Nagios Support Forum

Hi Team,

We are informed about security vulnerabilities related to mysql and httpd on Nagios XI system . So just wanted to find out if we can upgrade manually mysql & httpd or does this affect preinstalled mysql/httpd that comes bundled and break Nagios XI ?

Also what version of mysql & httpd gets deployed as part of latest XI available incase i upgrade the platform ? Is this published anywhere in version log or something ?

--Vamsi

The versions of the packages are determined by the versions distributed with the version of the OS.

For Oracle Linux 8 and if i get xi-2026R1.3 ?

I don't know what you're asking.
The nagios website has a list of supported linux distros and versions.

Im not new to Nagios and i have gone through website and also changelog https://www.nagios.com/changelog/nagios-xi/ and i couldnt find what im looking for.

Basically what im asking is

1.what versions of mysql and httpd/openssl gets deployed as part of latest Nagios XI ?
2.if we upgrade mysql/openssl directly will it impact or break due to any compatibility ?

I need this info to identify how to handle security vulnerabilities detected with some of these versions.

You have it backwards. Nagios doesn't determine the version of software packages, the OS distro and version does.
I'm not sure why this is confusing.
If you have issues with security problems talk to Oracle.

Are you from Nagios Support Team or Individual Forum Contributor ?

You mean to say : mysqld and httpd/openssl are not packaged in Nagios XI installer and they are dependent on OS Distro ?

Is easy to blame each other . If i contact Oracle they point to Nagios and Nagios is asking goto Oracle

In Nagios XI, MySQL, httpd, and OpenSSL are not bundled or version-controlled by Nagios itself—they come from the underlying OS (e.g., Oracle Linux). So the versions depend entirely on your OS repositories, not the XI release.

You can update them via the OS, but major version upgrades (not patches) may break compatibility. Safe approach: apply OS security updates only, avoid manual major upgrades unless tested.

Perfect. Thanks alot for clear message and exactly the info im looking for.

I will check with my Patching Team and check on next steps.

Also, in many cases, Red Hat backports security patches to packages to support older OS packages, though I'm not sure what Oracle does there. This issue frequently comes up. Part of the problem is that the security tool only reports a vulnerability based on the package version, and not whether the actual package on the system has received a backported patch or not.