
Nagios Core/Plugins/NRPE security vulnerabilities

Posted: Mon Dec 07, 2015 10:42 am
by mperazolo
Hello. My team has been using Nagios open source solutions for a few months and now we'd like to put in place a process to refresh versions and make sure we don't have any security exposures in our systems.
Apologies if this has been asked in the past - I tried to do a quick search thru this forum and haven't seen much about this subject discussed recently.

My question is if the open source solutions from Nagios - namely the ones we're using - Nagios Core, Plugins and NRPE - have some sort of control and a process in place for the community to detect and fix security exposures in its code. I do understand there are many dependencies on other open source packages, but I assume these are tracked in the dependent packages/communities themselves. But what about things that might impact the Nagios code itself? Is there someone that makes sure CVEs are published for it?

I did find these in the CVE database:
https://www.cvedetails.com/vulnerabilit ... agios.html

However, the last entry there is about 1 year old. So, my question is - is this something that is re-evaluated frequently by the Nagios Core/Plugins/NRPE contributors, and is that list of CVEs up to date?

I'd appreciate any insight into this question. Thanks.

Re: Nagios Core/Plugins/NRPE security vulnerabilities

Posted: Mon Dec 07, 2015 2:55 pm
by tmcdonald
Being an open-source project we accept contributions from the community, and our open-source code is hosted on GitHub:

https://github.com/NagiosEnterprises

However we don't typically patrol the CVEs or mailing lists. When things are brought to our attention I am usually the one who takes a first look before passing it off to the correct developer, making sure the vuln has been reported.

Re: Nagios Core/Plugins/NRPE security vulnerabilities

Posted: Tue Dec 08, 2015 9:31 am
by mperazolo
tmcdonald wrote: When things are brought to our attention
Thanks for the reply. If we see a vulnerability (not yet handled) that we think might impact Core, and it's not something simple that we can fix or suggest the fix ourselves, what's the best way to bring it to the community's attention? Posting to this forum?

Re: Nagios Core/Plugins/NRPE security vulnerabilities

Posted: Tue Dec 08, 2015 10:20 am
by hsmith
If you think you see something, we would really prefer if it's posted on GitHub as an issue. If it's not getting any attention there, post here. If it's posted on GitHub, the developers are more likely to see it than on the forums.