Security Information

2013-07-11: Update check security bug

Nagstamon versions prior to 0.9.10 contain a grave security hole.

The automatic request to http://nagstamon.sourceforge.net/latest_version_ to get update information contained the username and password of one of your monitor servers. Yes, username and password, merely base64-encoded and therefore effectively plain text, in the HTTP Basic Auth header.

This is fixed now and the update information is retrieved via HTTPS from https://nagstamon.ifw-dresden.de/files-nagstamon/latest_version_ without any user credentials.

The bug can be fixed by installing version 0.9.10 or avoided by disabling automatic update checks. As an additional measure, the formerly used password should be changed.
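To decide which passwords need changing, outbound requests captured at a proxy or in a packet trace can be checked for Basic Auth headers sent to the old update host. The following is an added example, not code from Nagstamon; the sample requests, account names and the host `monitor.example.org` are constructed, and the function names are hypothetical.

```python
import base64
import binascii

UPDATE_HOST = "nagstamon.sourceforge.net"  # old update-check host named in the advisory

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample requests (not real captures); accounts and passwords are made up.
SAMPLE_REQUESTS = [
    "GET /latest_version_ HTTP/1.1\r\nHost: nagstamon.sourceforge.net\r\n"
    "Authorization: Basic " + _b64("nagiosadmin:made-up-pw") + "\r\n\r\n",
    "GET /nagios/cgi-bin/status.cgi HTTP/1.1\r\nHost: monitor.example.org\r\n"
    "Authorization: Basic " + _b64("nagiosadmin:made-up-pw") + "\r\n\r\n",
    "GET /latest_version_ HTTP/1.1\r\nHost: NAGSTAMON.sourceforge.net:80\r\n"
    "authorization: basic " + _b64("monitor2:other-pw") + "\r\n\r\n",
    "GET /latest_version_ HTTP/1.1\r\nHost: nagstamon.sourceforge.net\r\n"
    "Authorization: Basic !!!not-base64!!!\r\n\r\n",
    "GET /latest_version_ HTTP/1.1\r\nHost: nagstamon.sourceforge.net\r\n\r\n",
]

def parse_headers(raw):
    """Header fields of one raw HTTP request as a dict with lowercase names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip the request line
    pairs = (line.partition(":") for line in lines)
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def basic_auth_user(value):
    """Username from an Authorization value, or None if it is not valid Basic auth."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def exposed_users(requests, update_host=UPDATE_HOST):
    """Sorted usernames whose Basic credentials were sent to update_host."""
    users = set()
    for headers in map(parse_headers, requests):
        host = headers.get("host", "").split(":")[0].lower()  # drop port, ignore case
        user = basic_auth_user(headers.get("authorization", ""))
        if host == update_host.lower() and user is not None:
            users.add(user)
    return sorted(users)
```

Calling `exposed_users(SAMPLE_REQUESTS)` returns only the account names, never the decoded passwords, so the result can be passed on as a rotation list.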

We are sorry for any trouble this bug might cause.