=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN181
_____________________________________________________________________

DATE                      : 26/05/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Nagios.

======================================================================
http://article.gmane.org/gmane.network.nagios.announce/64
______________________________________________________________________

From: Ethan Galstad <nagios <at> nagios.org>
Subject: Nagios 3.0.2 and 2.12 Released
Newsgroups: gmane.network.nagios.announce
Date: 2008-05-21 17:22:59 GMT

New versions of Nagios 2.x and 3.x have been released and can be
downloaded from:

	http://www.nagios.org/download

Nagios 3.0.2 and 2.12 contain a fix for a potential XSS vulnerability in
the CGIs.  Nagios 3.0.2 also contains a number of fixes for bugs present
in the 3.0.1 release.

Changelogs for both releases are below...

3.0.2 - 05/19/2008
------------------
* Minor bug fixes in CGIs to ensure extra host/servicegroup url strings
are terminated properly
* Minor bug fix in navigation frame link for unhandled service problems
* Better error logging during fork() errors
* Embedded Perl is now disabled by default
* Fixed bug in parsing host dependencies
* Added note to Makefile about 'make install-webconf' option
* Fixed bug in config CGI where active host check attributes were not
displayed properly
* Fixed bug in status CGI where sounds were not played for passive
service problems
* Fixed sample script for distributed monitoring
* Updated p1.pl to allow for 4KB lines in Perl plugin output under epn
* Fixed bug in command for disabling contact notifications
* Fix for bugs in host and service orphan check logic
* Fix for 'make install' functionality for contrib directory
* Fix for host problem links in CGI status summary view
* Fix for properly escaping macros containing URLs
* Patches for possible XSS vulnerability in CGIs (CVE-2007-5803) -
Florian Weimer & SUSE Linux team

2.12 - 05/19/2008
-----------------
* Minor bug fixes in CGIs to ensure extra host/servicegroup url strings
are terminated properly
* Patches for possible XSS vulnerability in CGIs (CVE-2007-5803) -
Florian Weimer & SUSE Linux team

- Ethan Galstad


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================





