Restricted contacts can see servers that do not belong to them

Bug #1686768 reported by Aaron B. Russell
Affects             Status        Importance  Assigned to  Milestone
nagios3 (Ubuntu)    Fix Released  Medium      Unassigned
  Trusty            Fix Released  Medium      Unassigned
  Xenial            Fix Released  Medium      Unassigned
  Yakkety           Fix Released  Medium      Unassigned
  Zesty             Fix Released  Medium      Unassigned

Bug Description

[Impact]

 * It is possible for users to see information about servers that they have not been given permission to see

 * A fix should be backported because this is a security problem and causes Nagios to leak data

 * The patch introduces the proper checks on hostgroup permissions as per Nagios 4.2.2

[Test Case]

 * Configure Nagios to monitor multiple servers
 * Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
 * Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
 * Set the contact_groups property for one of the servers to be "admins,oneserver"
 * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
 * Log in to Nagios as "jbloggs"
 * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)

[Regression Potential]

 * It's possible that this may create other issues when viewing hostgroups in the Nagios web interface although I have not seen any such issues, and this fix was deemed to be acceptable by the Nagios core team in Nagios 4.2.2 (tracker link below) so I think the chances of any issues are very low.

[Other Info]

 * This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
 * This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version

[Original Description]

There is a problem with the hostgroups reports that allows restricted contacts to see servers that do not belong to them provided they are in the same hostgroup.

This issue was reported to the Nagios project in 2013 here (with screenshots, sample configs, etc): https://support.nagios.com/forum/viewtopic.php?f=7&t=21794

It was fixed in Nagios 4.2.2 here: https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78

This problem exists in Nagios 3.5.x but did not exist under 3.2.x; however, it seems likely that the fix in 4.2.2 could be backported to Nagios 3.5.x.

lsb_release -rd output:
Description: Ubuntu 16.04.2 LTS
Release: 16.04

apt-cache policy nagios3 nagios3-cgi output:
nagios3:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
nagios3-cgi:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
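The authorization model behind the test case above, written as an added example (this is a model of the behaviour the report describes, not code from Nagios or from the fix). The contact, contact group and host names are constructed to mirror the test case; the "leaky" function renders every member of a hostgroup once the contact is authorized for any one of them, the "checked" function applies the per-host check to each member.

```python
# Constructed configuration mirroring the bug's test case: "jbloggs" is in
# contact group "oneserver", which is a contact group of only one host.
CONTACTGROUPS = {"admins": {"nagiosadmin"}, "oneserver": {"jbloggs"}}
HOSTS = {
    "web1": {"contact_groups": {"admins", "oneserver"}, "contacts": set()},
    "web2": {"contact_groups": {"admins"}, "contacts": set()},
    "db1":  {"contact_groups": {"admins"}, "contacts": set()},
}
HOSTGROUPS = {"production": {"web1", "web2", "db1"}}


def is_authorized_for_host(contact, host):
    """A contact may see a host when listed on it directly or via one of
    the host's contact groups (the per-host rule the reports must apply)."""
    h = HOSTS[host]
    if contact in h["contacts"]:
        return True
    return any(contact in CONTACTGROUPS.get(g, ()) for g in h["contact_groups"])


def hostgroup_members_leaky(contact, hostgroup):
    """Behaviour described in the report: a contact authorized for any
    member of the group gets the whole group's membership rendered."""
    members = HOSTGROUPS[hostgroup]
    if any(is_authorized_for_host(contact, h) for h in members):
        return sorted(members)
    return []


def hostgroup_members_checked(contact, hostgroup):
    """Expected behaviour: every member is filtered by the per-host check,
    so a restricted contact only sees the hosts that belong to them."""
    return sorted(h for h in HOSTGROUPS[hostgroup]
                  if is_authorized_for_host(contact, h))


if __name__ == "__main__":
    for fn in (hostgroup_members_leaky, hostgroup_members_checked):
        print(fn.__name__, fn("jbloggs", "production"))
```

Running it shows the leaky variant listing all three hosts for "jbloggs" while the checked variant lists only "web1", which is exactly the difference the Hostgroups Summary and Grid pages exposed.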

Aaron B. Russell (aaronr) wrote :

Marked this as a security issue as the bug can cause Nagios to leak data to users who should not see it; if that wasn't the right thing to do please feel free to revert it.

information type: Public → Public Security
Christian Ehrhardt  (paelzer) wrote :

Hi Aaron,
thanks for your report and your detailed pre-analysis.
That helps to make Ubuntu better!

I checked and agree that the patch itself is a rather easy backport.
Yet OTOH I'm as far from a nagios expert as I could be.

So for now I created a "what if" build for the current development release (artful).
The test builds of 3.5.1.dfsg-2.1ubuntu6 are available soon (currently building) at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2741

If you could try if that really fixes the issue on the 3.x series as well as expected that would be great!

Changed in nagios3 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: server-next
Aaron B. Russell (aaronr) wrote :

Hi Christian,

Thanks for the rapid response!

Had a little trouble with using that PPA in the usual fashion as I'm running Nagios on Xenial and that PPA is for Artful.

That said, I manually downloaded the .deb files for the nagios3-cgi and nagios3-common packages and installed them under Xenial and I can confirm that it does indeed solve the problem.

Is it going to be possible to backport this fix to the official Xenial repos at some point? As Trusty also appears to run Nagios 3.5.1, it's quite likely it will need this patch too.

Christian Ehrhardt  (paelzer) wrote :

Hi Aaron,
yeah this will be needed throughout all releases with affected versions.
We can't just pick a few or an upgrade e.g. from Xenial to Yakkety would be a regression.
The first step is to push it to Artful and for that it is fine already.

A backport seems possible, just someone needs the cycles to do so.
I understand you marked it as security which is correct, but not as in needs to be done yesterday.
That said it will compete with the other bugs in the queue to be handled.

If you would want to volunteer to help with that there are a few things to do here.
First of all we need a proper SRU Template [1] at the top of the description - and especially some detailed steps on how to test and verify would help the SRU process in this case.
Furthermore we founded the Ubuntu Server Bug Squashing Day [2], and if instead of waiting you always wanted to learn to package such fixes to drive this even more - feel free to catch us there (or at any time in general).

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template
[2]: https://wiki.ubuntu.com/ServerTeam/BugSquashingDay

Christian Ehrhardt  (paelzer) wrote :

I ran some extra QA over the fix as I prepared it for Artful and all tests were good, so pushing there to fix the current development release - it should be in artful-proposed soon and auto-close here once (hopefully) migrating cleanly.

From there as I outlined it is about preparing and verifying extra cautiously for the stable release updates - I'll add tasks for this.

Changed in nagios3 (Ubuntu):
status: Triaged → Fix Committed
Changed in nagios3 (Ubuntu Trusty):
status: New → Triaged
Changed in nagios3 (Ubuntu Xenial):
status: New → Triaged
Changed in nagios3 (Ubuntu Yakkety):
status: New → Triaged
Changed in nagios3 (Ubuntu Zesty):
status: New → Triaged
Changed in nagios3 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in nagios3 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in nagios3 (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in nagios3 (Ubuntu Zesty):
importance: Undecided → Medium
Aaron B. Russell (aaronr) wrote :

Hi Christian, I've added an SRU template to the top of the description, hope this is sufficient?

I've also joined the #ubuntu-server IRC channel (as aaronr) so if there's anything further I can do to help push this fix through just let me know and I'd be happy to do so.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu6

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu6) artful; urgency=medium

  * debian/patches/ubuntu/Fix-permissions-for-Host-Groups-reports.patch: Fix
    leaking hosts to restricted contacts as in upstream tracker
    http://tracker.nagios.org/view.php?id=619 (LP: #1686768).

 -- Christian Ehrhardt <email address hidden> Fri, 28 Apr 2017 10:00:38 +0200

Changed in nagios3 (Ubuntu):
status: Fix Committed → Fix Released
Christian Ehrhardt  (paelzer) wrote :

Hi,
differences I'd expect are down to headers and changelog style but absolutely good enough IMHO and I totally like how actively you participate.
So I was reviewing whether the patches are actually the same across all versions (they are) and giving it a trial build.
Also I saw on my test runs that all Dep8 tests on all releases seem to be good as well.

That said, sponsoring your work now, thanks for the patches.

Note to myself - related bileto tickets:
https://bileto.ubuntu.com/#/ticket/2765
https://bileto.ubuntu.com/#/ticket/2766

Once the SRU Team approves your contribution the proposed verification on these releases would be the next step you could help a lot.

Changed in nagios3 (Ubuntu Trusty):
status: Triaged → Fix Committed
Changed in nagios3 (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in nagios3 (Ubuntu Yakkety):
status: Triaged → Fix Committed
Changed in nagios3 (Ubuntu Zesty):
status: Triaged → Fix Committed
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Aaron, or anyone else affected,

Accepted nagios3 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

tags: added: verification-needed
Łukasz Zemczak (sil2100) wrote :

Hello Aaron, or anyone else affected,

Accepted nagios3 into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Łukasz Zemczak (sil2100) wrote :

Hello Aaron, or anyone else affected,

Accepted nagios3 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Łukasz Zemczak (sil2100) wrote :

Hello Aaron, or anyone else affected,

Accepted nagios3 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios3/3.5.1-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Aaron B. Russell (aaronr) wrote :

Under xenial, 3.5.1.dfsg-2.1ubuntu1.2 resolves the issue for me.

tags: added: verification-done
removed: verification-needed
Łukasz Zemczak (sil2100) wrote :

If it was only tested on xenial then the rest has not been yet tested - switching the tags to show the right state of testing. Someone still needs to perform the testing on zesty, yakkety and trusty.

tags: added: verification-done-xenial verification-needed
removed: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu1.2

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu1.2) xenial; urgency=medium

  * debian/patches/fix_permissions_for_hostgroups_reports.patch: Fix
    permissions for hostgroups reports. Thanks to John C. Frickson
    <email address hidden>. Closes LP: #1686768.

 -- <email address hidden> (Aaron B. Russell) Wed, 10 May 2017 22:43:53 +0100

Changed in nagios3 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1.dfsg-2.1ubuntu3.3

---------------
nagios3 (3.5.1.dfsg-2.1ubuntu3.3) yakkety-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:32:05 -0400

Changed in nagios3 (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios3 - 3.5.1-1ubuntu1.3

---------------
nagios3 (3.5.1-1ubuntu1.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on
      log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

 -- Marc Deslauriers <email address hidden> Tue, 06 Jun 2017 07:33:27 -0400

Changed in nagios3 (Ubuntu Trusty):
status: Fix Committed → Fix Released
Changed in nagios3 (Ubuntu Zesty):
status: Fix Committed → Fix Released