openSUSE-SU-2021:0715-1: important: Security update for nagios
openSUSE Security Update: Security update for nagios
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0715-1
Rating: important
References: #1003362 #1014637 #1172794 #1182398 #989759
Cross-References: CVE-2016-6209 CVE-2020-13977
CVSS scores:
CVE-2016-6209 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2020-13977 (NVD) : 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVE-2020-13977 (SUSE): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves two vulnerabilities and has three
fixes is now available.
Description:
This update for nagios fixes the following issues:
- new nagios-exec-start-post script to fix boo#1003362
- fix nagios_upgrade.sh writing to log file in user controlled directory
(boo#1182398). The nagios_upgrade.sh script writes the logfile directly
below /var/log/
nagios was updated to 4.4.6:
* Fixed Map display in Internet Explorer 11 (#714)
* Fixed duplicate properties appearing in statusjson.cgi (#718)
* Fixed NERD not building when enabled in ./configure (#723)
* Fixed build process when using GCC 10 (#721)
* Fixed postauth vulnerabilities in histogram.js, map.js, trends.js
(CVE-2020-13977, boo#1172794)
* When using systemd, configuration will be verified before reloading
(#715)
* Fixed HARD OK states triggering on the maximum check attempt (#757)
* Fix for CVE-2016-6209 (boo#989759) - The "corewindow" parameter (as in
bringing this to our attention go to Dawid Golunski (boo#1014637)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-715=1
Package List:
- openSUSE Leap 15.2 (x86_64):
nagios-4.4.6-lp152.2.3.1
nagios-contrib-4.4.6-lp152.2.3.1
nagios-debuginfo-4.4.6-lp152.2.3.1
nagios-debugsource-4.4.6-lp152.2.3.1
nagios-devel-4.4.6-lp152.2.3.1
nagios-www-4.4.6-lp152.2.3.1
nagios-www-dch-4.4.6-lp152.2.3.1
nagios-www-debuginfo-4.4.6-lp152.2.3.1
- openSUSE Leap 15.2 (noarch):
nagios-theme-exfoliation-4.4.6-lp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2016-6209.html
https://www.suse.com/security/cve/CVE-2020-13977.html
https://bugzilla.suse.com/1003362
https://bugzilla.suse.com/1014637
https://bugzilla.suse.com/1172794
https://bugzilla.suse.com/1182398
https://bugzilla.suse.com/989759
A nagios security update has been released for openSUSE Leap 15.2.