From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: 01/01: gnu: Add Nagios.
Date: Fri, 30 Dec 2016 14:52:16 -0500
Message-ID: <20161230195216.GA9049@jasmine>
References: <20161130223109.19603.88396@vcs.savannah.gnu.org>
	<20161130223109.CCC082201C1@vcs.savannah.gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="2oS5YaxWCcQjTEyO"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:32870)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cN3Dz-0003Oe-9R
	for guix-devel@gnu.org; Fri, 30 Dec 2016 14:52:24 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cN3Dv-0003Pk-D0
	for guix-devel@gnu.org; Fri, 30 Dec 2016 14:52:23 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:33865)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cN3Dv-0003PH-8v
	for guix-devel@gnu.org; Fri, 30 Dec 2016 14:52:19 -0500
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id D26CC2478B
	for <guix-devel@gnu.org>; Fri, 30 Dec 2016 14:52:17 -0500 (EST)
Content-Disposition: inline
In-Reply-To: <20161130223109.CCC082201C1@vcs.savannah.gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Nov 30, 2016 at 10:31:09PM +0000, Ludovic Court=EF=BF=BDs wrote:
> civodul pushed a commit to branch master
> in repository guix.
>=20
> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
> Author: Ludovic Court=C3=A8s <ludo@gnu.org>
> Date:   Wed Nov 30 23:26:57 2016 +0100
>=20
>     gnu: Add Nagios.
>    =20
>     * gnu/packages/monitoring.scm: New file.
>     * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.

> +    (version "4.0.8")
> +    ;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.

This version of Nagios includes some severe security vulnerabilities:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9565

They allow remote attackers to read and write arbitrary files (leading
to remote code execution) or to escalate privilege to the superuser.

What should we do?

--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlhmuvAACgkQJkb6MLrK
fwjXuhAAqHRcteKMfAEQQv3uWJuGSUn93GrZyUb4cU0y127h61Y6lk0PsVUzx+pJ
bz0Wd/eGRtUKx3/qww/Us4P/Zh8Z/44uoQSpafOnOcwyj0RamwzwlittOA0VYAHx
kZeDTK0RZKenIRGbFI3kgr3Mwi1N8pb86PA2RlxwNqyZwyDcs4xuEZyZd14U8HXq
LmTml3VhQWZmBMJBZXGVJK860mQ/rL/HwroP9u8Jo49Z/gaOSC61k9UkT7Kc5Dyd
xcwYb/L4Uz5OVRzjx9eIbi/nxZoqQj5vA7o5KDom9q8qRqHzwy4KSLlu3r4kgIyd
x5fDBasLQLa8LxWyFtzb2hHlNEpu8Br/BLS+Bbix2ti+TKbHVFnB4IneCRAVkYcu
5xoc8rtAlATaWTAxnrgowHvaoTkE0CsU1bIbWqv9eMhWeYrEKDowi/XSa9prsIYV
qsVV/sMof8/8eJtR9Dzrw22W0Bz5H/2TxMyE6sfKnnYj+bnt5d17hTH8UO51feJ8
b1QD37/v8XUvqYb7UloFp7J7d5excuMcmEJiaUPtizAqyaCZHjo3VhHyQJWl8sbq
SGsRU6deH4GupL8zYLUJHXon5Y6qP7YgAr4pjL0FEu5pbmm/A1Q9ts3MSomDwobr
ue2koadLpe2nfRAO0D90rCYiO6z2UoQU63Hd/QCw9B6ZeurtOlw=
=XgES
-----END PGP SIGNATURE-----

--2oS5YaxWCcQjTEyO--