fixed in the same versions as CVE-2006-2162. The discussion is
> in bugreports #366682 and #366683. I just committed to CVE/list.
Thanks for the catch - I missed that discussion - closing the new bugs.
--- End Message ---