Advisories » MGASA-2019-0104

Updated nagios packages fix security vulnerability

Publication date: 07 Mar 2019
Modification date: 07 Mar 2019
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-13441, CVE-2018-13457, CVE-2018-13458, CVE-2018-18245

Description

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_help
function is prone to a NULL pointer dereference vulnerability, which allows
an attacker to cause a local denial-of-service condition by sending a crafted
payload to the listening UNIX socket (CVE-2018-13441).

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_echo
function is prone to a NULL pointer dereference vulnerability, which allows
an attacker to cause a local denial-of-service condition by sending a crafted
payload to the listening UNIX socket (CVE-2018-13457).

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_core
function is prone to a NULL pointer dereference vulnerability, which allows
an attacker to cause a local denial-of-service condition by sending a crafted
payload to the listening UNIX socket (CVE-2018-13458).

A cross-site scripting (XSS) vulnerability has been discovered in Nagios
Core. This vulnerability allows attackers to place malicious JavaScript
code into the web frontend through manipulation of plugin output. To do
this, the attacker needs to be able to manipulate the output returned
by Nagios checks, e.g. by replacing a plugin on one of the monitored
endpoints. Execution of the payload then requires that an authenticated
user creates an alert summary report which contains the corresponding
output (CVE-2018-18245).
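
Until the updated packages are installed, stored plugin output can be reviewed for markup that would end up in an alert summary report. The following is an added example, not code from Nagios or from this advisory: it assumes the usual nagios.log alert line layout (`[epoch] SERVICE ALERT: host;service;state;state_type;attempt;output`), and the sample lines and function names are constructed for illustration.

```python
import html
import re

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = """\
[1551916800] SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;CRITICAL - Socket timeout after 10 seconds
[1551916860] SERVICE ALERT: db01;Disk;WARNING;HARD;3;DISK WARNING - free space: / 912 MB (9% inode=81%)
[1551916920] SERVICE ALERT: app02;Load;CRITICAL;HARD;3;CRITICAL <script>alert(1)</script>
[1551916980] HOST ALERT: app02;DOWN;HARD;5;<img src=x onerror=alert(1)> PING CRITICAL
[1551917040] SERVICE NOTIFICATION: admin;web01;HTTP;CRITICAL;notify-by-email;CRITICAL - Socket timeout
"""

ALERT_RE = re.compile(r"^\[(\d+)\] (SERVICE|HOST) ALERT: (.*)$")
# '<' directly followed by a letter, '/' or '!' looks like an HTML tag or comment.
MARKUP_RE = re.compile(r"<[A-Za-z/!]")


def parse_alert(line):
    """Return the fields of a HOST/SERVICE ALERT line, or None for other lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts, kind, rest = m.groups()
    # Plugin output is the last field and may itself contain ';',
    # so limit the number of splits instead of splitting on every ';'.
    n_fields = 6 if kind == "SERVICE" else 5
    parts = rest.split(";", n_fields - 1)
    if len(parts) != n_fields:
        return None
    service = parts[1] if kind == "SERVICE" else None
    return {"time": int(ts), "host": parts[0], "service": service,
            "output": parts[-1]}


def suspicious_alerts(log_text):
    """Return alerts whose plugin output contains HTML-like markup."""
    hits = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert and MARKUP_RE.search(alert["output"]):
            # Escaped form is safe to show in a browser-based review tool.
            alert["escaped"] = html.escape(alert["output"])
            hits.append(alert)
    return hits


if __name__ == "__main__":
    for a in suspicious_alerts(SAMPLE_LOG):
        print(a["time"], a["host"], a["service"] or "-", a["escaped"])
```

A hit identifies the monitored host whose check returned markup, which is where a replaced plugin would have to be investigated.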

References

SRPMS

6/core