Security update for icinga SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3258-1 Final 1 1 2018-10-19T11:14:04Z current 2018-10-19T11:14:04Z 2018-10-19T11:14:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for icinga This update for icinga fixes the following issues: Update to 1.14.0 - CVE-2015-8010: Fixed XSS in the icinga classic UI (boo#952777) - CVE-2016-8641 / CVE-2016-10089: fixed a possible symlink attack for files/dirs created by root (boo#1011630 and boo#1018047) - CVE-2016-0726: removed the pre-configured administrative account with fixed password for the WebUI - (boo#961115) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00043.html E-Mail link for openSUSE-SU-2018:3258-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 icinga-1.14.0-8.3.2 icinga-devel-1.14.0-8.3.2 icinga-doc-1.14.0-8.3.2 icinga-idoutils-1.14.0-8.3.2 icinga-idoutils-mysql-1.14.0-8.3.2 icinga-idoutils-oracle-1.14.0-8.3.2 icinga-idoutils-pgsql-1.14.0-8.3.2 icinga-plugins-downtimes-1.14.0-8.3.2 icinga-plugins-eventhandlers-1.14.0-8.3.2 icinga-www-1.14.0-8.3.2 icinga-www-config-1.14.0-8.3.2 monitoring-tools-1.14.0-8.3.2 icinga-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-devel-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-doc-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-idoutils-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-idoutils-mysql-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-idoutils-oracle-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-idoutils-pgsql-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-plugins-downtimes-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-plugins-eventhandlers-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-www-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 icinga-www-config-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 monitoring-tools-1.14.0-8.3.2 as a component of openSUSE Leap 42.3 Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. CVE-2015-8010 openSUSE Leap 42.3:icinga-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-devel-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-doc-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-mysql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-oracle-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-pgsql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-downtimes-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-eventhandlers-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-config-1.14.0-8.3.2 openSUSE Leap 42.3:monitoring-tools-1.14.0-8.3.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00043.html https://www.suse.com/security/cve/CVE-2015-8010.html CVE-2015-8010 https://bugzilla.suse.com/952777 SUSE Bug 952777 The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. CVE-2016-0726 openSUSE Leap 42.3:icinga-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-devel-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-doc-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-mysql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-oracle-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-pgsql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-downtimes-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-eventhandlers-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-config-1.14.0-8.3.2 openSUSE Leap 42.3:monitoring-tools-1.14.0-8.3.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00043.html https://www.suse.com/security/cve/CVE-2016-0726.html CVE-2016-0726 https://bugzilla.suse.com/961115 SUSE Bug 961115 Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641. CVE-2016-10089 openSUSE Leap 42.3:icinga-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-devel-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-doc-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-mysql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-oracle-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-pgsql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-downtimes-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-eventhandlers-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-config-1.14.0-8.3.2 openSUSE Leap 42.3:monitoring-tools-1.14.0-8.3.2 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00043.html https://www.suse.com/security/cve/CVE-2016-10089.html CVE-2016-10089 https://bugzilla.suse.com/1011630 SUSE Bug 1011630 https://bugzilla.suse.com/1018047 SUSE Bug 1018047 A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change. CVE-2016-8641 openSUSE Leap 42.3:icinga-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-devel-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-doc-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-mysql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-oracle-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-idoutils-pgsql-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-downtimes-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-plugins-eventhandlers-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-1.14.0-8.3.2 openSUSE Leap 42.3:icinga-www-config-1.14.0-8.3.2 openSUSE Leap 42.3:monitoring-tools-1.14.0-8.3.2 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00043.html https://www.suse.com/security/cve/CVE-2016-8641.html CVE-2016-8641 https://bugzilla.suse.com/1011630 SUSE Bug 1011630 https://bugzilla.suse.com/1018047 SUSE Bug 1018047