Your message dated Fri, 29 May 2026 17:34:45 +0000
with message-id <[email protected]>
and subject line Bug#1136340: fixed in nagios4 4.4.6-4.1+deb13u1
has caused the Debian Bug report #1136340,
regarding nagios4: CSRF vulnerability fixed upstream, unfixed in Debian
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136340
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios4
Version: 4.4.6-4.1
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
Dear Maintainer,
the Nagios Core project recently patched a security vulnerability in its most
recent version 4.5.12, published on 2026-03-25. The fixed vulnerability is a
CSRF issue in the command CGI handler.
The issue does not (yet?) have a CVE, which is probably why this went unnoticed.
Please prepare a new version with the upstream fix, thanks!
Fix commit:
https://github.com/NagiosEnterprises/nagioscore/commit/e5ed38e53a5d65721520c7c67be0746d63da28cb
Additional relevant commits that add a config option to get the old, insecure
behavior back: https://github.com/NagiosEnterprises/nagioscore/pull/1055
Changelog mentioning the fix of the vulnerability:
https://github.com/NagiosEnterprises/nagioscore/blob/nagios-4.5.12/Changelog
Public disclosure, unfortunately no CVE:
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
-- System Information:
Debian Release: 13.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.14-200.fc43.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages nagios4 depends on:
ii nagios4-cgi 4.4.6-4.1
ii nagios4-common 4.4.6-4.1
ii nagios4-core 4.4.6-4.1
nagios4 recommends no packages.
Versions of packages nagios4 suggests:
pn nagios-nrpe-plugin <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: nagios4
Source-Version: 4.4.6-4.1+deb13u1
Done: Russell Stuart <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nagios4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russell Stuart <[email protected]> (supplier of updated nagios4
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 May 2026 20:45:00 +1000
Source: nagios4
Architecture: source
Version: 4.4.6-4.1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Russell Stuart <[email protected]>
Changed-By: Russell Stuart <[email protected]>
Closes: 1136340
Changes:
nagios4 (4.4.6-4.1+deb13u1) trixie-security; urgency=high
.
* CSRF Security Fix backported from upstream 4.5.12 commit
e5ed38e53a5d65721520c7c67be0746d63da28cb (cgi/cmd.c and
html/index.php.in). See
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
for the upstream disclosure. No CVE assigned.
Closes: #1136340.
* This can break third party integrations that POST to cmd.cgi
without first setting NagFormId (the CSRF check fails). Upstream
PR 1055 has been added as a workaround - see README.Debian.
Checksums-Sha1:
c1b0108e69cff0d74ec64af26cf84146f7b9fe86 2018 nagios4_4.4.6-4.1+deb13u1.dsc
d52e26d6a17ac70f01d87e9329b20436fff1f1a7 11333414 nagios4_4.4.6.orig.tar.gz
b48adcbd2f63d199eb03d769be2fcc76c520213b 1096708 nagios4_4.4.6-4.1+deb13u1.debian.tar.xz
5626a8986527b8e1d94a08a61987bee654b28911 10635 nagios4_4.4.6-4.1+deb13u1_amd64.buildinfo
Checksums-Sha256:
e9b37737e230d4d71f690f810240a7752de5eb66db7416222f34926160f6a3a1 2018 nagios4_4.4.6-4.1+deb13u1.dsc
ab0d5a52caf01e6f4dcd84252c4eb5df5a24f90bb7f951f03875eef54f5ab0f4 11333414 nagios4_4.4.6.orig.tar.gz
34bfaed31da2010210c6075b232451aa07458b6294fb905a079c5fa99fa5f7b6 1096708 nagios4_4.4.6-4.1+deb13u1.debian.tar.xz
edc077506bca75988db36833bd62e6d5c0f358a3b181fb2cf44b41a0dc2bac1d 10635 nagios4_4.4.6-4.1+deb13u1_amd64.buildinfo
Files:
e9d8e9afb09efd1116aa5a613ad07396 2018 net optional nagios4_4.4.6-4.1+deb13u1.dsc
ba849e9487e13859381eb117127bfee2 11333414 net optional nagios4_4.4.6.orig.tar.gz
1d767764d53785148606dd5681c2a373 1096708 net optional nagios4_4.4.6-4.1+deb13u1.debian.tar.xz
c6ce2ed927b777105d506936d316b690 10635 net optional nagios4_4.4.6-4.1+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=iL4z
-----END PGP SIGNATURE-----
--- End Message ---
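The report above describes a CSRF hole in the command CGI handler, and the changelog warns that third-party integrations which POST to cmd.cgi without first obtaining a NagFormId are rejected by the new check. The following is an added illustration written for this page, not Nagios's code: it implements a generic double-submit-cookie CSRF check in C, the kind of validation a CGI command handler can apply to a POST, and shows why a client that never sets the token is refused. The field name NagFormId, the token format, and the assumption that Nagios uses a cookie-plus-form-field comparison are all assumptions of this example; the upstream commit linked above is the authoritative description of the real fix.

```c
/* Added example, not Nagios's code: a double-submit-cookie CSRF check of the
 * kind a CGI command handler can apply to a POST. The cookie and form field
 * are both named NagFormId here only to mirror the changelog wording; how
 * Nagios itself derives and checks its token is an assumption of this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TOKEN_MAX 64

/* Extract `name=value` from a "k=v; k2=v2" cookie header or a "k=v&k2=v2"
 * form body. `sep` is ';' for cookies and '&' for bodies. Values are copied
 * verbatim (no percent-decoding); tokens are assumed to be plain
 * alphanumerics. Returns 1 if found and copied, 0 otherwise. */
static int extract_field(const char *src, char sep, const char *name,
                         char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = src;
    if (!src) return 0;
    while (*p) {
        while (*p == ' ') p++;                  /* skip "; " padding */
        const char *end = strchr(p, sep);
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outlen) return 0;       /* oversized value: reject */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Constant-time equality so a mismatch does not leak how many leading
 * bytes of the token matched. */
static int token_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    size_t n = la < lb ? la : lb;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if the request carries a non-empty NagFormId both in the Cookie
 * header and in the POST body and the two agree; 0 otherwise. A legacy
 * integration that POSTs without either value is rejected here, which is
 * the breakage the changelog warns about. */
int csrf_check(const char *cookie_header, const char *post_body)
{
    char cookie_tok[TOKEN_MAX], form_tok[TOKEN_MAX];
    if (!extract_field(cookie_header, ';', "NagFormId", cookie_tok, sizeof cookie_tok))
        return 0;
    if (!extract_field(post_body, '&', "NagFormId", form_tok, sizeof form_tok))
        return 0;
    if (cookie_tok[0] == '\0' || form_tok[0] == '\0')
        return 0;
    return token_equal(cookie_tok, form_tok);
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *browser_cookie = "lang=en; NagFormId=7f3a9c2e1b";
    const char *browser_body   = "cmd_typ=7&host=web01&NagFormId=7f3a9c2e1b";
    const char *legacy_body    = "cmd_typ=7&host=web01";
    const char *mismatch_body  = "cmd_typ=7&host=web01&NagFormId=deadbeef00";

    printf("browser form:       %s\n", csrf_check(browser_cookie, browser_body) ? "accepted" : "rejected");
    printf("legacy integration: %s\n", csrf_check(NULL, legacy_body) ? "accepted" : "rejected");
    printf("token mismatch:     %s\n", csrf_check(browser_cookie, mismatch_body) ? "accepted" : "rejected");
    return 0;
}
```

The second case is the one the Debian changelog describes: a script that POSTs straight to the command handler with no cookie and no form token is refused. An integration that must keep working against the fixed package either fetches the token the way a browser session does before posting, or the administrator enables the upstream PR 1055 option documented in README.Debian, accepting that this restores the pre-fix exposure.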