The Nagios Plugins Development Team is proud to announce that nagios-plugins 2.0.2 has been released and is available for download (http://nagios-plugins.org/downloads/).
This release comes a bit earlier than originally expected, prompted by a newly discovered security vulnerability reported by Dawid Golunski on exploit-db (http://www.exploit-db.com/exploits/33387/). It is an arbitrary file access vulnerability involving the SUID binaries (check_icmp, check_dhcp) and the extra-opts configure flag (which is enabled by default). Fixes were applied globally, so the new restrictions on fopen should apply to all plugins.
Additionally, a few plugins were updated to build successfully on Windows under Cygwin, and some small changes were made to plugin output and verbosity.
The full list of included enhancements and fixes is below:
Fixed file access vulnerability with SUID binaries (check_icmp, check_dhcp) and extra-opts. Fixes were applied globally, so the new restrictions on fopen should apply to all plugins. Special thanks to Dawid Golunski for the submission. More information: http://www.exploit-db.com/exploits/33387/ (sreinhardt) (emislivec)
check_disk – Now compiles in Cygwin on Windows (Gunnar Beutner)
check_ping – Now compiles in Cygwin on Windows (Gunnar Beutner)
check_users – Now compiles in Cygwin on Windows (Gunnar Beutner)
netutils.c – Connection error verbosity increased. C plugins will now differentiate file socket errors from connection errors (Davide
check_nt.c – Changed ‘Mb’ to ‘MB’ in MEMUSE output for clarity (abrist)
Nagios Plugins Development Team Lead
Technical Support Team
Nagios-announce mailing list