Notifications of security fixes

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Notifications of security fixes

Post by hbouma »

Several companies I work with will email us when security vulnerabilities are patched in a new version.

Does Nagios have this for NCPA, Nagios XI or any of the other products?
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Notifications of security fixes

Post by dchurch »

If you sign up for the Nagios newsletter it says it contains security announcements.

Otherwise, our security disclosures are put on this page: https://www.nagios.com/products/security/

Every CVE we file goes into the NIST.gov database. They maintain data feeds that you can consume: https://nvd.nist.gov/vuln/data-feeds

(You may even set up a Nagios server to monitor https://www.nagios.com/products/security/ for changes.)
If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.

Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
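The suggestion above, to have a Nagios server watch the security page for changes, can be done with a small check plugin. The script below is an added illustration and not code from Nagios or from the poster: it fingerprints the page body, compares it with the hash stored on the previous run, and returns the standard plugin exit codes (0 OK, 1 WARNING, 3 UNKNOWN). The state-file location and the choice to raise WARNING once and then re-baseline are assumptions.

```python
"""check_security_page.py: Nagios-style check that alerts when a web page changes."""
import hashlib
import sys
import urllib.request
from pathlib import Path

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

SECURITY_PAGE = "https://www.nagios.com/products/security/"
# Assumed state location: must be writable by the user the check runs as.
STATE_FILE = Path("/var/tmp/check_security_page.sha256")


def fingerprint(content: bytes) -> str:
    """Hash the page body so any edit (new advisory, changed entry) is noticed."""
    return hashlib.sha256(content).hexdigest()


def evaluate(content: bytes, state_file: Path) -> tuple[int, str]:
    """Compare the current fingerprint with the one recorded on the last run.

    First run: store the baseline and report OK.
    Changed:   report WARNING so an operator reviews the page, then store the
               new hash so the next run returns to OK (alert once, re-baseline).
    """
    current = fingerprint(content)
    previous = state_file.read_text().strip() if state_file.exists() else None
    state_file.write_text(current + "\n")
    if previous is None:
        return OK, f"OK - baseline recorded ({current[:12]})"
    if previous != current:
        return WARNING, (f"WARNING - security page changed since last check "
                         f"({previous[:12]} -> {current[:12]})")
    return OK, f"OK - no change since last check ({current[:12]})"


def main() -> int:
    try:
        with urllib.request.urlopen(SECURITY_PAGE, timeout=15) as resp:
            body = resp.read()
    except Exception as exc:
        # Fetch failures are UNKNOWN, not a page change, so they are not confused with a new advisory.
        print(f"UNKNOWN - could not fetch {SECURITY_PAGE}: {exc}")
        return UNKNOWN
    code, message = evaluate(body, STATE_FILE)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Define it as a command in Nagios and schedule it like any other check; the WARNING is the notification, and the page itself tells you what changed.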
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Notifications of security fixes

Post by hbouma »

I noticed this security page does not list anything about the NCPA agent or Nagios Fusion. How would we find out information about either of these?
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Notifications of security fixes

Post by dchurch »

If there were any, they'd show up there.

There are CVEs for Fusion that we'll link to for next release, but they're not public yet.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Notifications of security fixes

Post by hbouma »

So, I see an NCPA agent fix was released yesterday, including a CVE fix. However, it isn't on https://www.nagios.com/products/security/.

Do you happen to know why this would not be listed?

My upper management is on me at this time about making sure we keep the products up to date because of the recent hacks in the news, so a lack of notifications about this type of fix is really not great at this time.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Notifications of security fixes

Post by dchurch »

The reason that CVE-2019-8331 wasn't disclosed on https://www.nagios.com/products/security/ is that that page is only for CVEs in Nagios products. That CVE is in the Twitter Bootstrap JavaScript library.

If we had discovered that an attacker could exploit this XSS hole by specially crafting a POST or a URL to one of our products, I'm sure we'd have filed a separate CVE for it. We didn't end up doing that, probably because the XSS hole wasn't exploitable, or we sanitize the data before sending it to JavaScript, or we don't call that particular vulnerable piece of code.

As far as vulnerabilities go, XSS is usually a pretty minor one. Chrome actually detects and blocks XSS attempts by stopping JavaScript from running if it sees it in the request body. Nagios XI already protects against outside XSS attacks coming in by requiring CSRF tokens when interacting with the Nagios XI web interface.