Bug 1098548 - CVE-2014-4702 nagios-plugins: various flaws [fedora-all]
Summary: CVE-2014-4702 nagios-plugins: various flaws [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nagios-plugins
Version: 23
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Sam Kottler
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: fst_ping=4, fst_owner=dcafaro
Depends On:
Blocks: CVE-2014-4701, CVE-2014-4703 CVE-2014-4702
TreeView+ depends on / blocked
 
Reported: 2014-05-16 14:11 UTC by Vasyl Kaigorodov
Modified: 2015-08-18 05:27 UTC (History)
10 users (show)

Fixed In Version: nagios-plugins-2.0.3-1.fc23
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-18 05:13:52 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-05-16 14:11:27 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s).  This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time.  If you need to fix the versions independent of each other,
you may clone this bug as appropriate.

[bug automatically created by: add-tracking-bugs]

Comment 1 Vasyl Kaigorodov 2014-05-16 14:11:35 UTC
Use the following update submission link to create the Bodhi request for
this issue as it contains the top-level parent bug(s) as well as this
tracking bug.  This will ensure that all associated bugs get updated when
new packages are pushed to stable.

IMPORTANT: ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1098531,1098548

Comment 2 Murray McAllister 2014-07-01 06:46:42 UTC
Adding parent bug 1114841 (for CVE-2014-4702).  Please use this new bodhi update url when correcting these flaws:

https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1098548,1098531,1114841

Comment 3 Igor Gnatenko 2014-07-12 07:36:45 UTC
Please update to 2.0.3 in Fedora 19, 20, 21, 22 (rawhide), EPEL7.

Comment 4 pjp 2014-12-03 18:27:51 UTC
Hello s,

Could you please fix this soon?

Comment 5 Eric Christensen 2015-04-06 19:06:09 UTC
Can this package be updated to fix these security issues, please?

Comment 6 Eric Christensen 2015-04-23 13:20:48 UTC
Can an update be pushed for this package?

If I don't hear back by Monday I'll be starting a non-responsive packager process on this package.

Comment 7 Sam Kottler 2015-04-30 13:21:50 UTC
Sorry for taking so long to get back to you. I'll work on updating the package immediately to take care of the vulnerabilities.

Comment 8 Eric Christensen 2015-05-07 13:29:44 UTC
(In reply to Sam Kottler from comment #7)
> Sorry for taking so long to get back to you. I'll work on updating the
> package immediately to take care of the vulnerabilities.

Awesome, thank you!

Comment 9 Eric Christensen 2015-05-21 13:54:40 UTC
Could you provide an update on this?  Thanks.

Comment 10 Fedora End Of Life 2015-05-29 11:52:09 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 David A. Cafaro 2015-06-13 02:09:58 UTC
We still need updates for Fedora 21, 22, Rawhide for this.  Are you out there?

Comment 12 David A. Cafaro 2015-06-16 13:05:37 UTC
This will have to be taken to unresponsive maintainer proccess if we don't get a response soon.

Comment 13 Jan Kurik 2015-07-15 14:40:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 14 Nick Bebout 2015-07-27 17:15:07 UTC
Sam, Scott Wilkerson from upstream Nagios is interested in being a comaintainer for nagios-plugins.  Would you be ok with this?

Comment 15 David A. Cafaro 2015-07-27 17:47:17 UTC
Sam's email account associated with this ticket as well as the fedoraproject email (which forwards to the other) are both bouncing now as host or domain name not found.

Comment 16 Sam Kottler 2015-07-27 20:38:03 UTC
Sorry for not responding due to my email being broken (the cobblers children have no shoes, etc). I oppose having Nagios Enterprises involved in the the package. Their open source track record is almost comical [1][2] and they participated in a hostile takeover of this package [3]. I would like to carry on as the sole maintainer of this package rather than having them involved.

