[Bug 1686768] Please test proposed package

Łukasz Zemczak 1686768 at bugs.launchpad.net
Mon May 22 14:48:17 UTC 2017


Hello Aaron, or anyone else affected,

Accepted nagios3 into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu1.2 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

Status in nagios3 package in Ubuntu:
  Fix Released
Status in nagios3 source package in Trusty:
  Fix Committed
Status in nagios3 source package in Xenial:
  Fix Committed
Status in nagios3 source package in Yakkety:
  Fix Committed
Status in nagios3 source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

   * It is possible for users to see information about servers that they
  have not been given permission to see

   * A fix should be backported because this is a security problem and
  causes Nagios to leak data

   * The patch introduces the proper checks on hostgroup permissions as
  per Nagios 4.2.2

  [Test Case]

   * Configure Nagios to monitor multiple servers
   * Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Set the contact_groups property for one of the servers to be "admins,oneserver"
   * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
   * Login to Nagios as "jbloggs"
   * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)

  [Regression Potential]

   * It's possible that this may create other issues when viewing
  hostgroups in the Nagios web interface although I have not seen any
  such issues, and this fix was deemed to be acceptable by the Nagios
  core team in Nagios 4.2.2 (tracker link below) so I think the chances
  of any issues are very low.

  [Other Info]
   
   * This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
   * This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version

  [Original Description]

  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are
  in the same hostgroup.

  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7&t=21794

  It was fixed in Nagios 4.2.2 here:
  https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78

  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.

  lsb_release -rd output:
  Description:	Ubuntu 16.04.2 LTS
  Release:	16.04

  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions
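
The [Test Case] above describes the contact, contactgroup and host definitions that expose the leak, and the [Impact] section says the fix adds per-host checks to the hostgroup views. The following is an added example (editor's code, not part of the bug report and not Nagios source): it parses a small, constructed set of Nagios-style object definitions matching the test case and contrasts a hostgroup view that grants access to the whole group once the contact is authorized for any member (a simplified model of the reported symptom, not a transcription of the 3.5.x CGI code) with one that filters member by member. The host names "web1" and "db1", the hostgroup "linux-servers" and the contact "nagiosadmin" are assumptions; "jbloggs", "oneserver" and "admins" come from the test case.

```python
import re

# Constructed config fragment in the style of /etc/nagios3/conf.d/*.cfg.
# Only "jbloggs", "oneserver" and "admins" come from the bug report; the
# host names, the hostgroup and "nagiosadmin" are assumptions.
SAMPLE_CFG = """
define contact {
    contact_name    nagiosadmin
    contactgroups   admins
}
define contact {
    contact_name    jbloggs
}
define contactgroup {
    contactgroup_name  admins
    members            nagiosadmin
}
define contactgroup {
    contactgroup_name  oneserver
    members            jbloggs
}
define host {
    host_name       web1
    contact_groups  admins,oneserver
}
define host {
    host_name       db1
    contact_groups  admins
}
define hostgroup {
    hostgroup_name  linux-servers
    members         web1,db1
}
"""

DEFINE_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)


def parse_objects(text):
    """Parse 'define <type> { key value ... }' blocks into {type: [attrs, ...]}."""
    objects = {}
    for kind, body in DEFINE_RE.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.setdefault(kind, []).append(attrs)
    return objects


def split_list(value):
    """Split a comma-separated Nagios list attribute into names."""
    return [v.strip() for v in value.split(",") if v.strip()]


def contact_groups_of(objs, contact):
    """Groups a contact belongs to, via contactgroup 'members' or the contact's own 'contactgroups'."""
    groups = set()
    for cg in objs.get("contactgroup", []):
        if contact in split_list(cg.get("members", "")):
            groups.add(cg["contactgroup_name"])
    for c in objs.get("contact", []):
        if c["contact_name"] == contact:
            groups.update(split_list(c.get("contactgroups", "")))
    return groups


def is_authorized_for_host(objs, contact, host_name):
    """Per-host check: the contact is named on the host, or is in one of its contact_groups."""
    for h in objs.get("host", []):
        if h["host_name"] != host_name:
            continue
        if contact in split_list(h.get("contacts", "")):
            return True
        host_groups = set(split_list(h.get("contact_groups", "")))
        return bool(contact_groups_of(objs, contact) & host_groups)
    return False


def hostgroup_members(objs, hostgroup):
    """Member host names of a hostgroup, in definition order."""
    for hg in objs.get("hostgroup", []):
        if hg["hostgroup_name"] == hostgroup:
            return split_list(hg.get("members", ""))
    return []


def hostgroup_view_buggy(objs, contact, hostgroup):
    """Leaky model: one group-level decision, then every member is listed."""
    members = hostgroup_members(objs, hostgroup)
    if any(is_authorized_for_host(objs, contact, h) for h in members):
        return members  # jbloggs gets db1 too, although only web1 is theirs
    return []


def hostgroup_view_fixed(objs, contact, hostgroup):
    """Per-host filtering: only members the contact is individually authorized for."""
    return [h for h in hostgroup_members(objs, hostgroup)
            if is_authorized_for_host(objs, contact, h)]


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CFG)
    for view in (hostgroup_view_buggy, hostgroup_view_fixed):
        print(view.__name__, "jbloggs ->", view(objs, "jbloggs", "linux-servers"))
```

Run against the sample, the leaky view returns both hosts for jbloggs while the filtered view returns only web1; an admin in "admins" sees both either way. When verifying the proposed package, the same expectation applies to the Hostgroups, Summary and Grid pages: logged in as jbloggs, only the host whose contact_groups includes "oneserver" should appear.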
