From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-2419-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 5FE25138334
	for <garchives@archives.gentoo.org>; Sun,  2 Dec 2018 15:57:29 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id D7AA0E09F4;
	Sun,  2 Dec 2018 15:52:49 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 22474E083D
	for <gentoo-announce@lists.gentoo.org>; Sun,  2 Dec 2018 15:49:20 +0000 (UTC)
Received: from localhost (pool-108-45-63-132.washdc.fios.verizon.net [108.45.63.132])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: bman)
	by smtp.gentoo.org (Postfix) with ESMTPSA id 9FEA5335C03
	for <gentoo-announce@lists.gentoo.org>; Sun,  2 Dec 2018 15:49:18 +0000 (UTC)
Date: Sun, 2 Dec 2018 10:49:15 -0500
From: Aaron Bauman <bman@gentoo.org>
To: gentoo-announce@lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 201812-03 ] Nagios: Privilege escalation
Message-ID: <20181202154915.GC16376@monkey>
Reply-To: security@gentoo.org
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="XWOWbaMNXpFDWE00"
Content-Disposition: inline
User-Agent: Mutt/1.11.0 (2018-11-25)
X-Archives-Salt: a5c33dd2-28c0-4873-8b11-e323bd2667bb
X-Archives-Hash: b052ab02160a9256fcfd47a836651f7f


--XWOWbaMNXpFDWE00
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201812-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Nagios: Privilege escalation
     Date: December 02, 2018
     Bugs: #629380
       ID: 201812-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

A vulnerability in Nagios allows local users to escalate privileges.

Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Nagios is an open source host, service and network monitoring program.

Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/nagios-core
                                  < 4.3.4                    >=3D 4.3.4=20

Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

A vulnerability in Nagios was discovered due to the improper handling
of configuration files which can be owned by a non-root user.

Impact
=3D=3D=3D=3D=3D=3D

A local attacker can escalate privileges to root by leveraging access
to a non-root owned configuration file.

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

There is no known workaround at this time.

Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

All Nagios users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=3Dnet-analyzer/nagios-core-4.3.4"

References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[ 1 ] CVE-2017-14312
      https://nvd.nist.gov/vuln/detail/CVE-2017-14312

Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201812-03

Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=3D=3D=3D=3D=3D=3D=3D

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

--XWOWbaMNXpFDWE00
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEyBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlwD/vsACgkQpRQw84X1
dt3tOgfxASRVa9iQmaJGXl5f0VjK/2gghzKo3Q/TCGuJgr9cTOk3nWSvi2s4cMJ9
O4tvceqQbLg7rK2inWoMS6v2BEPmuFrGu0erp0pQtdV8Fcsp1gUk7kLvGQXHRYsB
R8IrFc7N44b83XiUWwNhLkZ8bF1BREeRzonTn0Oo3hxiDLsv54UyLlboQxzAenn5
vHLkAHo/9RTeyLWX6ooaNL6AMGXN95erGIDgNwB4ie3iuLi4eMjyAAux5EqYyvaH
6s7+M+RNAMuLw2wt1jRf8eNvGSHk2N9WGireryh+vmmttI8Ty/FXIP2S8+G4JWoN
gBRTcInfNp8EJwr7yBFVj4/jsO3p
=nkFD
-----END PGP SIGNATURE-----

--XWOWbaMNXpFDWE00--