Bug 1098548

Summary: CVE-2014-4702 nagios-plugins: various flaws [fedora-all]
Product: Fedora
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: nagios-plugins
Assignee: Sam Kottler <s>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 23
CC: dac, ignatenko, jose.p.oliveira.oss, jwboyer, linux, nb, ondrejj, sparks, s, swilkerson
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: fst_ping=4, fst_owner=dcafaro
Fixed In Version: nagios-plugins-2.0.3-1.fc23
Doc Type: Release Note
Story Points: ---
Last Closed: 2015-08-18 05:13:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1098531, 1114841

Description Vasyl Kaigorodov 2014-05-16 14:11:27 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s).  This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time.  If you need to fix the versions independent of each other,
you may clone this bug as appropriate.

[bug automatically created by: add-tracking-bugs]

Comment 1 Vasyl Kaigorodov 2014-05-16 14:11:35 UTC
Use the following update submission link to create the Bodhi request for
this issue as it contains the top-level parent bug(s) as well as this
tracking bug.  This will ensure that all associated bugs get updated when
new packages are pushed to stable.

IMPORTANT: ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1098531,1098548

Comment 2 Murray McAllister 2014-07-01 06:46:42 UTC
Adding parent bug 1114841 (for CVE-2014-4702).  Please use this new bodhi update url when correcting these flaws:

https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1098548,1098531,1114841

Comment 3 Igor Gnatenko 2014-07-12 07:36:45 UTC
Please update to 2.0.3 in Fedora 19, 20, 21, 22 (rawhide), EPEL7.

Comment 4 pjp 2014-12-03 18:27:51 UTC
Hello s,

Could you please fix this soon?

Comment 5 Eric Christensen 2015-04-06 19:06:09 UTC
Can this package be updated to fix these security issues, please?

Comment 6 Eric Christensen 2015-04-23 13:20:48 UTC
Can an update be pushed for this package?

If I don't hear back by Monday I'll be starting a non-responsive packager process on this package.

Comment 7 Sam Kottler 2015-04-30 13:21:50 UTC
Sorry for taking so long to get back to you. I'll work on updating the package immediately to take care of the vulnerabilities.

Comment 8 Eric Christensen 2015-05-07 13:29:44 UTC
(In reply to Sam Kottler from comment #7)
> Sorry for taking so long to get back to you. I'll work on updating the
> package immediately to take care of the vulnerabilities.

Awesome, thank you!

Comment 9 Eric Christensen 2015-05-21 13:54:40 UTC
Could you provide an update on this?  Thanks.

Comment 10 Fedora End Of Life 2015-05-29 11:52:09 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 20 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 David A. Cafaro 2015-06-13 02:09:58 UTC
We still need updates for Fedora 21, 22, Rawhide for this.  Are you out there?

Comment 12 David A. Cafaro 2015-06-16 13:05:37 UTC
This will have to be taken to the unresponsive maintainer process if we don't get a response soon.

Comment 13 Jan Kurik 2015-07-15 14:40:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could also affect pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and the reason for this action are here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 14 Nick Bebout 2015-07-27 17:15:07 UTC
Sam, Scott Wilkerson from upstream Nagios is interested in being a co-maintainer for nagios-plugins.  Would you be ok with this?

Comment 15 David A. Cafaro 2015-07-27 17:47:17 UTC
Sam's email account associated with this ticket as well as the fedoraproject email (which forwards to the other) are both bouncing now as host or domain name not found.

Comment 16 Sam Kottler 2015-07-27 20:38:03 UTC
Sorry for not responding due to my email being broken (the cobbler's children have no shoes, etc). I oppose having Nagios Enterprises involved in the package. Their open source track record is almost comical [1][2] and they participated in a hostile takeover of this package [3]. I would like to carry on as the sole maintainer of this package rather than having them involved.

