Candidate: CVE-2008-5027
PublicDate: 2008-11-10 15:23:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027
 https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/301542
 https://ubuntu.com/security/notices/USN-698-1
 https://ubuntu.com/security/notices/USN-698-2
 https://ubuntu.com/security/notices/USN-698-3
Description:
 The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before
 4.0.1 allows remote authenticated users to bypass authorization checks, and
 trigger execution of arbitrary programs by this process, via an (a) custom
 form or a (b) browser addon.
Ubuntu-Description:
Notes:
 mdeslaur> Nagios 1.x doesn't have the CHANGE commands, so authenticated users
           wouldn't be able to trigger arbitrary programs. They could bypass
           authorization checks by submitting commands with linefeeds though.
 mdeslaur> Also see CVE-2008-6373
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_nagios:
 vendor: http://trac.opsview.org/browser/trunk/opsview-base/patches/nagios_cgi_encoded_linefeeds.patch?rev=1653
upstream_nagios: needs-triage
dapper_nagios: released (2:1.3-cvs.20050402-8ubuntu8)
gutsy_nagios: needed (reached end-of-life)
hardy_nagios: DNE
intrepid_nagios: DNE
devel_nagios: DNE

Patches_nagios2:
 vendor: http://trac.opsview.org/browser/trunk/opsview-base/patches/nagios_block_external_change_commands.patch?rev=1653
 vendor: http://trac.opsview.org/browser/trunk/opsview-base/patches/nagios_cgi_encoded_linefeeds.patch?rev=1653
upstream_nagios2: needs-triage
dapper_nagios2: DNE
gutsy_nagios2: needed (reached end-of-life)
hardy_nagios2: released (2.11-1ubuntu1.4)
intrepid_nagios2: DNE
devel_nagios2: DNE

Patches_nagios3:
 upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=2640b78e17f0c8152933adcbd01a68beee3fa0f3
 upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=d908473257dc3d3fc8246c5143d4f0a91cbbfe2a
 upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=4cf2bf46060bcbb88c92cb080e73e6cec84ecddc
 upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=982b889cbd7a7a930ddb59bad355b1b437073be0 (not necessary?)
upstream_nagios3: released (3.0.5)
dapper_nagios3: DNE
gutsy_nagios3: DNE
hardy_nagios3: DNE
intrepid_nagios3: released (3.0.2-1ubuntu1.1)
devel_nagios3: not-affected (3.0.6-1ubuntu1)