Security issue

Andreas Ericsson ae at op5.se
Thu Nov 6 16:48:47 CET 2008


Jim Perrin wrote:
> On Thu, Nov 6, 2008 at 6:45 AM, Andreas Ericsson <ae at op5.se> wrote:
> 
>> Hope that clears things up a bit.
> 
> Thanks for the rather thorough layman's explanation of this. Is there
> an estimate for when these fixes will be rolled into the stable tree
> for nagios?
> 

In-form session token support was completed about five minutes ago. I'm
doing some basic testing right now and will push this to my git repo at
git://git.op5.org (as 'csrf' branch). It's done as a single patch right
now, mainly because I didn't think it would be worth it to split it into
different parts for the sha1 code, the session library and the changes
to cmd.c (about 10 lines), but also because I've really stressed this
one.

I'm hoping Ethan will have picked it up by tomorrow. I'll send an
announce and put up a nagios-3.0.5p1 or something for download unless
Ethan's done with that by the time I leave the office tomorrow (around
17:00 GMT+1). Note that it won't be official until Ethan hits the big
release-bell and puts it up at nagios.org, but with some decent testing
beforehand, I'm sure he'll be a lot more trigger-happy ;-)

Also note that the part of the issue that was a lot easier to fix than
this one is already in 3.0.5, just like Hendrik said.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
