Candidate: CVE-2016-8641
PublicDate: 2018-08-01 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8641
 https://www.nagios.org/news/2016/11/nagios-core-4-2-3-released/
Description:
 A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change.
Ubuntu-Description:
Notes:
 tyhicks> Debian packaging provides its own init script
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_nagios3:
 upstream: https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1
upstream_nagios3: needs-triage
precise_nagios3: not-affected (code not present)
precise/esm_nagios3: DNE (precise was not-affected [code not present])
trusty_nagios3: not-affected (code not present)
trusty/esm_nagios3: DNE (trusty was not-affected [code not present])
vivid/ubuntu-core_nagios3: DNE
vivid/stable-phone-overlay_nagios3: DNE
xenial_nagios3: not-affected (code not present)
esm-infra/xenial_nagios3: not-affected (code not present)
yakkety_nagios3: not-affected (code not present)
zesty_nagios3: not-affected (code not present)
artful_nagios3: not-affected (code not present)
bionic_nagios3: not-affected (code not present)
cosmic_nagios3: DNE
devel_nagios3: DNE

Patches_icinga:
upstream_icinga: needs-triage
precise_icinga: ignored (reached end-of-life)
precise/esm_icinga: DNE (precise was needs-triage)
trusty_icinga: not-affected
trusty/esm_icinga: DNE (trusty was not-affected)
vivid/ubuntu-core_icinga: DNE
vivid/stable-phone-overlay_icinga: DNE
xenial_icinga: not-affected
yakkety_icinga: ignored (reached end-of-life)
zesty_icinga: ignored (reached end-of-life)
artful_icinga: ignored (reached end-of-life)
bionic_icinga: not-affected
cosmic_icinga: not-affected
devel_icinga: not-affected