Processed: Re: Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-24 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #728461 [release.debian.org] pu: package nagios3/3.4.1-3+deb7u1
Added tag(s) pending.

-- 
728461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/handler.s.b728461.13852983169581.transcr...@bugs.debian.org



Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-24 Thread Jonathan Wiltshire

Control: tag -1 pending

On 2013-11-17 14:51, Jonas Meurer wrote:
> On 15.11.2013 23:30, Jonathan Wiltshire wrote:
>> On 2013-11-01 14:45, Jonas Meurer wrote:
>>> the nagios3 package in wheezy suffers from at least one minor
>>> security bug and a regression. I prepared nagios3/3.4.1+deb7u1
>>> for wheezy proposed-updates in order to fix both of them.
>>>
>>> Additionally two non-intrusive fixes in the initscript are
>>> included: a typo and another regression.
>>>
>>> I consider the fixes for #680615 and #714171 as pretty important.
>>> Thus I suggest to push the pu to wheezy-updates.
>>>
>>> So do you agree to upload the prepared packages to pu? And
>>> furthermore, do you agree to push it to wheezy-updates as well?
>>
>> Please go ahead to Wheezy. I don't think there is a great need to
>> use wheezy-updates as well.
>
> Thanks a lot for looking into this. Just uploaded to wheezy.

Flagged for acceptance.

Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits





Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-17 Thread Adam D. Barratt

On 2013-11-17 14:51, Jonas Meurer wrote:
> How is the bug-handling procedure? Do you close the bugreport once the
> package received in wheezy-proposed-updates, or shall I monitor and
> close it?


Neither of the above. :-)

We will close the bug once the package has been included in a point 
release.


Regards,

Adam





Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-17 Thread Jonas Meurer

Hello,

On 15.11.2013 23:30, Jonathan Wiltshire wrote:
> On 2013-11-01 14:45, Jonas Meurer wrote:
>> the nagios3 package in wheezy suffers from at least one minor
>> security bug and a regression. I prepared nagios3/3.4.1+deb7u1
>> for wheezy proposed-updates in order to fix both of them.
>> 
>> Additionally two non-intrusive fixes in the initscript are
>> included: a typo and another regression.
>> 
>> I consider the fixes for #680615 and #714171 as pretty important.
>> Thus I suggest to push the pu to wheezy-updates.
>> 
>> So do you agree to upload the prepared packages to pu? And
>> furthermore, do you agree to push it to wheezy-updates as well?
> 
> Please go ahead to Wheezy. I don't think there is a great need to
> use wheezy-updates as well.

Thanks a lot for looking into this. Just uploaded to wheezy. How is
the bug-handling procedure? Do you close the bugreport once the
package received in wheezy-proposed-updates, or shall I monitor and
close it?

Kind regards,
 jonas




Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-15 Thread Jonathan Wiltshire

Control: tag -1 + confirmed

Hi,

On 2013-11-01 14:45, Jonas Meurer wrote:
> the nagios3 package in wheezy suffers from at least one minor security
> bug and a regression. I prepared nagios3/3.4.1+deb7u1 for wheezy
> proposed-updates in order to fix both of them.
>
> Additionally two non-intrusive fixes in the initscript are included: a
> typo and another regression.
>
> I consider the fixes for #680615 and #714171 as pretty important. Thus I
> suggest to push the pu to wheezy-updates.
>
> So do you agree to upload the prepared packages to pu? And furthermore,
> do you agree to push it to wheezy-updates as well?

Please go ahead to Wheezy. I don't think there is a great need to use
wheezy-updates as well.


Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits





Processed: Re: Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-15 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + confirmed
Bug #728461 [release.debian.org] pu: package nagios3/3.4.1-3+deb7u1
Added tag(s) confirmed.

-- 
728461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#728461: pu: package nagios3/3.4.1-3+deb7u1

2013-11-01 Thread Jonas Meurer
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hello,

the nagios3 package in wheezy suffers from at least one minor security
bug and a regression. I prepared nagios3/3.4.1+deb7u1 for wheezy
proposed-updates in order to fix both of them.

Additionally two non-intrusive fixes in the initscript are included: a
typo and another regression.

I consider the fixes for #680615 and #714171 as pretty important. Thus I
suggest to push the pu to wheezy-updates.

So do you agree to upload the prepared packages to pu? And furthermore,
do you agree to push it to wheezy-updates as well?

Below's the changelog, please find the full debdiff attached.

nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low

  * Backport the following changes to wheezy:
  * [cd50049] Add missing check command in initscript (Closes: #680615)
  * [77c9d0e] Fix typo in initscript
  * [a2c78a1] Stop status.cgi from listing unauthorized hosts and
    services in servicegroup view (CVE-2013-2214)
    Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
  * [51fb59b] Backport upstream r1953 to fix downtime retention across
    restarts.
    Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)

 -- Jonas Meurer   Fri, 01 Nov 2013 14:32:18 +0100


Kind regards,
 jonas

diff -u nagios3-3.4.1/debian/changelog nagios3-3.4.1/debian/changelog
--- nagios3-3.4.1/debian/changelog
+++ nagios3-3.4.1/debian/changelog
@@ -1,3 +1,15 @@
+nagios3 (3.4.1-3+deb7u1) wheezy; urgency=low
+
+  * Backport the following changes to wheezy:
+  * [cd50049] Add missing check command in initscript (Closes: #680615)
+  * [77c9d0e] Fix typo in initscript
+  * [a2c78a1] Stop status.cgi from listing unauthorized hosts and services in 
servicegroup view (CVE-2013-2214)
+Thanks to Jonas Meurer for the report and the patch (Closes: #714171)
+  * [51fb59b] Backport upstream r1953 to fix downtime retention across 
restarts.
+Thanks to Didier 'OdyX' Raboud for the patch (Closes: #710356)
+
+ -- Jonas Meurer   Fri, 01 Nov 2013 14:32:18 +0100
+
 nagios3 (3.4.1-3) unstable; urgency=low
 
   * Fix several overflows in getcgi.cgi and history.cgi
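Review bot: the entry "[77c9d0e] Fix typo in initscript" in the new stanza does not say which typo is meant. For a stable update, name it (the /etc/defrault/nagios3 path in the ENABLED warning) so the entry can be matched to the init script change without reading the diff. The first bullet, "Backport the following changes to wheezy:", is a heading rather than a change and would read better as an introductory line than as a "*" item.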
diff -u nagios3-3.4.1/debian/nagios3-common.nagios3.init 
nagios3-3.4.1/debian/nagios3-common.nagios3.init
--- nagios3-3.4.1/debian/nagios3-common.nagios3.init
+++ nagios3-3.4.1/debian/nagios3-common.nagios3.init
@@ -126,7 +126,7 @@
 start () {
 
   if [ "$ENABLED" = "no"  ]; then
- log_warning_msg "Not starting Nagios3 - set ENABLED to yes in 
/etc/defrault/nagios3"
+ log_warning_msg "Not starting Nagios3 - set ENABLED to yes in 
/etc/default/nagios3"
  exit 0
   fi
 
@@ -212,6 +212,10 @@
  fi
 }
 
+check() {
+$DAEMON -v $NAGIOSCFG
+}
+
 case "$1" in
   start)
 log_daemon_msg "Starting $DESC" "$NAME"
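Review bot: in the new check() function, "$DAEMON -v $NAGIOSCFG" expands both variables unquoted, so a configuration path containing whitespace or glob characters would be split or expanded by the shell before nagios sees it. Please write it as "$DAEMON" -v "$NAGIOSCFG". The hunk only defines the function and shows no caller, so it is also worth confirming that the callers elsewhere in the script rely on its exit status, since the body passes the daemon's status straight through.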
diff -u nagios3-3.4.1/debian/patches/00list nagios3-3.4.1/debian/patches/00list
--- nagios3-3.4.1/debian/patches/00list
+++ nagios3-3.4.1/debian/patches/00list
@@ -11,0 +12,2 @@
+99_security_status_cgi_servicegroup.dpatch
+999_daemon-downtime-Handle-loading-effective-downtime-fr.dpatch
only in patch2:
unchanged:
--- nagios3-3.4.1.orig/debian/patches/99_security_status_cgi_servicegroup.dpatch
+++ nagios3-3.4.1/debian/patches/99_security_status_cgi_servicegroup.dpatch
@@ -0,0 +1,56 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_security_status_cgi_servicegroup.dpatch by Jonas Meurer 
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Stop cgi-bin/status.c from listing unauthorized hosts and
+## DP: services in servicegroup view
+## DP: Upstream bugreport: http://tracker.nagios.org/view.php?id=456
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' 
'--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' 
nagios3-3.4.1~/cgi/status.c nagios3-3.4.1/cgi/status.c
+--- nagios3-3.4.1~/cgi/status.c2012-02-13 21:40:42.0 +0100
 nagios3-3.4.1/cgi/status.c 2013-06-26 16:52:37.668132234 +0200
+@@ -2534,6 +2534,10 @@
+   if(temp_host == NULL)
+   continue;
+ 
++  /* make sure user has rights to view this host */
++  if(is_authorized_for_host(temp_host, ¤t_authdata) == 
FALSE)
++  continue;
++
+   /* skip this if it isn't a new host... */
+   if(temp_host == last_host)
+   continue;
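Review bot: the check added at the top of this loop tests is_authorized_for_host() only. Since the fix is for the servicegroup view, please confirm that a host-level test is the intended filter here, and say in the comment how a contact who is authorized for a member service but not for its host is meant to be treated. Separately, in this inline copy the second argument reads "¤t_authdata" and the call is wrapped onto a line without a "+" prefix, so the text as shown will neither apply nor compile. Review and apply from the attached debdiff rather than from the mail body.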
+@@ -2739,6 +2743,10 @@
+   if(temp_host == NULL)
+   continue;
+ 
++  /* make sure user has rights to view this host */
++  if(is_authorized_for_host(temp_host, ¤t_authdata) == 
FALSE)
++  continue;
++
+   /* skip this if it isn't a new host... */
+   if(temp_host == last_host)
+   continue;
+@@ -2918,6 +2926,10 @@
+   if(temp_service == NULL)
+   continue;
+ 
++  /* make sure user has rights to