Processed: Re: Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
Processing control commands:

> tag -1 pending
Bug #728461 [release.debian.org] pu: package nagios3/3.4.1-3+deb7u1
Added tag(s) pending.

--
728461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/handler.s.b728461.13852983169581.transcr...@bugs.debian.org
Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
Control: tag -1 pending

On 2013-11-17 14:51, Jonas Meurer wrote:
> On 15.11.2013 23:30, Jonathan Wiltshire wrote:
>> On 2013-11-01 14:45, Jonas Meurer wrote:
>>> the nagios3 package in wheezy suffers from at least one minor
>>> security bug and a regression. I prepared nagios3/3.4.1+deb7u1
>>> for wheezy proposed-updates in order to fix both of them.
>>>
>>> Additionally two non-intrusive fixes in the initscript are
>>> included: a typo and another regression.
>>>
>>> I consider the fixes for #680615 and #714171 as pretty important.
>>> Thus I suggest to push the pu to wheezy-updates.
>>>
>>> So do you agree to upload the prepared packages to pu? And
>>> furthermore, do you agree to push it to wheezy-updates as well?
>>
>> Please go ahead to Wheezy. I don't think there is a great need to
>> use wheezy-updates as well.
>
> Thanks a lot for looking into this. Just uploaded to wheezy.

Flagged for acceptance.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

i have six years of solaris sysadmin experience, from 8->10. i am well
qualified to say it is made from bonghits layered on top of bonghits
Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
On 2013-11-17 14:51, Jonas Meurer wrote:
> How is the bug-handling procedure? Do you close the bugreport once the
> package received in wheezy-proposed-updates, or shall I monitor and
> close it?

Neither of the above. :-) We will close the bug once the package has been
included in a point release.

Regards,

Adam
Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
Hello,

On 15.11.2013 23:30, Jonathan Wiltshire wrote:
> On 2013-11-01 14:45, Jonas Meurer wrote:
>> the nagios3 package in wheezy suffers from at least one minor
>> security bug and a regression. I prepared nagios3/3.4.1+deb7u1
>> for wheezy proposed-updates in order to fix both of them.
>>
>> Additionally two non-intrusive fixes in the initscript are
>> included: a typo and another regression.
>>
>> I consider the fixes for #680615 and #714171 as pretty important.
>> Thus I suggest to push the pu to wheezy-updates.
>>
>> So do you agree to upload the prepared packages to pu? And
>> furthermore, do you agree to push it to wheezy-updates as well?
>
> Please go ahead to Wheezy. I don't think there is a great need to
> use wheezy-updates as well.

Thanks a lot for looking into this. Just uploaded to wheezy.

How is the bug-handling procedure? Do you close the bugreport once the
package received in wheezy-proposed-updates, or shall I monitor and
close it?
Kind regards,
jonas
Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
Control: tag -1 + confirmed

Hi,

On 2013-11-01 14:45, Jonas Meurer wrote:
> the nagios3 package in wheezy suffers from at least one minor security
> bug and a regression. I prepared nagios3/3.4.1+deb7u1 for wheezy
> proposed-updates in order to fix both of them.
>
> Additionally two non-intrusive fixes in the initscript are included: a
> typo and another regression.
>
> I consider the fixes for #680615 and #714171 as pretty important. Thus I
> suggest to push the pu to wheezy-updates.
>
> So do you agree to upload the prepared packages to pu? And furthermore,
> do you agree to push it to wheezy-updates as well?

Please go ahead to Wheezy. I don't think there is a great need to use
wheezy-updates as well.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

i have six years of solaris sysadmin experience, from 8->10. i am well
qualified to say it is made from bonghits layered on top of bonghits
Processed: Re: Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
Processing control commands:

> tag -1 + confirmed
Bug #728461 [release.debian.org] pu: package nagios3/3.4.1-3+deb7u1
Added tag(s) confirmed.

--
728461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#728461: pu: package nagios3/3.4.1-3+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hello,

the nagios3 package in wheezy suffers from at least one minor security
bug and a regression. I prepared nagios3/3.4.1+deb7u1 for wheezy
proposed-updates in order to fix both of them.

Additionally two non-intrusive fixes in the initscript are included: a
typo and another regression.

I consider the fixes for #680615 and #714171 as pretty important. Thus I
suggest to push the pu to wheezy-updates.

So do you agree to upload the prepared packages to pu? And furthermore,
do you agree to push it to wheezy-updates as well?

Below's the changelog, please find the full debdiff attached.

nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low

  * Backport the following changes to wheezy:
  * [cd50049] Add missing check command in initscript (Closes: #680615)
  * [77c9d0e] Fix typo in initscript
  * [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in servicegroup view (CVE-2013-2214)
    Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
  * [51fb59b] Backport upstream r1953 to fix downtime retention across restarts.
    Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)

 -- Jonas Meurer Fri, 01 Nov 2013 14:32:18 +0100

Kind regards,
jonas

diff -u nagios3-3.4.1/debian/changelog nagios3-3.4.1/debian/changelog --- nagios3-3.4.1/debian/changelog +++ nagios3-3.4.1/debian/changelog 
@@ -1,3 +1,15 @@ +nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low + + * Backport the following changes to wheezy: + * [cd50049] Add missing check command in initscript (Closes: #680615) + * [77c9d0e] Fix typo in initscript + * [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in servicegroup view (CVE-2013-2214) +Thanks to Jonas Meurer for the report and the patch (Closes: #714171) + * [51fb59b] Backport upstream r1953 to fix downtime retention across restarts. +Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356) + + -- Jonas Meurer Fri, 01 Nov 2013 14:32:18 +0100 + nagios3 (3.4.1-3) unstable; urgency=low * Fix several overflows in getcgi.cgi and history.cgi diff -u nagios3-3.4.1/debian/nagios3-common.nagios3.init nagios3-3.4.1/debian/nagios3-common.nagios3.init --- nagios3-3.4.1/debian/nagios3-common.nagios3.init +++ nagios3-3.4.1/debian/nagios3-common.nagios3.init @@ -126,7 +126,7 @@ start () { if [ "$ENABLED" = "no" ]; then - log_warning_msg "Not starting Nagios3 - set ENABLED to yes in /etc/defrault/nagios3" + log_warning_msg "Not starting Nagios3 - set ENABLED to yes in /etc/default/nagios3" exit 0 fi @@ -212,6 +212,10 @@ fi } +check() { +$DAEMON -v $NAGIOSCFG +} + case "$1" in start) log_daemon_msg "Starting $DESC" "$NAME" diff -u nagios3-3.4.1/debian/patches/00list nagios3-3.4.1/debian/patches/00list --- nagios3-3.4.1/debian/patches/00list +++ nagios3-3.4.1/debian/patches/00list @@ -11,0 +12,2 @@ +99_security_status_cgi_servicegroup.dpatch +999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch only in patch2: unchanged: --- nagios3-3.4.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch +++ nagios3-3.4.1/debian/patches/99_security_status_cgi_servicegroup.dpatch 
@@ -0,0 +1,56 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Stop cgi-bin/status.c from listing unauthorized hosts and +## DP: services in servicegroup view +## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c +--- nagios3-3.4.1~/cgi/status.c2012-02-13 21:40:42.0 +0100 nagios3-3.4.1/cgi/status.c 2013-06-26 16:52:37.668132234 +0200 +@@ -2534,6 +2534,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* skip this if it isn't a new host... */ + if(temp_host == last_host) + continue; +@@ -2739,6 +2743,10 @@ + if(temp_host == NULL) + continue; + ++ /* make sure user has rights to view this host */ ++ if(is_authorized_for_host(temp_host, ¤t_authdata) == FALSE) ++ continue; ++ + /* skip this if it isn't a new host... */ + if(temp_host == last_host) + continue; +@@ -2918,6 +2926,10 @@ + if(temp_service == NULL) + continue; + ++ /* make sure user has rights to
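Review bot: In the @@ -212,6 +212,10 @@ hunk of debian/nagios3-common.nagios3.init, the new check() function expands $DAEMON and $NAGIOSCFG unquoted, so a value containing whitespace or glob characters would be word-split before the daemon sees it. Quote both expansions, i.e. "$DAEMON" -v "$NAGIOSCFG", and add a one-line comment above the function saying that it runs the daemon's configuration verification.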
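Review bot: The "## DP:" description at the top of 99_security_status_cgi_servicegroup.dpatch cites only the upstream tracker entry, while the changelog entry for the same change names CVE-2013-2214 and Closes: #714171. Add both identifiers to the DP: lines so the patch file can be traced to the advisory and the Debian bug without the changelog at hand. The @@ -2534 and @@ -2739 hunks add the identical is_authorized_for_host() check to two separate loops in cgi/status.c; a note in the description listing which views were changed would make it easier to confirm that no other servicegroup loop in that file was missed.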