Bug 446379 (CVE-2007-5803)

Summary: CVE-2007-5803 nagios: XSS vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: linux, mmcgrath, wtogami
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5803
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-22 23:16:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 437850, 445512, 446381, 446382, 446383
Bug Blocks:
Attachments: SuSE patch (flags: none)

Description Tomas Hoger 2008-05-14 12:28:01 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5803 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in Nagios allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2007-5624 and CVE-2008-1360.

References:
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
http://secunia.com/advisories/30202

Note:
This was reported as an incomplete fix for CVE-2007-5624.

Comment 1 Tomas Hoger 2008-05-14 12:29:28 UTC
Created attachment 305354: SuSE patch

This is *NOT* fixed in the upstream version 2.11.

(Extracted from SuSE nagios-2.9-48.4.src.rpm)

Comment 4 romal 2008-10-20 18:47:18 UTC
We have Nagios 3.0.4 in Rawhide. Should we close this bug?

Comment 5 Tomas Hoger 2008-10-21 06:28:39 UTC
The purpose of bugs filed against the 'Security Response' product is to remain open until the issue is addressed in all affected versions of all affected products (either Fedora or Red Hat products). This still remains unfixed in at least F8/F9.

Comment 6 Vincent Danen 2010-12-22 23:16:44 UTC
Fedora 8 and 9 are EOL, latest Fedora and EPEL have the fixed version.