Dear Maintainer,

the Nagios Core project recently patched a security vulnerability in its most recent version 4.5.12, published on 2026-03-25. The fixed vulnerability is a CSRF issue in the command CGI handler. The issue does not (yet?) have a CVE, which is probably why this went unnoticed. Please prepare a new version with the upstream fix, thanks!

Fix commit:
https://github.com/NagiosEnterprises/nagioscore/commit/e5ed38e53a5d65721520c7c67be0746d63da28cb

Additional relevant commits that add a config option to get the old, insecure behavior back:
https://github.com/NagiosEnterprises/nagioscore/pull/1055

Changelog mentioning the fix of the vulnerability:
https://github.com/NagiosEnterprises/nagioscore/blob/nagios-4.5.12/Changelog

Public disclosure, unfortunately no CVE:
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
Attached is a debdiff update for nagios4 in trixie addressing the
CSRF vulnerability in cmd.cgi reported in #1136340. No CVE has been
assigned upstream.
Package: nagios4
Version: 4.4.6-4.1+deb13u1
Target distribution: trixie-security
Closes: #1136340
Upstream fix:
https://github.com/NagiosEnterprises/nagioscore/commit/e5ed38e
Upstream disclosure:
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
This could break some installations, so I've also backported
upstream PR #1055, which adds a `cgi_cookie_fail_open` cgi.cfg
option (default 0 = secure) so there is a documented escape hatch,
and added a section to README.Debian explaining this.
Build-tested in pbuilder against trixie.
The debian source package is available here:
https://www.stuart.id.au/russell/private/nagios4_4.4.6-4.1.tar
Let me know what you would like me to do next.
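The fail-open versus fail-closed distinction behind the `cgi_cookie_fail_open` escape hatch, as an added model written for this thread; it is not code from Nagios Core's cmd.c, the upstream commit or the Debian patch. It assumes a double-submit scheme in which a NagFormId cookie must equal a NagFormId field in the POST body; the field names, the `cmd_typ` values, the `fail_open` parameter and every request dict are constructed illustrations. It also covers the changelog's warning about integrations that POST without first obtaining the token:

```python
"""Double-submit CSRF check, fail-open versus fail-closed.

Added illustration written for this bug thread; it is not code from Nagios
Core, the upstream fix or the Debian package.  It assumes (hypothetically)
that the protection is a double-submit cookie: the NagFormId value in a
cookie must equal the NagFormId value in the POST body.  All requests below
are constructed sample inputs.
"""
import hmac
import secrets
from typing import Optional


def issue_form_id() -> str:
    """Mint an unguessable token; a real server would set it as the
    NagFormId cookie and embed it in the command form (assumed mechanism)."""
    return secrets.token_hex(16)


def csrf_check(cookie_id: Optional[str], posted_id: Optional[str],
               fail_open: bool = False) -> bool:
    """Return True when a POST may be processed.

    fail_open=True models the pre-fix behaviour: with no cookie at all the
    comparison is skipped and the request goes through.  fail_open=False
    (the secure default, like cgi_cookie_fail_open=0 in the backport)
    requires both values to be present and equal.
    """
    if cookie_id is None:
        return fail_open
    if posted_id is None:
        return False
    # constant-time compare so a timing side channel cannot narrow the token
    return hmac.compare_digest(cookie_id, posted_id)


def handle_command(request: dict, fail_open: bool = False) -> str:
    """Run the check over a request shaped like a cmd.cgi POST."""
    ok = csrf_check(request.get("cookies", {}).get("NagFormId"),
                    request.get("form", {}).get("NagFormId"),
                    fail_open=fail_open)
    return "ACCEPTED" if ok else "REJECTED"


def scenarios() -> dict:
    """Outcome of each constructed request under both policies."""
    token = issue_form_id()
    cases = {
        # Browser user who loaded the form page: cookie and field agree.
        "browser": {"cookies": {"NagFormId": token},
                    "form": {"NagFormId": token, "cmd_typ": "1"}},
        # Cross-site forgery against a victim who never received the cookie
        # (the browser still attaches basic-auth credentials; the attacker
        # cannot read the token, so it is guessed or omitted).
        "forged_no_cookie": {"cookies": {},
                             "form": {"NagFormId": "0", "cmd_typ": "1"}},
        # Forgery against a victim who does hold the cookie: the guess fails
        # under either policy, so the only gap is the no-cookie case.
        "forged_with_cookie": {"cookies": {"NagFormId": token},
                               "form": {"NagFormId": "0", "cmd_typ": "1"}},
        # Third-party integration that POSTs blind; this is what the
        # changelog warns will break once the check fails closed.
        "integration_blind": {"cookies": {},
                              "form": {"cmd_typ": "1"}},
        # Same integration after it first obtains a token and sends it in
        # both places; works under either policy.
        "integration_fixed": {"cookies": {"NagFormId": token},
                              "form": {"NagFormId": token, "cmd_typ": "1"}},
    }
    return {name: {"fail_open": handle_command(req, fail_open=True),
                   "fail_closed": handle_command(req, fail_open=False)}
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} fail_open={result['fail_open']:8s} "
              f"fail_closed={result['fail_closed']}")
```

The table this prints makes the trade-off concrete: the two policies differ only when no cookie is present, which is exactly the request a blind integration and a cross-site forgery have in common, so an integration that must keep working with the default should fetch the token first rather than turning the fail-open option on.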
Hi Russell,
The diff looks fine, we can fix this in a DSA; can you please build
this with -sa and upload to security-master? (ftp.d.o and security.d.o
don't share tarballs.) Did you have a chance to test this?
Bookworm is also still supported for one more month, but both seem
to use 4.4.6, so can you also prepare the same diff as 4.4.6-4+deb12u1
and also upload to security-master?
Cheers,
Moritz
Done. Yes. I tested both the fix and the override. But on bookworm only as that is what I have on my laptop. Done.
We believe that the bug you reported is fixed in the latest version of
nagios4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russell Stuart <russell-debian@stuart.id.au> (supplier of updated nagios4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 22 May 2026 20:45:00 +1000
Source: nagios4
Architecture: source
Version: 4.4.6-4.1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Russell Stuart <russell-debian@stuart.id.au>
Changed-By: Russell Stuart <russell-debian@stuart.id.au>
Closes: 1136340
Changes:
nagios4 (4.4.6-4.1+deb13u1) trixie-security; urgency=high
.
* CSRF Security Fix backported from upstream 4.5.12 commit
e5ed38e53a5d65721520c7c67be0746d63da28cb (cgi/cmd.c and
html/index.php.in). See
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
for the upstream disclosure. No CVE assigned.
Closes: #1136340.
* This can break third party integrations that POST to cmd.cgi
without first setting NagFormId (the CSRF check fails). Upstream
PR 1055 has been added as a workaround - see README.Debian.
Checksums-Sha1:
c1b0108e69cff0d74ec64af26cf84146f7b9fe86 2018 nagios4_4.4.6-4.1+deb13u1.dsc
d52e26d6a17ac70f01d87e9329b20436fff1f1a7 11333414 nagios4_4.4.6.orig.tar.gz
b48adcbd2f63d199eb03d769be2fcc76c520213b 1096708 nagios4_4.4.6-4.1+deb13u1.debian.tar.xz
5626a8986527b8e1d94a08a61987bee654b28911 10635 nagios4_4.4.6-4.1+deb13u1_amd64.buildinfo
Checksums-Sha256:
e9b37737e230d4d71f690f810240a7752de5eb66db7416222f34926160f6a3a1 2018 nagios4_4.4.6-4.1+deb13u1.dsc
ab0d5a52caf01e6f4dcd84252c4eb5df5a24f90bb7f951f03875eef54f5ab0f4 11333414 nagios4_4.4.6.orig.tar.gz
34bfaed31da2010210c6075b232451aa07458b6294fb905a079c5fa99fa5f7b6 1096708 nagios4_4.4.6-4.1+deb13u1.debian.tar.xz
edc077506bca75988db36833bd62e6d5c0f358a3b181fb2cf44b41a0dc2bac1d 10635 nagios4_4.4.6-4.1+deb13u1_amd64.buildinfo
Files:
e9d8e9afb09efd1116aa5a613ad07396 2018 net optional nagios4_4.4.6-4.1+deb13u1.dsc
ba849e9487e13859381eb117127bfee2 11333414 net optional nagios4_4.4.6.orig.tar.gz
1d767764d53785148606dd5681c2a373 1096708 net optional nagios4_4.4.6-4.1+deb13u1.debian.tar.xz
c6ce2ed927b777105d506936d316b690 10635 net optional nagios4_4.4.6-4.1+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZqiOeH6lCkTWvjmorNSfiF5UUm4FAmoVYEQACgkQrNSfiF5U
Um5zPRAAjNdjRjx+M27EQojMLBBsyoogUzIMH6qE/nfY63ytGbTjfgpPVFLLg5Cg
da2gB8j5glqGAy2s7y748VOxZ+LcY4es3TY/B/QGoXVLnMWhzx4LYvLFS0EBFHw4
cbeY0J7rVhp6tqdQakz6khjHlMamuz1d6pJJD8IHuWFuY8SLjRpWL/2s4TutvLun
S6Ig5mEnnmQLr7/4mwflEBZ1NaII0ULTMHTOQCV1nEPmljTffQ73vq1D5x9hCDTU
nlMrlpcmIQq3VnliEd3V17DsdJQGuWYtjZdlLxXaYHQFYMGUktUThW3vtCzQ54hl
TmP4RTlMJNQZAQAgETXLnnGuWpX8GpRHnvzqoUGyKzWZaG/n8syAnW6n2us4jzRf
PA68h2Q4ZN88WCvRsbnxiCKWBeMNbZ45zJ/gC4ue3tM9ywuuVTSLel4OaXFmxg8j
EVu3MB6Y8HOXneLiw6V1lfP0BVWgqKcWkalR63xtNYNMnmGDf3157qkEQc+x+6d3
vwLOQWeaKfqc1RmxeyT35yI17HsMgvClizGCajQRHHYh3meUPAUaAAK/IoXMDk6C
KhzRVaR5tVc2JwugPZGCRcnuskvMePuWTVwoTJeixv8kcEF1TW9UjU5yVr6EaIRZ
kCOINOMbHQUo7i9j8P8dVnXYsxA/U3xLR2i0H185xkESN88aSqI=
=iL4z
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
nagios4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russell Stuart <russell-debian@stuart.id.au> (supplier of updated nagios4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 22 May 2026 21:00:00 +1000
Source: nagios4
Architecture: source
Version: 4.4.6-4+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Russell Stuart <russell-debian@stuart.id.au>
Changed-By: Russell Stuart <russell-debian@stuart.id.au>
Closes: 1136340
Changes:
nagios4 (4.4.6-4+deb12u1) bookworm-security; urgency=high
.
* CSRF Security Fix backported from upstream 4.5.12 commit
e5ed38e53a5d65721520c7c67be0746d63da28cb (cgi/cmd.c and
html/index.php.in). See
https://www.nagios.com/security-disclosures/nagios-core/4-5-12/
for the upstream disclosure. No CVE assigned.
Closes: #1136340.
* This can break third party integrations that POST to cmd.cgi
without first setting NagFormId (the CSRF check fails). Upstream
PR 1055 has been added as a workaround - see README.Debian.
Checksums-Sha1:
5564b9896f087be1eabedaf15492a17ce925b500 2010 nagios4_4.4.6-4+deb12u1.dsc
d52e26d6a17ac70f01d87e9329b20436fff1f1a7 11333414 nagios4_4.4.6.orig.tar.gz
e151e480a654e4018a8ba87361d18811d9f98e5f 1096632 nagios4_4.4.6-4+deb12u1.debian.tar.xz
cfef5bfb261353ace6a9bcd0d830a597cafff506 11148 nagios4_4.4.6-4+deb12u1_amd64.buildinfo
Checksums-Sha256:
dce92264fe10671398116fca79bd1c7caf62a4f9afa1e9df7c8738d92507218e 2010 nagios4_4.4.6-4+deb12u1.dsc
ab0d5a52caf01e6f4dcd84252c4eb5df5a24f90bb7f951f03875eef54f5ab0f4 11333414 nagios4_4.4.6.orig.tar.gz
f195d76a7044a1d75a19eb24279eab543428f6e760c015573e27fb13fc079d1d 1096632 nagios4_4.4.6-4+deb12u1.debian.tar.xz
7fe8e196836c2465e84ab33b50f2e7dd623141740f8837228237d63a0d45724f 11148 nagios4_4.4.6-4+deb12u1_amd64.buildinfo
Files:
13fe88ad08520bfef307a9bd8bbfb855 2010 net optional nagios4_4.4.6-4+deb12u1.dsc
ba849e9487e13859381eb117127bfee2 11333414 net optional nagios4_4.4.6.orig.tar.gz
a9509b8b0b989a2ae5bbf8d5b0c3badf 1096632 net optional nagios4_4.4.6-4+deb12u1.debian.tar.xz
93e15cdeb0ec21ff558848fddb6538e9 11148 net optional nagios4_4.4.6-4+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=XrKS
-----END PGP SIGNATURE-----