Nagios: Multiple vulnerabilities — GLSA 201710-20

Multiple vulnerabilities have been found in Nagios, the worst of which could lead to the remote execution of arbitrary code.

Affected packages

net-analyzer/nagios-core on all architectures
Affected versions < 4.3.3
Unaffected versions >= 4.3.3

Background

Nagios is an open source host, service and network monitoring program.

Description

Multiple vulnerabilities have been discovered in Nagios. Please review the referenced CVE identifiers for details.

Impact

A remote attacker could possibly escalate privileges to root, thus allowing the execution of arbitrary code, by leveraging CVE-2016-9565. Additionally, a local attacker could cause a Denial of Service condition against arbitrary processes due to the improper dropping of privileges.

Workaround

There is no known workaround at this time.

Resolution

All Nagios users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-4.3.3"
 

References

Release date
October 18, 2017

Latest revision
October 18, 2017: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries