2017-04-27 15:41:08 |
Aaron B. Russell |
bug |
|
|
added bug |
2017-04-27 15:41:59 |
Aaron B. Russell |
information type |
Public |
Public Security |
|
2017-04-28 08:09:49 |
Christian Ehrhardt |
bug |
|
|
added subscriber ChristianEhrhardt |
2017-04-28 08:09:58 |
Christian Ehrhardt |
nagios3 (Ubuntu): status |
New |
Triaged |
|
2017-04-28 08:10:06 |
Christian Ehrhardt |
nagios3 (Ubuntu): importance |
Undecided |
Medium |
|
2017-04-28 08:10:26 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
2017-04-28 08:10:39 |
Christian Ehrhardt |
tags |
|
server-next |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Trusty |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
bug task added |
|
nagios3 (Ubuntu Trusty) |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Zesty |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
bug task added |
|
nagios3 (Ubuntu Zesty) |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Xenial |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
bug task added |
|
nagios3 (Ubuntu Xenial) |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Yakkety |
|
2017-05-02 06:55:58 |
Christian Ehrhardt |
bug task added |
|
nagios3 (Ubuntu Yakkety) |
|
2017-05-02 06:56:06 |
Christian Ehrhardt |
nagios3 (Ubuntu): status |
Triaged |
Fix Committed |
|
2017-05-02 06:56:09 |
Christian Ehrhardt |
nagios3 (Ubuntu Trusty): status |
New |
Triaged |
|
2017-05-02 06:56:11 |
Christian Ehrhardt |
nagios3 (Ubuntu Xenial): status |
New |
Triaged |
|
2017-05-02 06:56:13 |
Christian Ehrhardt |
nagios3 (Ubuntu Yakkety): status |
New |
Triaged |
|
2017-05-02 06:56:15 |
Christian Ehrhardt |
nagios3 (Ubuntu Zesty): status |
New |
Triaged |
|
2017-05-02 06:56:16 |
Christian Ehrhardt |
nagios3 (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2017-05-02 06:56:18 |
Christian Ehrhardt |
nagios3 (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-05-02 06:56:20 |
Christian Ehrhardt |
nagios3 (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
2017-05-02 06:56:21 |
Christian Ehrhardt |
nagios3 (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-05-02 12:57:53 |
Aaron B. Russell |
description |
There is a problem with the hostgroups reports that allows restricted contacts to see servers that do not belong to them provided they are in the same hostgroup.
This issue was reported to the Nagios project in 2013 here (with screenshots, sample configs, etc): https://support.nagios.com/forum/viewtopic.php?f=7&t=21794
It was fixed in Nagios 4.2.2 here: https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78
This problem exists in Nagios 3.5.x that did not exist under 3.2.x, however it seems likely that the fix in 4.2.2 could be backported to Nagios 3.5.x.
lsb_release -rd output:
Description: Ubuntu 16.04.2 LTS
Release: 16.04
apt-cache policy nagios3 nagios3-cgi output:
nagios3:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
nagios3-cgi:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages |
[Impact]
* It is possible for users to see information about servers that they have not been given permission to see
* A fix should be backported because this is a security problem and causes Nagios to leak data
* The patch introduces the proper checks on hostgroup permissions as per Nagios 4.2.2
[Test Case]
* Configure Nagios to monitor multiple servers
* Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
* Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
* Set the contact_groups property for one of the servers to be "admins,oneserver"
* Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
* Login to Nagios as "jbloggs"
* On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)
[Regression Potential]
* It's possible that this may create other issues when viewing hostgroups in the Nagios web interface although I have not seen any such issues, and this fix was deemed to be acceptable by the Nagios core team in Nagios 4.2.2 (tracker link below) so I think the chances of any issues are very low.
[Other Info]
* This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
* This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version
[Original Description]
There is a problem with the hostgroups reports that allows restricted contacts to see servers that do not belong to them provided they are in the same hostgroup.
This issue was reported to the Nagios project in 2013 here (with screenshots, sample configs, etc): https://support.nagios.com/forum/viewtopic.php?f=7&t=21794
It was fixed in Nagios 4.2.2 here: https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78
This problem exists in Nagios 3.5.x that did not exist under 3.2.x, however it seems likely that the fix in 4.2.2 could be backported to Nagios 3.5.x.
lsb_release -rd output:
Description: Ubuntu 16.04.2 LTS
Release: 16.04
apt-cache policy nagios3 nagios3-cgi output:
nagios3:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
nagios3-cgi:
  Installed: 3.5.1.dfsg-2.1ubuntu1.1
  Candidate: 3.5.1.dfsg-2.1ubuntu1.1
  Version table:
 *** 3.5.1.dfsg-2.1ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.1.dfsg-2.1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages |
|
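The [Test Case] in the description above, written out as Nagios object definitions. This is an added example, not part of the bug report, the attached debdiffs or the Ubuntu package. The contact name "jbloggs", the contact group "oneserver" and the "admins,oneserver" contact_groups setting come from the test case; the host names (web1, web2), their addresses, the hostgroup "webservers", the contact's e-mail address and the assumption that an "admins" contactgroup and the stock Ubuntu "generic-host" template, "24x7" timeperiod and notify-*-by-email commands already exist are assumptions made for the example.

```cfg
# Added example: object definitions for the hostgroup-visibility test case.
# Contact and contactgroup go in the contacts file named in the test case;
# the hosts and hostgroup can live in any *.cfg under the same conf.d.
# The "admins" contactgroup is assumed to already be defined.

define contact {
    contact_name                    jbloggs
    alias                           Joe Bloggs
    service_notification_period     24x7
    host_notification_period        24x7
    service_notification_options    w,u,c,r
    host_notification_options       d,r
    service_notification_commands   notify-service-by-email
    host_notification_commands      notify-host-by-email
    email                           jbloggs@example.com   ; assumed address
}

define contactgroup {
    contactgroup_name   oneserver
    alias               Contacts allowed to see one server only
    members             jbloggs
}

# Two monitored hosts in the same hostgroup (names and addresses assumed).
# Only web1 lists "oneserver" in contact_groups; jbloggs has no rights to web2,
# so a correctly authorising CGI must not show web2 to jbloggs anywhere.
define host {
    use             generic-host
    host_name       web1
    address         192.0.2.10
    contact_groups  admins,oneserver
}

define host {
    use             generic-host
    host_name       web2
    address         192.0.2.11
    contact_groups  admins
}

define hostgroup {
    hostgroup_name  webservers
    alias           Web servers
    members         web1,web2
}
```

To reproduce, add the CGI login with `htpasswd /etc/nagios3/htpasswd.users jbloggs`, validate the configuration with `nagios3 -v /etc/nagios3/nagios.cfg`, restart nagios3 and log in as jbloggs. On an unpatched 3.5.1 the "Hostgroups", "Hostgroups -> Summary" and "Hostgroups -> Grid" views list web2 alongside web1 because the hostgroup pages only check that the contact is authorised for some host in the group; with the fix applied they show web1 only. Make sure jbloggs is not listed in `authorized_for_all_hosts` or `authorized_for_all_services` in /etc/nagios3/cgi.cfg and that `use_authentication=1`, otherwise the test proves nothing.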
2017-05-02 17:09:05 |
Launchpad Janitor |
nagios3 (Ubuntu): status |
Fix Committed |
Fix Released |
|
2017-05-02 17:09:05 |
Launchpad Janitor |
bug watch added |
|
http://tracker.nagios.org/view.php?id=619 |
|
2017-05-10 22:20:39 |
Aaron B. Russell |
attachment added |
|
Patch for Xenial https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4874912/+files/nagios-fix-xenial.debdiff |
|
2017-05-12 16:29:11 |
Aaron B. Russell |
attachment added |
|
Patch for Trusty https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875695/+files/nagios-fix-trusty.debdiff |
|
2017-05-12 16:29:21 |
Aaron B. Russell |
attachment added |
|
Patch for Yakkety https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875696/+files/nagios-fix-yakkety.debdiff |
|
2017-05-12 16:29:29 |
Aaron B. Russell |
attachment added |
|
Patch for Zesty https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+attachment/4875697/+files/nagios-fix-zesty.debdiff |
|
2017-05-12 17:02:00 |
Aaron B. Russell |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-05-15 17:28:54 |
Christian Ehrhardt |
nagios3 (Ubuntu Trusty): status |
Triaged |
Fix Committed |
|
2017-05-15 17:28:55 |
Christian Ehrhardt |
nagios3 (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
2017-05-15 17:28:57 |
Christian Ehrhardt |
nagios3 (Ubuntu Yakkety): status |
Triaged |
Fix Committed |
|
2017-05-15 17:28:58 |
Christian Ehrhardt |
nagios3 (Ubuntu Zesty): status |
Triaged |
Fix Committed |
|
2017-05-22 14:45:29 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-05-22 14:45:33 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2017-05-22 14:45:36 |
Łukasz Zemczak |
tags |
server-next |
server-next verification-needed |
|
2017-05-22 14:49:37 |
Łukasz Zemczak |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-05-22 18:50:50 |
Aaron B. Russell |
tags |
server-next verification-needed |
server-next verification-done |
|
2017-06-01 14:03:49 |
Łukasz Zemczak |
tags |
server-next verification-done |
server-next verification-done-xenial verification-needed |
|
2017-06-01 20:26:53 |
Launchpad Janitor |
nagios3 (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-06-07 16:55:59 |
Launchpad Janitor |
nagios3 (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
2017-06-07 16:55:59 |
Launchpad Janitor |
cve linked |
|
2016-9566 |
|
2017-06-07 16:56:03 |
Launchpad Janitor |
nagios3 (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2017-06-08 11:09:51 |
Marc Deslauriers |
nagios3 (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|