Errata ID | 363 |
---|---|
Date | 2016-12-21 |
Source package | nagios3 |
Fixed in version | 3.4.1-3.54.201612191342 |
Description | This update addresses the following issues: * A stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi (CVE-2014-1878) * MagpieRSS, as used in the front-end component in Nagios Core, might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796 (CVE-2016-9565) * base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565 (CVE-2016-9566) |
Additional notes | |
CVE ID | CVE-2014-1878, CVE-2016-9565, CVE-2016-9566 |
UCS Bug number | #37088 |