This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Use the following update submission link to create the Bodhi request for
this issue as it contains the top-level parent bug(s) as well as this
tracking bug. This will ensure that all associated bugs get updated when
new packages are pushed to stable.
IMPORTANT: ensure that the "Close bugs when update is stable" option
Bodhi update submission link:
Adding parent bug 1114841 (for CVE-2014-4702). Please use this new bodhi update url when correcting these flaws:
Please update to 2.0.3 in Fedora 19, 20, 21, 22 (rawhide), EPEL7.
Could you please fix this soon?
Can this package be updated to fix these security issues, please?
Can an update be pushed for this package?
If I don't hear back by Monday I'll be starting a non-responsive packager process on this package.
Sorry for taking so long to get back to you. I'll work on updating the package immediately to take care of the vulnerabilities.
(In reply to Sam Kottler from comment #7)
> Sorry for taking so long to get back to you. I'll work on updating the
> package immediately to take care of the vulnerabilities.
Awesome, thank you!
Could you provide an update on this? Thanks.
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 20 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
We still need updates for Fedora 21, 22, Rawhide for this. Are you out there?
This will have to be taken to unresponsive maintainer process if we don't get a response soon.
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.
(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)
More information and reason for this action is here:
Sam, Scott Wilkerson from upstream Nagios is interested in being a comaintainer for nagios-plugins. Would you be ok with this?
Sam's email account associated with this ticket as well as the fedoraproject email (which forwards to the other) are both bouncing now as host or domain name not found.
Sorry for not responding due to my email being broken (the cobbler's children have no shoes, etc). I oppose having Nagios Enterprises involved in the package. Their open source track record is almost comical and they participated in a hostile takeover of this package. I would like to carry on as the sole maintainer of this package rather than having them involved.
Please do not forget this one either https://bugzilla.redhat.com/show_bug.cgi?id=1098549
I would also like to make sure it is clear, I reached out to Nagios to possibly help support this package when I was originally unable to get in touch with maintainer. This proposal was not their idea, it was initiated by me (with no relation to Nagios corp). My goal is solely to get things patched on a timely basis (which one year old bugs are not) as a Fedora Security Team member. I was unaware of the past history.
First, Nagios Enterprises never participated in a hostile takeover of the package as you claim, we merely were voicing our opinion that it would not be right to change the upstream for the package as you were trying to do.
In your own words posted here:
"I’m not particularly interested in working with Nagios Enterprises given their openly hostile views toward the community. I’ll continue to maintain nagios-plugins for the foreseeable future, but once the monitoring-plugins package is available for end-users and has reasonable adoption I may orphan the nagios-plugins package."
Doesn't that contradict what a package maintainer is supposed to do?
Instead, you are leaving CVEs unaddressed for over a year, seemingly on purpose to tarnish the project in favor of the new team you are working with.
You are currently holding this package hostage, instead of actually maintaining it and keeping the best interest of the Fedora users in mind.
Still long overdue for an update.
To my knowledge, nagios-plugins 2.0.3 should fix all the specified CVEs. Is that accurate?
(In reply to Josh Boyer from comment #21)
> To my knowledge, nagios-plugins 2.0.3 should fix all the specified CVEs. Is
> that accurate?
As far as I am aware this is correct.
I've committed an update to 2.0.3 on all active branches and started builds. Updates will be filed shortly after they complete.
nagios-plugins-2.0.3-1.fc23 has been submitted as an update for Fedora 23.
nagios-plugins-2.0.3-1.fc22 has been submitted as an update for Fedora 22.
nagios-plugins-2.0.3-1.fc21 has been submitted as an update for Fedora 21.
(In reply to Josh Boyer from comment #23)
> I've committed an update to 2.0.3 on all active branches and started builds.
> Updates will be filed shortly after they complete.
Would you also be willing to update the following branches:
I've asked Kevin Fenzi to look into the epel branches. I have no experience there.
nagios-plugins-2.0.3-1.el7 has been submitted as an update for Fedora EPEL 7.
nagios-plugins-2.0.3-1.el6 has been submitted as an update for Fedora EPEL 6.
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nagios-plugins-2.0.3-1.fc23'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
nagios-plugins-2.0.3-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
nagios-plugins-2.0.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
nagios-plugins-2.0.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.