1. https://www.youtube.com/watch?v=YgbbyyNIiHc
2. https://bugzilla.redhat.com/show_bug.cgi?id=1054340
3. http://188.226.141.232/2014/01/20/on-the-nagios-plugins-drama/

Comment 17 David A. Cafaro 2015-07-27 20:57:16 UTC
Please do not forget this one either: https://bugzilla.redhat.com/show_bug.cgi?id=1098549

Comment 18 David A. Cafaro 2015-07-27 21:16:09 UTC
I would also like to make sure it is clear that I reached out to Nagios to possibly help support this package when I was originally unable to get in touch with the maintainer.  This proposal was not their idea; it was initiated by me (with no relation to Nagios corp).  My goal is solely to get things patched on a timely basis (which one-year-old bugs are not) as a Fedora Security Team member.  I was unaware of the past history.

Comment 19 Scott Wilkerson 2015-07-28 14:08:18 UTC
Sam,

First, Nagios Enterprises never participated in a hostile takeover of the package as you claim; we were merely voicing our opinion that it would not be right to change the upstream for the package as you were trying to do.

In your own words posted here:
http://188.226.141.232/2014/01/20/on-the-nagios-plugins-drama/

"I'm not particularly interested in working with Nagios Enterprises given their openly hostile views toward the community. I'll continue to maintain nagios-plugins for the foreseeable future, but once the monitoring-plugins package is available for end-users and has reasonable adoption I may orphan the nagios-plugins package."

Doesn't that contradict what a package maintainer is supposed to do?
https://fedoraproject.org/wiki/Staying_close_to_upstream_projects 

Instead, you are leaving CVEs unaddressed for over a year, seemingly on purpose to tarnish the project in favor of the new team you are working with.

https://www.monitoring-plugins.org/team.html

You are currently holding this package hostage, instead of actually maintaining it and keeping the best interest of the Fedora users in mind.

Comment 20 David A. Cafaro 2015-08-05 13:47:45 UTC
Still long overdue for an update.

Comment 21 Josh Boyer 2015-08-05 14:29:56 UTC
To my knowledge, nagios-plugins 2.0.3 should fix all the specified CVEs.  Is that accurate?

Comment 22 Scott Wilkerson 2015-08-05 14:37:41 UTC
(In reply to Josh Boyer from comment #21)
> To my knowledge, nagios-plugins 2.0.3 should fix all the specified CVEs.  Is
> that accurate?

As far as I am aware this is correct.

Comment 23 Josh Boyer 2015-08-05 18:41:16 UTC
I've committed an update to 2.0.3 on all active branches and started builds.  Updates will be filed shortly after they complete.

Comment 24 Fedora Update System 2015-08-05 18:57:33 UTC
nagios-plugins-2.0.3-1.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.fc23

Comment 25 Fedora Update System 2015-08-05 18:58:44 UTC
nagios-plugins-2.0.3-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.fc22

Comment 26 Fedora Update System 2015-08-05 18:59:26 UTC
nagios-plugins-2.0.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.fc21

Comment 27 Scott Wilkerson 2015-08-05 19:13:19 UTC
(In reply to Josh Boyer from comment #23)
> I've committed an update to 2.0.3 on all active branches and started builds.
> Updates will be filed shortly after they complete.

Would you also be willing to update the following branches:

el6
epel7

Comment 28 Josh Boyer 2015-08-05 19:23:44 UTC
I've asked Kevin Fenzi to look into the epel branches.  I have no experience there.

Comment 29 Fedora Update System 2015-08-05 21:16:47 UTC
nagios-plugins-2.0.3-1.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.el7

Comment 30 Fedora Update System 2015-08-05 21:31:08 UTC
nagios-plugins-2.0.3-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.el6

Comment 31 Fedora Update System 2015-08-06 16:00:43 UTC
Package nagios-plugins-2.0.3-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nagios-plugins-2.0.3-1.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-12853/nagios-plugins-2.0.3-1.fc23
then log in and leave karma (feedback).

Comment 32 Fedora Update System 2015-08-18 05:13:52 UTC
nagios-plugins-2.0.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2015-08-18 05:22:03 UTC
nagios-plugins-2.0.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2015-08-18 05:27:55 UTC
nagios-plugins-2.0.3-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.