Salvatore Bonaccorso wrote on Sunday, 03 March 2013:
> Control: tags -1 + patch
>
> Hi Alex
>
> On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> > On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> >
> > > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > > In the debian package we have explicitly --enable-command-args so the
> > > > Debian packages look affected.
> > >
> > > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > > added to the above.
> > Yeah we disable that feature by default and add some big warnings to the
> > documentation. Nobody ever thought that command-args via nrpe are secure.
>
> How about disallowing $() completely if command arguments in case are
> enabled? I tried to extract the relevant part, see attached debdiff.
> But it's not yet tested.

In fact it looks like the patch on my disk :). I am sorry for not handling
this earlier, but our new bathroom took my whole spare time in the last weeks.
It should be better this week.

Alex
--
Alexander Wirt, formo...@formorer.de
CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A