Debian alert DLA-4233-1 (nagvis) [LWN.net]


From:
               Daniel Leidert <dleidert@debian.org>
To:
               debian-lts-announce@lists.debian.org
Subject:
               [SECURITY] [DLA 4233-1] nagvis security update
Date:
               Sat, 28 Jun 2025 18:17:27 +0200
Message-ID:
               <6dd566475d9e4565bb9df2e5daa0936b9f58a160.camel@debian.org>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4233-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
June 28, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nagvis
Version        : 1:1.9.25-2+deb11u2
CVE ID         : CVE-2024-38866 CVE-2024-47090
Debian Bug     : 1106686

Multiple vulnerabilities were discovered in nagvis, a visualization
addon for Nagios or Icinga. 

CVE-2024-38866

    A livestatus injection via dynmaps is possible.

CVE-2024-47090

    A potential XSS exists via the WYSIWYG editor.

For Debian 11 bullseye, these problems have been fixed in version
1:1.9.25-2+deb11u2.

We recommend that you upgrade your nagvis packages.

For the detailed security status of nagvis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nagvis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmhgFZcACgkQS80FZ8KW
0F1zkg//Q7nmn8pVAsHqB8Nx3Y3cbbx64c6rLSHYDjVbiPaIb73X63FlpaDtn0Ug
Y3OgexUdOTCxpczLhxi4fj58mHQK5tzsORsvqD2ARXYzlN4czMLBpq/R8wc75hY+
IVCLAiKYB7QTtK62K8DhSvrZVre6esRS2qT5PjPiIP2DuvPxTdofmbLw3C70ldtz
F3Rwvz2XbHotcaxIfjpVlX0rXENihJg/jhBgw0M4DMaeJBAtEfzAGuqTjq/9IHmI
ZEoI1+ExsAL9VBcbJ81v0ydSKgSyvH3e+QwB5KLnFDMV/5IkyKtcYUzEsOZAKs33
R/UO8KJBkn75FtJ5+/5oOGk5hKiEnZVtGW0xjepTUAYEXdwxzhc2Fi3fJJ+q+VJ5
MVpXYiLp+eHyuxlLDiP4GBgCz2Ce8OcqhNnxU1tHN+DA3J4MlUr7lqUZ+i2JjYGg
JHk581Tn40I9T007RR+XJobRibq6N9brJQM2BkyuCrBFfVIc4KQYDbgQD9ZQ9r9Y
cy0Jvo9hE/1VkWlkoiH2M2glle61D6BwmpEt8YMdMQFkHMSoGSPG+IoojjSlejtx
NuxtSuPju+o3qKjEk5Rm2R7CAhnvx5bVqujl5oCG2mjQqQ9oThIid5kMVRkjuBxn
GHnCHlNXqJAlq+PREXkNgg1SGn15xMt9H0qR/LQuFqVJ1No6t+U=
=sTaa
-----END PGP SIGNATURE-----

From:		Daniel Leidert <dleidert@debian.org>
To:		debian-lts-announce@lists.debian.org
Subject:		[SECURITY] [DLA 4233-1] nagvis security update
Date:		Sat, 28 Jun 2025 18:17:27 +0200
Message-ID:		<6dd566475d9e4565bb9df2e5daa0936b9f58a160.camel@debian.org>