A user details information exposure flaw was found in the way Nagstamon, a Nagios status monitor for the desktop, performed automated requests to get information about available updates. A remote attacker could use this flaw to obtain user credentials for a server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request, when the HTTP Basic authentication scheme was used.
References: [1] http://nagstamon.ifw-dresden.de/docs/security/
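An added example, not part of the original report and not Nagstamon code: a check over captured outbound requests that flags HTTP Basic credentials leaving for any host other than the configured monitor servers, or travelling without TLS. It assumes the update check goes to a different host than the monitored servers; all host names, credentials and the sample traffic are constructed.

```python
import base64
from urllib.parse import urlsplit

def decode_basic(value):
    """Return (user, password) from a Basic Authorization value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding, not encryption: anyone seeing the header can do this
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def audit_requests(requests, monitor_hosts):
    """Flag (url, headers) pairs whose Basic credentials are exposed."""
    allowed = {h.lower() for h in monitor_hosts}
    findings = []
    for url, headers in requests:
        auth = next((v for k, v in headers.items()
                     if k.lower() == "authorization"), None)
        creds = decode_basic(auth) if auth else None
        if creds is None:
            continue
        parts = urlsplit(url)
        if (parts.hostname or "").lower() not in allowed:
            reason = "credentials sent to non-monitor host"
        elif parts.scheme != "https":
            reason = "credentials sent without TLS"
        else:
            continue
        # Report the user name only; never log the recovered password
        findings.append({"url": url, "user": creds[0], "reason": reason})
    return findings

def _basic(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

# Constructed sample traffic (hypothetical hosts and credentials)
MONITOR_HOSTS = ["nagios.example.org"]
SAMPLE = [
    ("https://nagios.example.org/cgi-bin/status.cgi", {"Authorization": _basic("monitor", "s3cret")}),
    ("http://updates.example.net/version", {"authorization": _basic("monitor", "s3cret")}),
    ("http://nagios.example.org/cgi-bin/status.cgi", {"Authorization": _basic("monitor", "s3cret")}),
    ("https://updates.example.net/version", {"User-Agent": "client"}),
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE, MONITOR_HOSTS):
        print(finding)
```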
This issue affects the versions of the nagstamon package as shipped with Fedora releases 18 and 19. Please schedule an update.
Created nagstamon tracking bugs for this issue: Affects: fedora-all [bug 983675]
CVE Request: http://www.openwall.com/lists/oss-security/2013/07/11/3
The CVE identifier of CVE-2013-4114 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/07/11/7
Reply from Henri Wahl of nagstamon upstream regarding the fix availability for 0.9.9 version:

Hi,

For those who want to fix a 0.9.9 package there is an updated version at Github: https://github.com/HenriWahl/Nagstamon/tree/0.9.9.1 . Anyway it is a better idea to upgrade to 0.9.10.

Regards
Henri
--
Henri Wahl
IT Department
Leibniz-Institut für Festkoerper- u. Werkstoffforschung Dresden
Hi, I'm the nagstamon maintainer. An updated version without the security hole is available in the updates-testing repo. To update:

yum --enablerepo=updates-testing update nagstamon

This applies to Fedora 18 and 19. I'll update nagstamon to 0.9.10 after the updates that are now in testing have been pushed to the stable updates repo.