Jose,

The information you just provided, especially the quick hack solution, is perfect and many thanks. I am not so much concerned about ourselves, we hack anything and everything that comes into our shop, but more thinking about others that are uncomfortable doing such changes.

Simple quick solutions are always the best till replacement code becomes available.

Cheers all,
-R

--On October 8, 2010 8:25:30 PM +0200 Jose Luis Martinez <[email protected]> wrote:

> On 08/10/2010 19:51, Roberto R. Morelli wrote:
>> Great, however the question has been answered, when is this going to be pushed out? What is the date?
>>
>> Most repositories, when a security issue has been identified and fixed, it's pushed so that updaters can take advantage of it. The patch, if not applied correctly, it will create more support problems than the fix it provides. Is Opsview team going to stop and help people trying to fix the problems created by applying the patch wrong?
>
> From the information that has been exposed via the list: Only a user that is able to log in to the web interface AND has ADMIN ACCESS will be able to take advantage of the bug. I think that reduces the attack surface enough to NOT consider the bug Highly Critical, and really takes the threat level down.
>
> Do you not trust all the users that have ADMIN Access? Apply the patch.
>
> If you aren't comfortable with applying the patch, as a quick workaround, you can:
>
>     chmod 000 /usr/local/nagios/nmis/cgi-bin/admin.pl
>
> to prevent the command injection.
>
> If you feel more comfortable doing it by hand: just edit /usr/local/nagios/nmis/cgi-bin/admin.pl. Find "my $node = $q->param('node');", and insert these two lines after it:
>
>     # Only allow valid node name characters through
>     $node =~ s/[^\w\:\.-]//g;
>
> Save, and no more bug.
>
> Just my 2 Cents.
>
> Jose Luis Martinez
> [email protected]
> _______________________________________________
> Opsview-users mailing list
> [email protected]
> http://lists.opsview.org/lists/listinfo/opsview-users

--
--------------------------------
Roberto R. Morelli
[email protected]
Energy Sciences Network
Lawrence Berkeley National Lab.
510-486-7255
PGP Key Fingerprint: F49F 1186 0E2B F591 1BF7 0538 79AA F8C7 7E8B 4562
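
Added example, not part of the original messages and not Opsview's own code: a shell check that reports which of the two workarounds described in the thread is in place on a host. The function name and the status words are assumptions of this example; the file path and the Perl lines it looks for are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report which workaround from the thread is in place.
# Prints one of: missing, disabled, sanitized, unpatched
# (status words are this example's own, not Opsview's).
check_admin_pl() {
    # Default path is the one quoted in the thread; pass a path to override.
    file=${1:-/usr/local/nagios/nmis/cgi-bin/admin.pl}
    [ -e "$file" ] || { echo missing; return 0; }

    # Workaround 1: after "chmod 000" no permission bit is set at all.
    perms=$(ls -ld "$file" | cut -c2-10)
    if [ "$perms" = "---------" ]; then
        echo disabled
        return 0
    fi

    # Workaround 2: the character filter must appear within three lines
    # after the line that reads the "node" parameter, so the value is
    # cleaned before anything else uses it. \047 is a single quote.
    # A file this user cannot read is reported as unpatched.
    if awk '
        index($0, "$node = $q->param(\047node\047)") { seen = NR; next }
        seen && NR - seen <= 3 &&
            index($0, "$node =~ s/[^\\w\\:\\.-]//g") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"; then
        echo sanitized
    else
        echo unpatched
    fi
}
```

Called with no argument, `check_admin_pl` inspects the path from the thread; "disabled" means the CGI cannot run at all, "sanitized" means the hand edit is present.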
