Hello community, here is the log from the commit of package nagios for openSUSE:Factory checked in at Fri Jul 8 15:48:35 CEST 2011. -------- --- nagios/nagios.changes 2010-10-06 22:25:41.000000000 +0200 +++ /mounts/work_src_done/STABLE/nagios/nagios.changes 2011-07-08 13:42:00.000000000 +0200 @@ -1,0 +2,27 @@ +Fri Jul 8 11:35:37 UTC 2011 - lars@linux-schulserver.de + +- removed setuid bit from /var/spool/nagios - configure the + right permissions on service start instead +- use the right STDERR in the cron script +- cleanup files section + +------------------------------------------------------------------- +Tue Jul 5 14:57:40 UTC 2011 - lars@linux-schulserver.de + +- integrated cron script from Daniel Kozar (bnc#701208) + +------------------------------------------------------------------- +Mon Jul 4 17:03:22 UTC 2011 - lars@linux-schulserver.de + +- fixes in init script if check_external_commands are enabled +- added nagios-3.2.3-CVE-2011-1523.patch to fix + CVE-2011-1523 (bnc#682966) + +------------------------------------------------------------------- +Sun Mar 13 16:21:14 UTC 2011 - lars@linux-schulserver.de + +- install /var/spool/nagios with setgroup bit set, so all new files + in this directory belong to the command group (maybe we should + use a permissions file for this?) + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- nagios-3.2.3-CVE-2011-1523.patch nagios-htpasswd.users ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nagios.spec ++++++ --- /var/tmp/diff_new_pack.hRVFoM/_old 2011-07-08 15:46:21.000000000 +0200 +++ /var/tmp/diff_new_pack.hRVFoM/_new 2011-07-08 15:46:21.000000000 +0200 
@@ -1,7 +1,7 @@ # -# spec file for package nagios (Version 3.2.3) +# spec file for package nagios # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %define nnmmsg logger -t %{name}/rpm Summary: The Nagios Network Monitor Version: 3.2.3 -Release: 1 +Release: 5 License: GPLv2+ Group: System/Monitoring Url: http://www.nagios.org/ @@ -40,6 +40,7 @@ Source4: suse.de-nagios Source5: nagios.8 Source6: nagiosstats.8 +Source7: nagios-htpasswd.users # Source10: %{name}-README.SuSE # PATCH-FIX-UPSTREAM fix for missing expression in return statement bnc#395203 @@ -56,7 +57,8 @@ Patch10: nagios-p1.pl-location.patch # PATCH-FIX-OPENSUSE disable Nagios online update checks for distributed packages Patch11: nagios-disable_phone_home.patch -# +# PATCH-FIX-UPSTREAM fix CVE-2011-1523 +Patch12: nagios-3.2.3-CVE-2011-1523.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %fillup_prereq PreReq: %insserv_prereq @@ -186,6 +188,7 @@ %patch7 -p0 %patch10 -p0 %patch11 -p0 +%patch12 -p0 find -name ".cvsignore" | xargs rm find -name ".gitignore" | xargs rm # fix p1.pl pathname of mini_epn @@ -222,7 +225,7 @@ --enable-event-broker \ --enable-embedded-perl # -# %bindir/p1.pl is not a good place for a perl-_module_! +# /usr/bin/p1.pl is not a good place for a perl-_module_! # sed -i 's#@p1pldir@#%{_prefix}/lib/nagios#g' Makefile include/locations.h sample-config/nagios.cfg # 
@@ -269,6 +272,7 @@ # install event handlers %{__install} -d -m0755 %{buildroot}%{_prefix}/lib/%{name}/plugins/eventhandlers/ %{__cp} -afpv contrib/eventhandlers/* %{buildroot}%{_prefix}/lib/%{name}/plugins/eventhandlers/ +find %{buildroot}%{_prefix}/lib/%{name}/plugins/eventhandlers/ -type f -exec chmod +x {} ; # install directory for event brokers like ndoutils %{__install} -d -m0755 %{buildroot}%{_prefix}/lib/%{name}/brokers # install headers for development package @@ -302,9 +306,10 @@ # sysconfig script %{__install} -D -m 0644 %{S:3} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} # install cronjob (gzip' the logfiles) -%{__install} -D -m 0640 %{S:4} %{buildroot}%{_sysconfdir}/cron.weekly/%{name} +%{__install} -D -m 0755 %{S:4} %{buildroot}%{_sysconfdir}/cron.weekly/%{name} +# install htpasswd file +%{__install} -m 0640 %{S:7} %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users # important ghost files -touch %{buildroot}%{_sysconfdir}/%{name}/htpasswd.users touch %{buildroot}%{_localstatedir}/lib/%{name}/retention.dat touch %{buildroot}%{_localstatedir}/lib/%{name}/status.dat touch %{buildroot}%{_localstatedir}/log/%{name}/config.err @@ -314,7 +319,7 @@ install -Dm644 %{S:6} %{buildroot}%{_mandir}/man8/nagiosstats.8 # some rpmlint stuff %if 0%{?suse_version} > 1020 -%fdupes -s %{buildroot} +%fdupes -s %{buildroot}%{_datadir} %endif %clean 
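Review bot: The new `find ... -exec chmod +x {} ;` line has an unescaped `;`, so as shown the shell ends the command before find sees its `-exec` terminator and find aborts with "missing argument to -exec" during %install; if the backslash was merely lost in the mail rendering this is moot, otherwise it should read `find %{buildroot}%{_prefix}/lib/%{name}/plugins/eventhandlers/ -type f -exec chmod +x {} \;` (or `{} +`). The same line also makes every regular file copied from contrib/eventhandlers executable, not only scripts; restricting it with a `-name` filter may be preferable, though what that directory contains is not visible here. The %install section continues outside the hunk.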
@@ -450,12 +455,23 @@ fi # if apache user is not in cmdgrp, add it if id -Gn $wwwusr 2>/dev/null | grep -q %{cmdgrp} >/dev/null 2>&1 ; then - : # $wwwusr (default: %cmdusr) is already in nagiocmd group + : # $wwwusr (default: %cmdusr) is already in Nagios cmd group else # modify apache user, adding it to cmdgrp groupmod -A $wwwusr %{cmdgrp} 2>/dev/null %nnmmsg "User $wwwusr added to group %{cmdgrp} so sending commands to Nagios from the CGI is possible." fi +# Update ? +if [ ${1:-0} -eq 1 ]; then + if [ -x %{_sbindir}/a2enmod ]; then + # enable authentification in apache config + %{_sbindir}/a2enmod authn_file >/dev/null + %{_sbindir}/a2enmod auth_basic >/dev/null + %{_sbindir}/a2enmod authz_user >/dev/null + # enable php5 in apache config + %{_sbindir}/a2enmod php5 + fi +fi %restart_on_update apache2 %preun www @@ -467,14 +483,12 @@ %{_mandir}/man8/%{name}* %_sysconfdir/init.d/%name %ghost %config(missingok,noreplace) /var/log/%name/config.err -%config(noreplace) %_sysconfdir/%name/resource.cfg -%config(noreplace) %_sysconfdir/%name/cgi.cfg -%config(noreplace) %_sysconfdir/%name/%{name}.cfg +%config(noreplace) %_sysconfdir/%name/*.cfg %config(noreplace) %_sysconfdir/%name/objects/*.cfg %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} -%defattr(755,root,root) %{_sysconfdir}/cron.weekly/* %{_prefix}/lib/%name/ +%attr(0755,root,root) %{_prefix}/lib/%name/p1.pl %exclude %{_prefix}/lib/%name/cgi/* %{_sbindir}/convertcfg %{_sbindir}/mini_epn @@ -484,7 +498,7 @@ %defattr(-,%{nsusr},%{cmdgrp}) %dir %_sysconfdir/%name %dir %_sysconfdir/%name/objects -%dir /var/spool/%name +%dir /var/spool/%{name} # defattr change %defattr(-,%{nsusr},%nsgrp) %dir /var/lib/%name 
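Review bot: The comment `# Update ?` above `if [ ${1:-0} -eq 1 ]` says the opposite of what the condition selects: in an rpm %post scriptlet `$1` is 1 on first install and 2 or more on upgrade, so the a2enmod block runs only on fresh installs; change the comment to `# first install only ($1 is >= 2 on update)` or, if modules should also be enabled when upgrading from a version that lacked them, use `-ge 1`. `a2enmod php5` is also the only call in the block whose output is not sent to /dev/null, which looks unintended. `%restart_on_update apache2` below only acts on updates, so on a fresh install the newly enabled modules presumably do not take effect until apache2 is reloaded by other means — worth a comment if that is accepted. The scriptlet starts outside the hunk.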
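Review bot: `%attr(0755,root,root) %{_prefix}/lib/%name/p1.pl` is listed right after `%{_prefix}/lib/%name/`, which already packages that directory recursively, so rpmbuild will warn that p1.pl is listed twice and the effective attributes depend on which entry rpm resolves last. The cleaner form is to give p1.pl its mode in %install (`install -m 0755`) or to list `%dir %{_prefix}/lib/%name/` and its contents explicitly. Collapsing the three explicit `.cfg` entries into `%_sysconfdir/%name/*.cfg` changes nothing today, but any `.cfg` a later build drops into that directory silently inherits the same `%config(noreplace)` treatment — acceptable, but it should be a deliberate choice. The %files section continues outside the hunk.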
@@ -504,7 +518,7 @@ %defattr(-,root,root) %{_datadir}/%{name}/ %config(noreplace) %{apache2_sysconfdir}/%{name}.conf -%attr(0640,root,%cmdgrp) %ghost %config(missingok,noreplace) %{_sysconfdir}/%{name}/htpasswd.users +%attr(0640,root,%cmdgrp) %config(missingok,noreplace) %{_sysconfdir}/%{name}/htpasswd.users %files devel %defattr(-,root,root) ++++++ nagios-3.2.3-CVE-2011-1523.patch ++++++ Index: cgi/config.c =================================================================== --- cgi/config.c.orig +++ cgi/config.c @@ -2275,9 +2275,9 @@ void display_command_expansion(void){ if ((*to_expand)!='\0'){ arg_count[0]=0; - printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",command_args[0]); + printf("<TR CLASS='dataEven'><TD CLASS='dataEven'>To expand:</TD><TD CLASS='dataEven'>%s",escape_string(command_args[0])); for (i=1;(i<MAX_COMMAND_ARGUMENTS)&&command_args[i];i++) - printf("!<FONT\n COLOR='%s'>%s</FONT>",hash_color(i),command_args[i]); + printf("!<FONT\n COLOR='%s'>%s</FONT>",hash_color(i),escape_string(command_args[i])); printf("\n</TD></TR>\n"); /* check all commands */ Index: cgi/statusmap.c =================================================================== --- cgi/statusmap.c.orig +++ cgi/statusmap.c @@ -2404,7 +2404,7 @@ void print_layer_url(int get_method){ for(temp_layer=layer_list;temp_layer!=NULL;temp_layer=temp_layer->next){ if(get_method==TRUE) - printf("&layer=%s",temp_layer->layer_name); + printf("&layer=%s",escape_string(temp_layer->layer_name)); else printf("<input type='hidden' name='layer' value='%s'>\n",escape_string(temp_layer->layer_name)); } Index: t/618cgisecurity.t =================================================================== --- /dev/null +++ t/618cgisecurity.t 
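Review bot: Turning htpasswd.users from a %ghost into a packaged file means every installation now ships the identical `nagiosadmin` entry from nagios-htpasswd.users, a 13-character traditional crypt(3) hash that is both a shared, well-known default and a weak hash format; `%config(missingok,noreplace)` preserves a locally edited copy on upgrade but does nothing on installs where nobody edits it. At minimum the `%post www` scriptlet or a README should tell the administrator to replace the entry, e.g. with the apache2 htpasswd tool (`htpasswd2` on openSUSE) against `%{_sysconfdir}/%{name}/htpasswd.users`; generating the entry at install time, or shipping the file empty with that step documented, would be safer than a fixed credential. The 0640 root:%cmdgrp mode is appropriate as long as the CGI user is a member of %cmdgrp, which the `%post www` hunk arranges.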
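Review bot: In both new lines the result of `escape_string()` is handed straight to printf; if that helper returns a freshly allocated buffer — the unchanged `else` branch in the statusmap.c hunk treats it the same way, so this is not visible here — each expansion leaks one buffer per argument, and a NULL return on allocation failure would reach `%s`. Storing the result in a local, checking it for NULL and freeing it after the printf would complete the fix. A one-line comment such as `/* CVE-2011-1523: command arguments come from the expand= query parameter; escape before output */` would also record why the escaping is there. display_command_expansion() starts and ends outside the hunk.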
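Review bot: The new `&layer=%s` line applies HTML escaping to a value written into a query string, which stops the attribute breakout the CVE describes but is not URL encoding: a layer name containing `&`, `=`, `%` or spaces is still emitted unencoded into the link. Passing the name through `url_encode()` first and then escaping the result for HTML would cover both contexts; the `else` branch already handles the hidden-field case correctly. The end of print_layer_url() is outside the hunk.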
@@ -0,0 +1,23 @@ +#!/usr/bin/perl +# +# Check that you CGI security errors are fixed + +use warnings; +use strict; +use Test::More; +use FindBin qw($Bin); + +chdir $Bin or die "Cannot chdir"; + +my $topdir = "$Bin/.."; +my $cgi_dir = "$topdir/cgi"; + +plan 'no_plan'; + +my $output = `NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET QUERY_STRING="layer=' style=xss:expression(alert('XSS')) '" $cgi_dir/statusmap.cgi`; +unlike( $output, qr/' style=xss:expression(alert('XSS')) '/, "XSS injection not passed straight through" ); +like( $output, qr/' style=xss:expression(alert('XSS')) '/, "Expected escaping of quotes" ) || diag $output; + + +$output = `REMOTE_USER=nagiosadmin NAGIOS_CGI_CONFIG=etc/cgi.cfg REQUEST_METHOD=GET QUERY_STRING="type=command&expand=<body onload=alert(666)>" $cgi_dir/config.cgi`; +unlike( $output, qr/<body onload=alert\(666\)>/, "XSS injection not passed through" ) || diag ($output); ++++++ nagios-htpasswd.users ++++++ nagiosadmin:OIEGHgNTsb3HQ ++++++ nagios.sysconfig ++++++ --- /var/tmp/diff_new_pack.hRVFoM/_old 2011-07-08 15:46:21.000000000 +0200 +++ /var/tmp/diff_new_pack.hRVFoM/_new 2011-07-08 15:46:21.000000000 +0200 @@ -4,8 +4,10 @@ ## Type: integer ## Default: 10 # -# Timeout during server shutdown (seconds) +# Timeout during server shutdown (seconds) and start. # The start script kills Nagios after this timeout in double-seconds with SIGTERM +# If you enabled external commands, the start script also waits for this +# time and tries to setup the system so external commands can be executed. # # Increase it, if you use nagios in an big environment (>100 monitoring hosts)! # ++++++ rcnagios ++++++ --- /var/tmp/diff_new_pack.hRVFoM/_old 2011-07-08 15:46:21.000000000 +0200 +++ /var/tmp/diff_new_pack.hRVFoM/_new 2011-07-08 15:46:21.000000000 +0200 
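Review bot: The two regexes in the statusmap test do not match what they appear to: the unescaped parentheses in `qr/' style=xss:expression(alert('XSS')) '/` are capture groups, so the pattern matches the text `' style=xss:expressionalert'XSS' '`, which never occurs in the output — the `unlike` always passes and the `like` always fails. Both assertions also use the same pattern, so even with the parentheses escaped they cannot both hold; the `unlike` should use `qr/' style=xss:expression\(alert\('XSS'\)\) '/` and the `like` should look for the escaped form the CGI is expected to emit, e.g. `&#39;` for the quotes if escape_string() produces numeric entities (not visible here). The config.cgi test escapes its parentheses correctly and is the model to follow. The header comment `Check that you CGI security errors are fixed` presumably means `your`.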
@@ -155,6 +155,7 @@ resource_file="$(get_var resource_file)" object_cache_file="$(get_var object_cache_file)" check_result_path="$(get_var check_result_path)" +check_external_commands="$(get_var check_external_commands)" # # use default values if above check doesn't work @@ -167,6 +168,7 @@ : ${log_file:=/var/log/nagios/nagios.log} : ${state_retention_file:=/var/log/nagios/retention.dat} : ${status_file:=/var/log/nagios/status.dat} +: ${check_external_commands:=0} # files to remove : ${command_file:=/var/spool/nagios/nagios.cmd} : ${lock_file:=/var/run/nagios/nagios.pid} @@ -192,6 +194,14 @@ check_files check_lock_file startproc $NICELEVEL -p "$lock_file" "$NAGIOS_BIN" -d "$NAGIOS_CFG" + if [ "$check_external_commands" != 0 ]; then + while [ ! -e "$command_file" ] && [ $NAGIOS_TIMEOUT -gt 0 ]; do + sleep 1 + NAGIOS_TIMEOUT=$[$NAGIOS_TIMEOUT-1] + done + chgrp $nagios_cmdgrp "$command_file" + chown $nagios_user:$nagios_cmdgrp "$check_result_path" + fi else echo "Error in configuration - please read $NAGIOS_CFG_ERR_LOG" rc_failed ++++++ suse.de-nagios ++++++ --- /var/tmp/diff_new_pack.hRVFoM/_old 2011-07-08 15:46:21.000000000 +0200 +++ /var/tmp/diff_new_pack.hRVFoM/_new 2011-07-08 15:46:21.000000000 +0200 
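Review bot: When the wait loop in the start branch times out, `$command_file` still does not exist, yet the `chgrp` and `chown` that follow run unconditionally and their failure is neither reported nor reflected in the service status; `$[...]` is also obsolete bash-only arithmetic that a POSIX `#!/bin/sh` interpreter rejects (the shebang is outside the hunk), and `$NAGIOS_TIMEOUT`, `$nagios_cmdgrp` and `$nagios_user` are unquoted. Guard the ownership fixes on the file actually appearing and use `$(( ))`, as below. The loop also consumes NAGIOS_TIMEOUT, so anything later in the same run sees the decremented value — presumably harmless for start, but worth a comment. Where `nagios_cmdgrp` is assigned is not visible in this hunk; the start case continues outside it.
```shell
    # … unchanged: startproc call …
    if [ "$check_external_commands" != 0 ]; then
        # wait at most NAGIOS_TIMEOUT seconds for the daemon to create the command pipe
        while [ ! -e "$command_file" ] && [ "$NAGIOS_TIMEOUT" -gt 0 ]; do
            sleep 1
            NAGIOS_TIMEOUT=$((NAGIOS_TIMEOUT - 1))
        done
        if [ -e "$command_file" ]; then
            chgrp "$nagios_cmdgrp" "$command_file"
            chown "$nagios_user:$nagios_cmdgrp" "$check_result_path"
        else
            echo "Warning: $command_file did not appear within the timeout - external commands may not work"
        fi
    fi
```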
@@ -1,21 +1,19 @@ -#!/bin/sh +#!/usr/bin/env bash # # Compress old nagios logfiles in /var/log/nagios/archives/ # once a week, if sysconfig variable is set to true # -if [ -r /etc/sysconfig/nagios ]; then +if [[ -r /etc/sysconfig/nagios ]]; then . /etc/sysconfig/nagios else - echo "/etc/sysconfig/nagios not found or not readable." + echo "/etc/sysconfig/nagios not found or not readable." >&2 exit 1 fi -if [ x"$NAGIOS_COMPRESS_LOGFILES" = x"true" ]; then - LOGS=$(echo /var/log/nagios/archives/*.log) - for f in $LOGS ; do - if [ -e $f ] ; then - /usr/bin/bzip2 /var/log/nagios/archives/*.log - break +if [[ $NAGIOS_COMPRESS_LOGFILES = "true" ]]; then + for f in /var/log/nagios/archives/*.log ; do + if [[ -r $f ]] ; then + /usr/bin/bzip2 "$f" fi done fi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
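Review bot: `#!/usr/bin/env bash` in a packaged /etc/cron.weekly script makes the interpreter depend on PATH at run time and prevents rpm from generating the automatic Requires on the interpreter (rpmlint reports env-script-interpreter); since the script now relies on bash-only `[[ ]]`, `#!/bin/bash` is the right line. The rewrite otherwise fixes the unquoted glob and the stderr issue correctly; `[[ -f $f ]]` rather than `[[ -r $f ]]` would state the intent (regular file) more precisely and skip a stray directory named `*.log`. Adding `set -euo pipefail` after the shebang would make a failing bzip2 visible through cron instead of being silently ignored.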