Candidate: CVE-2008-5028
PublicDate: 2008-11-10 15:23:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5028
 https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/301542
 https://ubuntu.com/security/notices/USN-698-2
 https://ubuntu.com/security/notices/USN-698-3
Description:
 Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios
 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send
 commands to the Nagios process, and trigger execution of arbitrary
 programs by this process, via unspecified HTTP requests.
Ubuntu-Description:
Notes:
 mdeslaur> Nagios 1.x doesn't have the CMD_CHANGE commands, so remote
  attackers wouldn't be able to trigger arbitrary programs.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_nagios:
upstream_nagios: needs-triage
dapper_nagios: not-affected (2:1.3-cvs.20050402-8ubuntu7)
gutsy_nagios: not-affected (2:1.4-3.1ubuntu1)
hardy_nagios: DNE
intrepid_nagios: DNE
devel_nagios: DNE

Patches_nagios2:
upstream_nagios2: needs-triage
dapper_nagios2: DNE
gutsy_nagios2: needed (reached end-of-life)
hardy_nagios2: released (2.11-1ubuntu1.4)
intrepid_nagios2: DNE
devel_nagios2: DNE

Patches_nagios3:
 upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764 (proposed fix)
 upstream: http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110 (temporary patch)
upstream_nagios3: released (3.0.6)
dapper_nagios3: DNE
gutsy_nagios3: DNE
hardy_nagios3: DNE
intrepid_nagios3: released (3.0.2-1ubuntu1.1)
devel_nagios3: not-affected (3.0.6-1ubuntu1)