← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

 

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu3.3

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu3.3) yakkety-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 06 Jun 2017
07:32:05 -0400

** Changed in: nagios3 (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9566

** Changed in: nagios3 (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

Status in nagios3 package in Ubuntu:
  Fix Released
Status in nagios3 source package in Trusty:
  Fix Released
Status in nagios3 source package in Xenial:
  Fix Released
Status in nagios3 source package in Yakkety:
  Fix Released
Status in nagios3 source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

   * It is possible for users to see information about servers that they
  have not been given permission to see

   * A fix should be backported because this is a security problem and
  causes Nagios to leak data

   * The patch introduces the proper checks on hostgroup permissions as
  per Nagios 4.2.2

  [Test Case]

   * Configure Nagios to monitor multiple servers
   * Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Set the contact_groups property for one of the servers to be "admins,oneserver"
   * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
   * Login to Nagios as "jbloggs"
   * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)

  [Regression Potential]

   * It's possible that this may create other issues when viewing
  hostgroups in the Nagios web interface although I have not seen any
  such issues, and this fix was deemed to be acceptable by the Nagios
  core team in Nagios 4.2.2 (tracker link below) so I think the chances
  of any issues are very low.

  [Other Info]
   
   * This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
   * This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version

  [Original Description]

  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are
  in the same hostgroup.

  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7&t=21794

  It was fixed in Nagios 4.2.2 here:
  https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1
  #diff-b89a219dd5a0ac3e4e07f1dfd721dd78

  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.

  lsb_release -rd output:
  Description:	Ubuntu 16.04.2 LTS
  Release:	16.04

  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions