Nagstamon: Information disclosure — GLSA 201401-03

A vulnerability in Nagstamon could expose user credentials to a remote attacker.

Affected Packages

net-analyzer/nagstamon on all architectures
Affected versions < 0.9.11_rc1
Unaffected versions >= 0.9.11_rc1

Background

Nagstamon is a Nagios status monitor application.

Description

Nagstamon’s automatic request to check for updates includes plaintext username and password information for one of the monitor servers that the Nagstamon instance connects to.

Impact

A remote attacker could eavesdrop on this request and gain user credentials for a monitor server.

Workaround

There is no known workaround at this time.

Resolution

All Nagstamon users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=net-analyzer/nagstamon-0.9.11_rc1"
 

References

Release Date
January 06, 2014

Latest Revision
January 06, 2014: 2

Severity
high

Exploitable
remote

Bugzilla entries