Security update for icinga SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0146-1 Final 1 1 2017-01-16T14:58:59Z current 2017-01-16T14:58:59Z 2017-01-16T14:58:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for icinga This update for icinga includes various upstream fixes and the following security security fixes: - icinga was updated to version 1.14.0 - the classic-UI was vulnerable to a cross site scripting attack (CVE-2015-8010, boo#952777) - A user with nagios privileges could have gained root privileges by placing a symbolic link at the logfile location (CVE-2016-9566, boo#1014637) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00019.html E-Mail link for openSUSE-SU-2017:0146-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 icinga-1.14.0-4.1 icinga-devel-1.14.0-4.1 icinga-doc-1.14.0-4.1 icinga-idoutils-1.14.0-4.1 icinga-idoutils-mysql-1.14.0-4.1 icinga-idoutils-oracle-1.14.0-4.1 icinga-idoutils-pgsql-1.14.0-4.1 icinga-plugins-downtimes-1.14.0-4.1 icinga-plugins-eventhandlers-1.14.0-4.1 icinga-www-1.14.0-4.1 icinga-www-config-1.14.0-4.1 monitoring-tools-1.14.0-4.1 icinga-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-devel-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-doc-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-idoutils-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-idoutils-mysql-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-idoutils-oracle-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-idoutils-pgsql-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-plugins-downtimes-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-plugins-eventhandlers-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-www-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-www-config-1.14.0-4.1 as a component of openSUSE Leap 42.1 monitoring-tools-1.14.0-4.1 as a component of openSUSE Leap 42.1 icinga-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-devel-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-doc-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-idoutils-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-idoutils-mysql-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-idoutils-oracle-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-idoutils-pgsql-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-plugins-downtimes-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-plugins-eventhandlers-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-www-1.14.0-4.1 as a component of openSUSE Leap 42.2 icinga-www-config-1.14.0-4.1 as a component of openSUSE Leap 42.2 monitoring-tools-1.14.0-4.1 as a component of openSUSE Leap 42.2 Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. CVE-2015-8010 openSUSE Leap 42.1:icinga-1.14.0-4.1 openSUSE Leap 42.1:icinga-devel-1.14.0-4.1 openSUSE Leap 42.1:icinga-doc-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-mysql-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-oracle-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-pgsql-1.14.0-4.1 openSUSE Leap 42.1:icinga-plugins-downtimes-1.14.0-4.1 openSUSE Leap 42.1:icinga-plugins-eventhandlers-1.14.0-4.1 openSUSE Leap 42.1:icinga-www-1.14.0-4.1 openSUSE Leap 42.1:icinga-www-config-1.14.0-4.1 openSUSE Leap 42.1:monitoring-tools-1.14.0-4.1 openSUSE Leap 42.2:icinga-1.14.0-4.1 openSUSE Leap 42.2:icinga-devel-1.14.0-4.1 openSUSE Leap 42.2:icinga-doc-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-mysql-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-oracle-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-pgsql-1.14.0-4.1 openSUSE Leap 42.2:icinga-plugins-downtimes-1.14.0-4.1 openSUSE Leap 42.2:icinga-plugins-eventhandlers-1.14.0-4.1 openSUSE Leap 42.2:icinga-www-1.14.0-4.1 openSUSE Leap 42.2:icinga-www-config-1.14.0-4.1 openSUSE Leap 42.2:monitoring-tools-1.14.0-4.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00019.html https://www.suse.com/security/cve/CVE-2015-8010.html CVE-2015-8010 https://bugzilla.suse.com/952777 SUSE Bug 952777 base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. CVE-2016-9566 openSUSE Leap 42.1:icinga-1.14.0-4.1 openSUSE Leap 42.1:icinga-devel-1.14.0-4.1 openSUSE Leap 42.1:icinga-doc-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-mysql-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-oracle-1.14.0-4.1 openSUSE Leap 42.1:icinga-idoutils-pgsql-1.14.0-4.1 openSUSE Leap 42.1:icinga-plugins-downtimes-1.14.0-4.1 openSUSE Leap 42.1:icinga-plugins-eventhandlers-1.14.0-4.1 openSUSE Leap 42.1:icinga-www-1.14.0-4.1 openSUSE Leap 42.1:icinga-www-config-1.14.0-4.1 openSUSE Leap 42.1:monitoring-tools-1.14.0-4.1 openSUSE Leap 42.2:icinga-1.14.0-4.1 openSUSE Leap 42.2:icinga-devel-1.14.0-4.1 openSUSE Leap 42.2:icinga-doc-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-mysql-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-oracle-1.14.0-4.1 openSUSE Leap 42.2:icinga-idoutils-pgsql-1.14.0-4.1 openSUSE Leap 42.2:icinga-plugins-downtimes-1.14.0-4.1 openSUSE Leap 42.2:icinga-plugins-eventhandlers-1.14.0-4.1 openSUSE Leap 42.2:icinga-www-1.14.0-4.1 openSUSE Leap 42.2:icinga-www-config-1.14.0-4.1 openSUSE Leap 42.2:monitoring-tools-1.14.0-4.1 important 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00019.html https://www.suse.com/security/cve/CVE-2016-9566.html CVE-2016-9566 https://bugzilla.suse.com/1014637 SUSE Bug 1014637