Debian Security Advisory
DLA-751-1 nagios3 -- LTS security update
- Date Reported:
- 17 Dec 2016
- Affected Packages:
- nagios3
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-9565, CVE-2016-9566.
- More information:
Nagios was found to be vulnerable to two security issues that, when combined, lead to remote code execution as root. Fortunately, the hardened permissions of the Debian package limit the remote impact to information disclosure, but local privilege escalation to root is still possible.
Improper sanitization of RSS feed input (CVE-2016-9565) enables unauthenticated remote read and write of arbitrary files, which may lead to remote code execution if the web root is writable.
Unsafe logfile handling (CVE-2016-9566) allows unprivileged users to escalate their privileges to root. In wheezy, this is possible only through the debug logfile, which is disabled by default.
For Debian 7 "Wheezy", these problems have been fixed in version 3.4.1-3+deb7u3.
We recommend that you upgrade your nagios3 packages.
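The following is an added example (not part of the advisory, and not Debian tooling) of how to decide whether a host has actually received this fix: it implements the Debian package version ordering from deb-version(5) and checks each installed binary package against the fixed version 3.4.1-3+deb7u3. It assumes the binary packages built from the nagios3 source are nagios3, nagios3-cgi, nagios3-common, nagios3-core and nagios3-dbg, and it runs on constructed sample output of the form `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`; on a real wheezy host, feed it the real output of that command. The point a practitioner should take from it is that "deb7u10" sorts after "deb7u3" and "3.4.1~rc1" before "3.4.1", so a naive string comparison would misjudge fixed hosts.

```python
"""Check installed nagios3 binary packages against the DLA-751-1 fixed version.

Added example; not Debian code. The version comparison follows the
deb-version(5) algorithm used by dpkg (epoch, then upstream_version, then
debian_revision, each compared by alternating non-digit and numeric runs).
"""

FIXED_VERSION = "3.4.1-3+deb7u3"

# Assumption: binary packages built from the nagios3 source in wheezy.
BINARY_PACKAGES = ("nagios3", "nagios3-cgi", "nagios3-common", "nagios3-core", "nagios3-dbg")

# Constructed sample, mimicking dpkg-query -W -f='${Package} ${Version} ${Status}\n'
# on a host where only part of the upgrade has been applied.
SAMPLE_DPKG_OUTPUT = """\
nagios3 3.4.1-3+deb7u2 install ok installed
nagios3-cgi 3.4.1-3+deb7u2 install ok installed
nagios3-common 3.4.1-3+deb7u3 install ok installed
nagios3-core 3.4.1-3+deb7u3 install ok installed
nagios3-dbg 3.4.1-3+deb7u2 deinstall ok config-files
"""

_DIGITS = "0123456789"
_LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _order(c):
    """Sort weight of one character in a non-digit run: '~' sorts before
    end-of-string, letters before other punctuation (as in dpkg's order())."""
    if c in _DIGITS:
        return 0
    if c in _LETTERS:
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit prefix character by character.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the numeric run as a number: drop leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def assess(dpkg_query_output, fixed=FIXED_VERSION, packages=BINARY_PACKAGES):
    """Map each package to 'fixed', 'vulnerable' or 'not installed'.
    Only packages in state 'install ok installed' count as present."""
    installed = {}
    for line in dpkg_query_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[2].strip() == "install ok installed":
            installed[parts[0]] = parts[1]
    result = {}
    for pkg in packages:
        if pkg not in installed:
            result[pkg] = "not installed"
        elif compare_versions(installed[pkg], fixed) >= 0:
            result[pkg] = "fixed"
        else:
            result[pkg] = "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, state in assess(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {state}")
```

Run against the constructed sample it reports nagios3 and nagios3-cgi as vulnerable, nagios3-common and nagios3-core as fixed, and nagios3-dbg as not installed, which is exactly the half-upgraded state you want to catch before declaring a host patched.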
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS