incubator-ambari-dev mailing list archives

From "Mahadev konar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-1934) Security vulnerability with Ganglia and Nagios
Date Mon, 15 Apr 2013 17:02:17 GMT

[ https://issues.apache.org/jira/browse/AMBARI-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13631865#comment-13631865 ]

Mahadev konar commented on AMBARI-1934:
---------------------------------------

+1 for the patch.
> Security vulnerability with Ganglia and Nagios
> ----------------------------------------------
>
>                 Key: AMBARI-1934
>                 URL: https://issues.apache.org/jira/browse/AMBARI-1934
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Sumit Mohanty
>            Assignee: Sumit Mohanty
>             Fix For: 1.3.0
>
>         Attachments: AMBARI-1934.patch
>
>
> Ganglia Issue:
> Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute
> arbitrary PHP code via unknown attack vectors.
> http://ganglia.info/?p=549
> Ganglia Web 3.5.1 Release – Security Advisory
> There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead
> to arbitrary script being executed with web user privileges possibly leading to a machine
> compromise. Issue has been fixed in the latest version of Ganglia Web which can be downloaded
> from https://sourceforge.net/projects/ganglia/files/ganglia-web/3.5.1/
> Solution:
> Need to get upgraded rpms with the Ganglia Web version 3.5.7 which has the fix for this
> vulnerability.
> Nagios:
> Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios
> Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4,
> might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host
> parameter) or (2) svc_description variable.
> http://www.nagios.org/projects/nagioscore/history/core-3x
> http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html
> Vulnerable software and versions - nagios:nagios:3.4.3 and previous versions

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
