oss-sec mailing list archives

Re: CVE request: Nagios: Incomplete fix for CVE-2016-8641


From: <cve-assign () mitre org>
Date: Fri, 30 Dec 2016 16:33:24 -0500

CVE-2016-8641 describes an attack
wherein that restricted user replaces the aforementioned path with a
symlink. The root user (via the init script) will -- the next time
Nagios is started -- give ownership of the symlink's target to Nagios's
user

An identical attack not addressed by CVE-2016-8641 works with hard
links

Use CVE-2016-10089.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
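
The message above describes a root-run init script giving away ownership of a path that a restricted user can replace with a symlink or a hard link. The following C helper is an added example, not part of the original message and not Nagios code; the name `safe_chown` and its refusal rules are assumptions chosen here to show an ownership change that rejects both kinds of link:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Added example (hypothetical helper): change ownership of a regular file
 * without following a symlink or accepting a hard-linked inode.
 * Returns 0 on success, -1 with errno set when refused or failed.
 */
int safe_chown(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc, saved;

    /* O_NOFOLLOW: a symlink as the final component fails with ELOOP.
     * O_NONBLOCK: opening a planted FIFO cannot stall the caller. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Inspect the inode that was actually opened, not the path name. */
    rc = fstat(fd, &st);
    if (rc == 0 && !S_ISREG(st.st_mode)) {
        errno = EINVAL;            /* directory, device, FIFO, ... */
        rc = -1;
    } else if (rc == 0 && st.st_nlink != 1) {
        errno = EMLINK;            /* another name points at this inode */
        rc = -1;
    }
    /* fchown acts on the descriptor, so the path cannot be swapped now. */
    if (rc == 0)
        rc = fchown(fd, uid, gid);

    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Stand-alone use: ./safe_chown <file> (hands the file to the caller). */
int main(int argc, char **argv)
{
    if (argc != 2 || safe_chown(argv[1], getuid(), getgid()) != 0) {
        perror("safe_chown");
        return 1;
    }
    return 0;
}
```

The link-count check is best effort when the directory itself is writable by the restricted user, because names can change between `open` and `fstat`; it complements keeping root-managed files out of user-writable directories. On Linux, the `fs.protected_hardlinks` sysctl additionally restricts users from creating hard links to files they do not own.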

