Re: 01/01: gnu: Add Nagios.
Leo Famulari writes:

> On Wed, Nov 30, 2016 at 10:31:09PM +, Ludovic Courtès wrote:
>> civodul pushed a commit to branch master
>> in repository guix.
>>
>> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
>> Author: Ludovic Courtès
>> Date: Wed Nov 30 23:26:57 2016 +0100
>>
>> gnu: Add Nagios.
>>
>> * gnu/packages/monitoring.scm: New file.
>> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
>
>> +(version "4.0.8")
>> +;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.
>
> This version of Nagios includes some severe security vulnerabilities:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565
>
> They allow remote attackers to read and write arbitrary files (leading
> to remote code execution) or to escalate privilege to the superuser.
>
> What should we do?

Updated to 4.2.4 in 7fc2d377d16b5aefacf01e3c9105dc0344a33dbe.

Ludo’.
Re: 01/01: gnu: Add Nagios.
Leo Famulari writes:

> On Wed, Nov 30, 2016 at 10:31:09PM +, Ludovic Courtès wrote:
>> civodul pushed a commit to branch master
>> in repository guix.
>>
>> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
>> Author: Ludovic Courtès
>> Date: Wed Nov 30 23:26:57 2016 +0100
>>
>> gnu: Add Nagios.
>>
>> * gnu/packages/monitoring.scm: New file.
>> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
>
>> +(version "4.0.8")
>> +;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.
>
> This version of Nagios includes some severe security vulnerabilities:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565
>
> They allow remote attackers to read and write arbitrary files (leading
> to remote code execution) or to escalate privilege to the superuser.
>
> What should we do?

We should upgrade, even if that means bundling AngularJS (there’s no
other way :-/). I’ll look into it ASAP.

Thanks for the reminder!

Ludo’.
Re: 01/01: gnu: Add Nagios.
On Wed, Nov 30, 2016 at 10:31:09PM +, Ludovic Courtès wrote:
> civodul pushed a commit to branch master
> in repository guix.
>
> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
> Author: Ludovic Courtès
> Date: Wed Nov 30 23:26:57 2016 +0100
>
> gnu: Add Nagios.
>
> * gnu/packages/monitoring.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.

> +(version "4.0.8")
> +;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.

This version of Nagios includes some severe security vulnerabilities:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565

They allow remote attackers to read and write arbitrary files (leading
to remote code execution) or to escalate privilege to the superuser.

What should we do?
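
Review bot: the XXX comment under `+(version "4.0.8")` records only why the package is held back from newer releases such as 4.2.3 (the bundled AngularJS copy) and says nothing about the security fixes that are skipped by staying on the older version. The message above cites CVE-2016-9566 and CVE-2016-9565 against this version, so either the version should move to a fixed release, or the comment should name the outstanding advisories so that the trade-off is visible to anyone reading gnu/packages/monitoring.scm.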