You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Sumit Mohanty (JIRA)" <ji...@apache.org> on 2013/04/15 19:22:15 UTC
[jira] [Resolved] (AMBARI-1934) Security vulnerability with Ganglia
and Nagios
[ https://issues.apache.org/jira/browse/AMBARI-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sumit Mohanty resolved AMBARI-1934.
-----------------------------------
Resolution: Fixed
> Security vulnerability with Ganglia and Nagios
> ----------------------------------------------
>
> Key: AMBARI-1934
> URL: https://issues.apache.org/jira/browse/AMBARI-1934
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 1.3.0
> Reporter: Sumit Mohanty
> Assignee: Sumit Mohanty
> Fix For: 1.3.0
>
> Attachments: AMBARI-1934.patch
>
>
> Ganglia Issue :
> Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.
> http://ganglia.info/?p=549
> Ganglia Web 3.5.1 Release – Security Advisory
> There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead to arbitrary script being executed with web user privileges possibly leading to a machine compromise. Issue has been fixed in the latest version of Ganglia Web which can be downloaded from https://sourceforge.net/projects/ganglia/files/ganglia-web/3.5.1/
> Solution:
> Need to get upgraded rpms with the Ganglia Web version 3.5.7 which has the fix for this vulnerability.
> Nagios:
> Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.
> http://www.nagios.org/projects/nagioscore/history/core-3x
> http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html
> Vulnerable software and versions - nagios:nagios:3.4.3 and previous versions
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira