Bug 958002 (CVE-2013-4214)
Summary: | CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage | |||
---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> | |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | |
Status: | CLOSED ERRATA | QA Contact: | ||
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | unspecified | CC: | avibelli, coneill, gmollett, gmurphy, gsterlin, jbalunas, jkt, jrusnack, jshepherd, kseifried, rrajasek, security-response-team, tjay, tkirby | |
Target Milestone: | --- | Keywords: | Security | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | All | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | 957481 | |||
: | CVE-2013-2029 (view as bug list) | Environment: | ||
Last Closed: | 2014-03-07 02:15:48 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 994762, 994764, 994779, 994780 | |||
Bug Blocks: | 958515 |
Description
Kurt Seifried
2013-04-30 05:41:43 UTC
This has been reported upstream: http://tracker.nagios.org/view.php?id=450 Created nagios tracking bugs for this issue: Affects: fedora-all [bug 994779] Affects: epel-6 [bug 994780] This is not fixed by nagios 3.5.1. define('MAGPIE_DIR', './includes/rss/'); define('MAGPIE_CACHE_ON', 0); define('MAGPIE_CACHE_AGE', 0); define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache'); Defining MAGPIE_CACHE_ON to 1 is required in order for MAGPIE_CACHE_DIR to be used. rss_newsfeed.php disables the cache, so this directory is not used without editing the PHP code (note: *not* a configuration file). As it is unused without editing the rss-newsfeed.php file, I will simply comment the line out *and* replace it with a usage comment. Acknowledgements: This issue was discovered by Grant Murphy of the Red Hat Product Security Team. This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2013:1526 https://rhn.redhat.com/errata/RHSA-2013-1526.html nagios-4.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. |