
commit nagios for openSUSE:11.3

Hello community,

here is the log from the commit of package nagios for openSUSE:11.3
checked in at Wed Jul 6 18:32:22 CEST 2011.



--------
--- old-versions/11.3/all/nagios/nagios.changes 2010-05-11 23:45:17.000000000
+0200
+++ 11.3/nagios/nagios.changes 2011-07-02 11:34:49.000000000 +0200
@@ -1,0 +2,7 @@
+Sat Jul 2 09:33:15 UTC 2011 - lars@xxxxxxxxxxxxxxxxxxxx
+
+- add nagios-3.2.1-CVE-2011-1523.patch to fix
+ CVE-2011-1523 (bnc#682966)
+- rebased nagios-p1.pl-location.patch
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback
old-versions/11.3/all/nagios
Destination is old-versions/11.3/UPDATES/all/nagios
calling whatdependson for 11.3-i586


New:
----
nagios-3.2.1-CVE-2011-1523.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nagios.spec ++++++
--- /var/tmp/diff_new_pack.8UX8vA/_old 2011-07-06 18:31:53.000000000 +0200
+++ /var/tmp/diff_new_pack.8UX8vA/_new 2011-07-06 18:31:53.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package nagios (Version 3.2.1)
+# spec file for package nagios
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@

Name: nagios
Version: 3.2.1
-Release: 3
+Release: 4.<RELEASE2>
Summary: The Nagios Network Monitor
Url: http://www.nagios.org/
Group: System/Monitoring
@@ -49,6 +49,8 @@
Patch3: nagios-fix_encoding_trends.cgi.patch
# PATCH-FIX-UPSTREAM Fixes handling of forced checks
Patch4: nagios-fix_forced_servicechecks.patch
+# PATCH-FIX-UPSTREAM Fixes CVE-2011-1523
+Patch5: nagios-3.2.1-CVE-2011-1523.patch
# PATCH-FIX-OPENSUSE openSUSE uses a special location for p1.pl
Patch10: nagios-p1.pl-location.patch
BuildRequires: apache2-devel
@@ -158,6 +160,7 @@
%patch2 -p0
%patch3 -p0
%patch4 -p0
+%patch5 -p0
%patch10
find -name ".cvsignore" | xargs rm
find -name ".gitignore" | xargs rm
@@ -292,6 +295,9 @@
%fdupes -s %{buildroot}
%endif

+%check
+make test-perl
+
%clean
%{__rm} -rf %{buildroot}


++++++ nagios-3.2.1-CVE-2011-1523.patch ++++++
Index: cgi/statusmap.c
===================================================================
--- cgi/statusmap.c.orig
+++ cgi/statusmap.c
@@ -2404,7 +2404,7 @@ void print_layer_url(int get_method){

for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){
if(get_method==TRUE)
- printf("&layer=%s",temp_layer->layer_name);
+
printf("&layer=%s",escape_string(temp_layer->layer_name));
else
printf("<input type='hidden' name='layer'
value='%s'>\n",escape_string(temp_layer->layer_name));
}
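Review bot: In the `get_method==TRUE` branch the escaped value is written into a URL query string (`&layer=`), but `escape_string()` is an HTML-entity escaper (the accompanying test expects `&#39;`/`&#61;`), not a URL encoder, so the output is only safe when that URL lands inside HTML where the browser decodes the entities before following it; in any context that is not entity-decoded, the `#` inside an entity would cut the query at the fragment. For a query-string component the cgiutils helper `url_encode()` is the matching primitive, e.g. `printf("&layer=%s", url_encode(temp_layer->layer_name));`, while `escape_string()` remains right for the hidden-input `value='…'` branch. I cannot see from this hunk where `print_layer_url()`'s output is emitted, so whether the entity form is adequate depends on the caller. `print_layer_url` begins before and ends after this hunk.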
Index: t/618cgisecurity.t
===================================================================
--- /dev/null
+++ t/618cgisecurity.t
@@ -0,0 +1,23 @@
+#!/usr/bin/perl
+#
+# Check that you CGI security errors are fixed
+
+use warnings;
+use strict;
+use Test::More;
+use FindBin qw($Bin);
+
+chdir $Bin or die "Cannot chdir";
+
+my $topdir = "$Bin/..";
+my $cgi_dir = "$topdir/cgi";
+
+plan 'no_plan';
+
+my $output = `NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET
QUERY_STRING="layer=' style=xss:expression(alert('XSS')) '"
$cgi_dir/statusmap.cgi`;
+unlike( $output, qr/' style=xss:expression\(alert\('XSS'\)\) '/, "XSS
injection not passed straight through" );
+like( $output, qr/&#39;
style&#61;xss:expression&#40;alert&#40;&#39;XSS&#39;&#41;&#41; &#39;/,
"Expected escaping of quotes" ) || diag $output;
+
+
+$output = `REMOTE_USER=nagiosadmin NAGIOS_CGI_CONFIG=etc/cgi.cfg
REQUEST_METHOD=GET QUERY_STRING="type=command&expand=<body onload=alert(666)>"
$cgi_dir/config.cgi`;
+unlike( $output, qr/<body onload=alert\(666\)>/, "XSS injection not passed
through" ) || diag ($output);

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
