DSA-1825-1 nagios2, nagios3 -- insufficient input validationID: oval:org.secpod.oval:def:600246 | Date: (C)2011-05-13 (M)2022-10-10 |
Class: PATCH | Family: unix |
It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters. For the oldstable distribution , this problem has been fixed in version 2.6-2+etch3 of nagios2. For the stable distribution , this problem has been fixed in version 3.0.6-4~lenny2 of nagios3. For the testing distribution , this problem has been fixed in version 3.0.6-5 of nagios3. For the unstable distribution , this problem has been fixed in version 3.0.6-5 of nagios3. We recommend that you upgrade your nagios2/nagios3 packages.