Security Advisory Moderate: nagios security update

Advisory: RHSA-2013:1526-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-11-18
Last updated on: 2013-11-18
Affected Products: Red Hat OpenStack 3.0
CVEs (cve.mitre.org): CVE-2013-2029, CVE-2013-4214

Details

Updated nagios packages that fix two security issues are now available
for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Nagios is a program that can monitor hosts and services on your network. It
can send email or page alerts when problems arise and when problems are
resolved.

Multiple insecure temporary file creation flaws were found in Nagios.
A local attacker could use these flaws to cause arbitrary files to be
overwritten as the root user via a symbolic link attack. (CVE-2013-2029,
CVE-2013-4214)

These issues were discovered by Grant Murphy of the Red Hat Product
Security Team.

All users of Nagios are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.
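
The symbolic link attack described above, reproduced inside a private sandbox directory next to a hardened alternative. This is an added example, not code from Nagios or from Red Hat's backported patches; the file name `upgrade.tmp` and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; not code from Nagios or Red Hat's patches.
# File and function names are hypothetical; all paths are in a sandbox.

# Unsafe: fixed, predictable name in a shared directory. The '>' redirect
# follows symlinks and truncates, so a pre-planted link at that name makes
# the script overwrite whatever the link points to.
write_unsafe() {    # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/upgrade.tmp"
}

# Hardened: mktemp chooses an unpredictable name and creates the file
# exclusively (it fails rather than reuse an existing path) with mode 0600.
write_safe() {      # $1 = shared dir, $2 = data; prints the path created
    tmp=$(mktemp "$1/upgrade.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Build a sandbox with a link already planted at the predictable name, run
# both patterns, and report the content of the link's target after each.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared"
    printf 'original\n' > "$box/protected"
    ln -s "$box/protected" "$box/shared/upgrade.tmp"   # constructed link

    write_safe "$box/shared" "scratch data" > /dev/null
    after_safe=$(cat "$box/protected")

    write_unsafe "$box/shared" "scratch data"
    after_unsafe=$(cat "$box/protected")

    rm -rf "$box"
    printf 'safe=%s unsafe=%s\n' "$after_safe" "$after_unsafe"
}

demo   # prints: safe=original unsafe=scratch data
```

On Linux, the `fs.protected_symlinks` sysctl additionally refuses to follow such links in sticky world-writable directories like /tmp, but scripts run as root should still create temporary files with `mktemp`.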


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat OpenStack 3.0

SRPMS:
nagios-3.5.1-2.el6ost.src.rpm     MD5: a72a259bc6090a4276327e83588271be
SHA-256: 025eb4936dd6d518a56d09c0999f033882a970d2e3795e848ec2afeca0d373ce
 
x86_64:
nagios-3.5.1-2.el6ost.x86_64.rpm     MD5: 8d84a84c940e6794cf76aea318a0c697
SHA-256: 2e643d4609e4bab62f5a15077934671d022c8821cecbbeb3fd8da0460a4a886f
nagios-common-3.5.1-2.el6ost.x86_64.rpm     MD5: 313a06115d2d6df96bdc1adfddddc53b
SHA-256: 4817db9b4cb71b06fa69aaca5ebc4d1dd183b27c3e539ed9cfc48564efc26fcf
nagios-debuginfo-3.5.1-2.el6ost.x86_64.rpm     MD5: 67ab619807294fb59028bb296057595c
SHA-256: ab29294a96c8335ba7e628366b908b428f25d6ec2f1944bae82b18c40e79afe0
nagios-devel-3.5.1-2.el6ost.x86_64.rpm     MD5: 439494ee8cdcab9c5e63e54cba596ecf
SHA-256: 1df96ff0b5bf16fae67491b87dda189bb3a43d42e508f5bfc100fdfca0221b7a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

958002 - CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
958015 - CVE-2013-2029 Nagios core: Insecure temporary file usage in nagios.upgrade_to_v3.sh


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/