1. https://www.youtube.com/watch?v=YgbbyyNIiHc
2. https://bugzilla.redhat.com/show_bug.cgi?id=1054340
3. http://188.226.141.232/2014/01/20/on-the-nagios-plugins-drama/

Comment 17 David A. Cafaro 2015-07-27 20:57:16 UTC
Please do not forget this one either https://bugzilla.redhat.com/show_bug.cgi?id=1098549

Comment 18 David A. Cafaro 2015-07-27 21:16:09 UTC
I would also like to make sure it clear, I reached out to Nagios to possibly help support this package when I was originally unable to get in touch with maintainer.  This proposal was not their idea, it was initiated by me (with no relation to Nagios corp).  My goal is solely to get things patched on a timely basis (which one year old bugs are not) as a Fedora Security Team member.  I was unaware of the past history.

Comment 19 Scott Wilkerson 2015-07-28 14:08:18 UTC
Sam,

First, Nagios Enterprises never participated in a hostile takeover of the package as you claim, we merely were voicing our opinion that it would not be right to change the upstream for the package as you were trying to do.

In your own words posted here:
http://188.226.141.232/2014/01/20/on-the-nagios-plugins-drama/

"I’m not particuarly interested in working with Nagios Enterprises given their openly hostile views toward the community. I’ll continue to maintain nagios-plugins for the foreseeable future, but once the monitoring-plugins package is available for end-users and has reasonable adoption I may orphan the nagios-plugins package."

Doesn't that contradict what a package maintainer is supposed to do?
https://fedoraproject.org/wiki/Staying_close_to_upstream_projects 

Instead, you are leaving CVE's unaddressed for over a year, seemingly on purpose to tarnish the project in favor of the new team you are working with.

https://www.monitoring-plugins.org/team.html

You are currently holding this package hostage, instead of actually maintaining it and keeping the best interest of the Fedora users in mind.

Comment 20 David A. Cafaro 2015-08-05 13:47:45 UTC
Still long overdue for an update.

Comment 21 Josh Boyer 2015-08-05 14:29:56 UTC
To my knowledge, nagios-plugins 2.0.3 should fix all the specified CVEs.  Is that accurate?

Comment 22 Scott Wilkerson 2015-08-05 14:37:41 UTC
(In reply to Josh Boyer from comment #21)
> To my knowledge, nagios-plugins 2.0.3 should fix all the specified CVEs.  Is
> that accurate?

As far as I am aware this is correct.

Comment 23 Josh Boyer 2015-08-05 18:41:16 UTC
I've committed an update to 2.0.3 on all active branches and started builds.  Updates will be filed shortly after they complete.

Comment 24 Fedora Update System 2015-08-05 18:57:33 UTC
nagios-plugins-2.0.3-1.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.fc23

Comment 25 Fedora Update System 2015-08-05 18:58:44 UTC
nagios-plugins-2.0.3-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.fc22

Comment 26 Fedora Update System 2015-08-05 18:59:26 UTC
nagios-plugins-2.0.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.fc21

Comment 27 Scott Wilkerson 2015-08-05 19:13:19 UTC
(In reply to Josh Boyer from comment #23)
> I've committed an update to 2.0.3 on all active branches and started builds.
> Updates will be filed shortly after they complete.

Would you also be willing to update the following branches:

el6
epel7

Comment 28 Josh Boyer 2015-08-05 19:23:44 UTC
I've asked Kevin Fenzi to look into the epel branches.  I have no experience there.

Comment 29 Fedora Update System 2015-08-05 21:16:47 UTC
nagios-plugins-2.0.3-1.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.el7

Comment 30 Fedora Update System 2015-08-05 21:31:08 UTC
nagios-plugins-2.0.3-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/nagios-plugins-2.0.3-1.el6

Comment 31 Fedora Update System 2015-08-06 16:00:43 UTC
Package nagios-plugins-2.0.3-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nagios-plugins-2.0.3-1.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-12853/nagios-plugins-2.0.3-1.fc23
then log in and leave karma (feedback).

Comment 32 Fedora Update System 2015-08-18 05:13:52 UTC
nagios-plugins-2.0.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2015-08-18 05:22:03 UTC
nagios-plugins-2.0.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2015-08-18 05:27:55 UTC
nagios-plugins-2.0.3-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.