CVE-2017-16882

Name: CVE-2017-16882

Description: Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312. This also affects bin/icingastats, bin/ido2db, and bin/log2ido.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| icinga (PTS) | jessie | 1.11.6-1 | fixed |
| icinga | stretch | 1.13.4-2 | fixed |
| icinga | buster | 1.14.2+ds-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| icinga | source | (unstable) | (not affected) | | | |

Notes

- icinga <not-affected> (Doesn't affect Icinga 1.x as packaged in Debian)
https://github.com/Icinga/icinga-core/issues/1601
State is not fully correct, since "affected" source would be there,
but Debian does not install the binaries nor configuration files as
the respective icinga user.
