CVE-2013-7108 (retired)

Priority
Description
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote
authenticated users to obtain sensitive information from process memory or
cause a denial of service (crash) via a long string in the last key value
in the variable list to the process_cgivars function in (1) avail.c, (2)
cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c,
(7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11)
trends.c in cgi/, which triggers a heap-based buffer over-read.
Package
Upstream: released (1.10.2-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (1.10.2-1)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1.10.2-1)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): released (3.5.1-1ubuntu1.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.1.dfsg-2.1ubuntu1.1)
Patches:
Upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
Upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)

Updated: 2019-03-26 12:11:34 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)