Leo Famulari <l...@famulari.name> wrote:

> On Wed, Nov 30, 2016 at 10:31:09PM +0000, Ludovic Courtès wrote:
>> civodul pushed a commit to branch master
>> in repository guix.
>>
>> commit d30e578a0011b05d1e7d8b3ba7ee38588eba301c
>> Author: Ludovic Courtès <l...@gnu.org>
>> Date: Wed Nov 30 23:26:57 2016 +0100
>>
>> gnu: Add Nagios.
>>
>> * gnu/packages/monitoring.scm: New file.
>> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
>
>> + (version "4.0.8")
>> + ;; XXX: Newer versions such as 4.2.3 bundle a copy of AngularJS.
>
> This version of Nagios includes some severe security vulnerabilities:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565
>
> They allow remote attackers to read and write arbitrary files (leading
> to remote code execution) or to escalate privilege to the superuser.
>
> What should we do?
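
Review bot: the `XXX` comment beside `(version "4.0.8")` explains why 4.2.3 is skipped (it bundles AngularJS) but states no condition for lifting the pin, so the package can stay on the older release indefinitely. Suggest recording in the comment what has to happen before the version is bumped, or pointing to a tracking bug, so that the bundling concern does not silently hold back upstream security fixes.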

We should upgrade, even if that means bundling AngularJS (there’s no
other way :-/). I’ll look into it ASAP.

Thanks for the reminder!

Ludo’.