Candidate: CVE-2012-6096
PublicDate: 2013-01-22 23:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096
 http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
 http://www.openwall.com/lists/oss-security/2013/01/08
Description:
 Multiple stack-based buffer overflows in the get_history function in
 history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2,
 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers
 to execute arbitrary code via a long (1) host_name variable (host
 parameter) or (2) svc_description variable.
Ubuntu-Description:
Notes:
 mdeslaur> debian bug says nagios patch is possibly incomplete
 mdeslaur> downgrading to "negligible" because of FORTIFY_SOURCE
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697930 (nagios3)
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697931 (icinga)
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:

Patches_nagios3:
 upstream: http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
 vendor: http://www.debian.org/security/2013/dsa-2616
Tags_nagios3: fortify-source
upstream_nagios3: released (3.4.1-3)
hardy_nagios3: DNE
lucid_nagios3: ignored (reached end-of-life)
oneiric_nagios3: ignored (reached end-of-life)
precise_nagios3: ignored (reached end-of-life)
precise/esm_nagios3: DNE (precise was needed)
quantal_nagios3: ignored (reached end-of-life)
raring_nagios3: not-affected (3.4.1-3)
saucy_nagios3: not-affected (3.4.1-3)
trusty_nagios3: not-affected (3.4.1-3)
trusty/esm_nagios3: DNE (trusty was not-affected [3.4.1-3])
utopic_nagios3: not-affected (3.4.1-3)
vivid_nagios3: not-affected (3.4.1-3)
vivid/stable-phone-overlay_nagios3: DNE
vivid/ubuntu-core_nagios3: DNE
wily_nagios3: not-affected (3.4.1-3)
xenial_nagios3: not-affected (3.4.1-3)
esm-infra/xenial_nagios3: not-affected (3.4.1-3)
yakkety_nagios3: not-affected (3.4.1-3)
zesty_nagios3: not-affected (3.4.1-3)
devel_nagios3: not-affected (3.4.1-3)

Patches_icinga:
 upstream: https://git.icinga.org/?p=icinga-core.git;a=commit;h=46f55574afa934f9e0bce5e9aac7f45530ff0058
 vendor: http://www.debian.org/security/2013/dsa-2653
Tags_icinga: fortify-source
upstream_icinga: released (1.7.1-5)
hardy_icinga: DNE
lucid_icinga: DNE
oneiric_icinga: ignored (reached end-of-life)
precise_icinga: ignored (reached end-of-life)
precise/esm_icinga: DNE (precise was needed)
quantal_icinga: ignored (reached end-of-life)
raring_icinga: not-affected (1.7.1-5)
saucy_icinga: not-affected (1.7.1-5)
trusty_icinga: not-affected (1.7.1-5)
trusty/esm_icinga: DNE (trusty was not-affected [1.7.1-5])
utopic_icinga: not-affected (1.7.1-5)
vivid_icinga: not-affected (1.7.1-5)
vivid/stable-phone-overlay_icinga: DNE
vivid/ubuntu-core_icinga: DNE
wily_icinga: not-affected (1.7.1-5)
xenial_icinga: not-affected (1.7.1-5)
yakkety_icinga: not-affected (1.7.1-5)
zesty_icinga: not-affected (1.7.1-5)
devel_icinga: not-affected (1.7.1-5)