A nagios security update has been released for SUSE Linux Enterprise 15 SP2.

openSUSE-SU-2021:0735-1: important: Security update for nagios

openSUSE Security Update: Security update for nagios
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0735-1
Rating: important
References: #1003362 #1014637 #1172794 #1182398 #989759

Cross-References: CVE-2016-6209 CVE-2020-13977
CVSS scores:
CVE-2016-6209 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2020-13977 (NVD) : 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVE-2020-13977 (SUSE): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________

An update that solves two vulnerabilities and has three
fixes is now available.

Description:

This update for nagios fixes the following issues:

- new nagios-exec-start-post script to fix boo#1003362

- fix nagios_upgrade.sh writing to log file in user controlled directory
(boo#1182398). The nagios_upgrade.sh script writes the logfile directly
below /var/log/

nagios was updated to 4.4.6:

* Fixed Map display in Internet Explorer 11 (#714)
* Fixed duplicate properties appearing in statusjson.cgi (#718)
* Fixed NERD not building when enabled in ./configure (#723)
* Fixed build process when using GCC 10 (#721)
* Fixed postauth vulnerabilities in histogram.js, map.js, trends.js
(CVE-2020-13977, boo#1172794)
* When using systemd, configuration will be verified before reloading
(#715)
* Fixed HARD OK states triggering on the maximum check attempt (#757)

* Fix for CVE-2016-6209 (boo#989759) - The "corewindow" parameter (as in
bringing this to our attention go to Dawid Golunski (boo#1014637)

This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2021-735=1


Package List:

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

nagios-4.4.6-bp152.2.3.1
nagios-contrib-4.4.6-bp152.2.3.1
nagios-devel-4.4.6-bp152.2.3.1
nagios-www-4.4.6-bp152.2.3.1
nagios-www-dch-4.4.6-bp152.2.3.1

- openSUSE Backports SLE-15-SP2 (noarch):

nagios-theme-exfoliation-4.4.6-bp152.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2016-6209.html
  https://www.suse.com/security/cve/CVE-2020-13977.html
  https://bugzilla.suse.com/1003362
  https://bugzilla.suse.com/1014637
  https://bugzilla.suse.com/1172794
  https://bugzilla.suse.com/1182398
  https://bugzilla.suse.com/989759