FEDORA-EPEL-2017-328a23d1ed

security update in Fedora EPEL 6 for nagios

Status: stable 2 years ago

Added fix for selinux from Patrick Uiterwijk


Update to latest in git


Updated from 4.3.1 maint to 4.3.2


We find out that RHEL-6 does not like non-UTF so removed German translation


Major update to Nagios to address outstanding Security needs.


nagios-4.0.8-1.fc21 nagios-4.0.8-1.fc22 nagios-4.0.8-1.el6 nagios-4.0.8-1.el7 nagios-4.0.8-1.fc23

  • update to 4.0.8

How to install

sudo dnf upgrade --advisory=FEDORA-EPEL-2017-328a23d1ed

Comments 15

This update has been submitted for testing by smooge.

This update has obsoleted nagios-4.3.2-3.el6, and has inherited its bugs and notes.

I'd love to test this out and provide karma but I'm a little wary because I don't currently have a nagios install running on a development or test server where I would feel comfortable doing a major-version upgrade.

Do you know if any changes to an existing nagios config will be necessary for moving from the current EL6 version (3.5.1) to this version?

Thanks for doing these updates!!

Cheers

What I did to test in the end was to create a small virtual machine and install the packages from the existing setup. I then copied over /etc/nagios. I updated to the newest nagios and ran a nagios -v /etc/nagios/nagios.cfg to see what broke. For our setup we had customized things in a way which 'worked' in previous versions but didn't in the new version. I fixed those up and then edited my nagios.cfg differences into the nagios.cfg.rpmnew so I got the additional configs that the new version wanted.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for stable by smooge.

This update has been pushed to stable.

So this seems to be working perfectly for me and I haven't had to change any of my configs. I didn't get any errors on service nagios restart and things seem to be working as before. Are there any particular configuration settings I should look at?

Thanks for this update!!!!!

karma: +1 #1005974: +1 #1201462: +1 #1075867: +1

Hey smooge. Weird one here. I have 2 virtually identical machines running this version of nagios on Cent 6 and one of them has a strange problem where I cannot commit any changes through the nagios web admin. For example, disabling notifications or disabling checks of a service. When I click the commit button it spins and spins for a long time and then eventually gives a "Gateway Time-out" error. I've tried deleting retention.dat and rebooting. Any ideas? Very strange that my other nagios box does not have this problem.

Turns out it's not just committing changes, nothing is working. No checks have been performed in the last 2 days. The only thing that I can see that happened that day are CentOS 6 samba updates. Downgrading those updates doesn't seem to help.

@devhen OK time to see what is different between the systems. Does one have selinux running and the other one does not? Does one have the nagios_epel6 selinux policy and the other one does not?

@smooge So I found two different problems. For one, my /etc/nagios/nagios.cfg had the pid file set to /var/run/nagios.pid but it should now be /var/run/nagios/nagios.pid. Secondly, starting nagios with service nagios start failed with 2 selinux errors:

Sep 28 12:09:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/nagios from write access on the file /tmp/.configtest.LZ74T8iY. For complete SELinux messages. run sealert -l 57464946-0362-40f3-a585-5d79d4b17459
Sep 28 12:09:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/nagios from using the chown capability. For complete SELinux messages. run sealert -l 585086e4-e53d-4a8a-85f8-4af5bf7a852f

So I ran:

grep nagios /var/log/audit/audit.log | audit2allow -M nagios-chown
semodule -i nagios-chown.pp

Which solved that problem. But now SELinux is blocking all attempts to query my monitored servers. Log messages look like this:

Sep 28 12:18:21 localhost nagios: Unable to run check for service 'Memory' on host 'xxxxx'

And SELinux audit logs look like this:

type=AVC msg=audit(1506622404.225:6960996): avc: denied { execute_no_trans } for pid=16769 comm="nagios" path="/usr/sbin/nagios" dev=cciss!c0d0p3 ino=1057038 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_exec_t:s0 tclass=file

Any ideas? Strange that now I'm having SELinux errors when I was getting them before.

Thanks

@smooge If I stop nagios and start it manually with the command /usr/sbin/nagios -d /etc/nagios/nagios.cfg rather than starting it with service nagios start, then I don't get the SELinux errors and everything seems to work fine.

OK I found a bug in various things but 4.3.4-4 works on service nagios start/stop without selinux problems.
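
The denials discussed in the thread above, grouped into the allow rules they imply so they can be reviewed before a module built from `grep nagios ... | audit2allow -M` is installed. This is an added example, not part of the original comments or the nagios package; only the `execute_no_trans` record comes from the page, and the other sample records and their target types are constructed.

```python
import re
from collections import defaultdict

# Matches the fields of an AVC denial that determine the resulting allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def proposed_rules(lines):
    """Group AVC denials by (source, target, class) and render allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL, PATH, ... records)
        src = selinux_type(m["scontext"])
        tgt = selinux_type(m["tcontext"])
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on itself
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

SAMPLE = [
    # From the page: the denial quoted in the comment.
    'type=AVC msg=audit(1506622404.225:6960996): avc: denied { execute_no_trans } for pid=16769 comm="nagios" path="/usr/sbin/nagios" dev=cciss!c0d0p3 ino=1057038 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=system_u:object_r:nagios_exec_t:s0 tclass=file',
    # Constructed: records of the kind behind the two setroubleshoot messages.
    'type=AVC msg=audit(1506621546.101:1): avc: denied { write } for pid=100 comm="nagios" name=".configtest.LZ74T8iY" scontext=unconfined_u:system_r:nagios_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1506621546.102:2): avc: denied { chown } for pid=100 comm="nagios" capability=0 scontext=unconfined_u:system_r:nagios_t:s0 tcontext=unconfined_u:system_r:nagios_t:s0 tclass=capability',
    # Constructed: a different domain that a plain "grep nagios" also matches.
    'type=AVC msg=audit(1506621600.001:3): avc: denied { write } for pid=200 comm="cmd.cgi" name="nagios.cmd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_spool_t:s0 tclass=fifo_file',
]

if __name__ == "__main__":
    for rule in proposed_rules(SAMPLE):
        print(rule)
```

The `httpd_t` rule in the output shows why the source domain is worth checking: a text match on "nagios" collects denials from any process that touched a nagios-labelled object, and all of them end up in the generated module.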

Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: unspecified
Karma: +1 (stable threshold: 3, unstable threshold: -3)
Autopush: Enabled
Dates: submitted 2 years ago, in testing 2 years ago, in stable 2 years ago

Related Bugs 25

#469320 CVE-2008-4796 snoopy: command execution via shell metacharacters
#958002 CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
#958305 CVE-2008-4796 snoopy: command execution via shell metacharacters [epel-6]
#994780 CVE-2013-4214 nagios: Nagios core: html/rss-newsfeed.php insecure temporary file usage [epel-6]
#1005974 nagios-4.3.2 is available
#1036331 [cosmetic] Double slash in Nagios' web interface URL
#1046113 CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars()
#1046333 CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars() [fedora-all]
#1046335 CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars() [epel-6]
#1066580 CVE-2014-1878 nagios: possible buffer overflows in cmd.cgi [fedora-all]
#1066582 CVE-2014-1878 nagios: possible buffer overflows in cmd.cgi [epel-6]
#1074611 Consider using Nagios 4.x branch for EPEL7
#1075867 Upgrade to Nagios 4.x
#1083003 Nagios SIGSEGV on (internal to nagios) scheduled log rotate if livestatus module is loaded and a downtime is set
#1084934 Unable to reload nagios under systemd
#1111720 use_embedded_perl_implicitly=1 by default is user-hostile
#1121499 CVE-2014-5009 CVE-2014-5008 CVE-2008-7313 nagios: snoopy: incomplete fixes for command execution flaws [fedora-all]
#1121500 CVE-2014-5009 CVE-2014-5008 CVE-2008-7313 nagios: snoopy: incomplete fixes for command execution flaws [epel-all]
#1189183 Does not handle invalid hostgroup_member correctly
#1201462 Update Nagios package to at least -5
#1201849 Support an environment file in the systemd unit file
#1218320 Install the Nagios checkresults directory with group-writable permissions
#1402871 CVE-2016-9566 nagios: Privilege escalation issue [epel-all]
#1426816 Nagios RPM 4.2.4 forgot to reload systemd in postinstall
#1428111 Broken links in the View Trends and the View Histogram menu
