Security update for nagios SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0500-1 Final 1 1 2020-04-11T10:16:04Z current 2020-04-11T10:16:04Z 2020-04-11T10:16:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nagios This update for nagios to version 4.4.5 fixes the following issues: - CVE-2019-3698: Symbolic link following vulnerability in the cronjob allows local attackers to cause cause DoS or potentially escalate privileges. (boo#1156309) - CVE-2018-18245: Fixed XSS vulnerability in Alert Summary report (boo#1119832) - CVE-2018-13441, CVE-2018-13458, CVE-2018-13457: Fixed a few denial of service vulnerabilities caused by null pointer dereference (boo#1101293, boo#1101289, boo#1101290). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-500 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HKTKWPRP5BSNBXHHJ3JC2CHRRZALRC26/ E-Mail link for openSUSE-SU-2020:0500-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1028975 SUSE Bug 1028975 https://bugzilla.suse.com/1119832 SUSE Bug 1119832 https://bugzilla.suse.com/1156309 SUSE Bug 1156309 https://www.suse.com/security/cve/CVE-2018-13441/ SUSE CVE CVE-2018-13441 page https://www.suse.com/security/cve/CVE-2018-13457/ SUSE CVE CVE-2018-13457 page https://www.suse.com/security/cve/CVE-2018-13458/ SUSE CVE CVE-2018-13458 page https://www.suse.com/security/cve/CVE-2018-18245/ SUSE CVE CVE-2018-18245 page https://www.suse.com/security/cve/CVE-2019-3698/ SUSE CVE CVE-2019-3698 page openSUSE Leap 15.1 nagios-4.4.5-lp151.5.4.1 nagios-contrib-4.4.5-lp151.5.4.1 nagios-devel-4.4.5-lp151.5.4.1 nagios-theme-exfoliation-4.4.5-lp151.5.4.1 nagios-www-4.4.5-lp151.5.4.1 nagios-www-dch-4.4.5-lp151.5.4.1 nagios-4.4.5-lp151.5.4.1 as a component of openSUSE Leap 15.1 nagios-contrib-4.4.5-lp151.5.4.1 as a component of openSUSE Leap 15.1 nagios-devel-4.4.5-lp151.5.4.1 as a component of openSUSE Leap 15.1 nagios-theme-exfoliation-4.4.5-lp151.5.4.1 as a component of openSUSE Leap 15.1 nagios-www-4.4.5-lp151.5.4.1 as a component of openSUSE Leap 15.1 nagios-www-dch-4.4.5-lp151.5.4.1 as a component of openSUSE Leap 15.1 qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. CVE-2018-13441 openSUSE Leap 15.1:nagios-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-contrib-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-devel-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-theme-exfoliation-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-dch-4.4.5-lp151.5.4.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HKTKWPRP5BSNBXHHJ3JC2CHRRZALRC26/ https://www.suse.com/security/cve/CVE-2018-13441.html CVE-2018-13441 https://bugzilla.suse.com/1101293 SUSE Bug 1101293 qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. CVE-2018-13457 openSUSE Leap 15.1:nagios-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-contrib-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-devel-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-theme-exfoliation-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-dch-4.4.5-lp151.5.4.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HKTKWPRP5BSNBXHHJ3JC2CHRRZALRC26/ https://www.suse.com/security/cve/CVE-2018-13457.html CVE-2018-13457 https://bugzilla.suse.com/1101290 SUSE Bug 1101290 qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. CVE-2018-13458 openSUSE Leap 15.1:nagios-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-contrib-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-devel-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-theme-exfoliation-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-dch-4.4.5-lp151.5.4.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HKTKWPRP5BSNBXHHJ3JC2CHRRZALRC26/ https://www.suse.com/security/cve/CVE-2018-13458.html CVE-2018-13458 https://bugzilla.suse.com/1101289 SUSE Bug 1101289 Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE. CVE-2018-18245 openSUSE Leap 15.1:nagios-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-contrib-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-devel-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-theme-exfoliation-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-dch-4.4.5-lp151.5.4.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HKTKWPRP5BSNBXHHJ3JC2CHRRZALRC26/ https://www.suse.com/security/cve/CVE-2018-18245.html CVE-2018-18245 https://bugzilla.suse.com/1119832 SUSE Bug 1119832 UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise Server 12 nagios version 3.5.1-5.27 and prior versions. SUSE Linux Enterprise Server 11 nagios version 3.0.6-1.25.36.3.1 and prior versions. openSUSE Factory nagios version 4.4.5-2.1 and prior versions. CVE-2019-3698 openSUSE Leap 15.1:nagios-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-contrib-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-devel-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-theme-exfoliation-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-4.4.5-lp151.5.4.1 openSUSE Leap 15.1:nagios-www-dch-4.4.5-lp151.5.4.1 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HKTKWPRP5BSNBXHHJ3JC2CHRRZALRC26/ https://www.suse.com/security/cve/CVE-2019-3698.html CVE-2019-3698 https://bugzilla.suse.com/1150550 SUSE Bug 1150550 https://bugzilla.suse.com/1156309 SUSE Bug 1156309