Your message dated Sat, 09 Mar 2013 09:04:37 +0000
with message-id <e1uefhl-0000mn...@franck.debian.org>
and subject line Bug#701227: fixed in nagios-nrpe 2.13-3
has caused the Debian Bug report #701227,
regarding nagios-nrpe: CVE-2013-1362: allows the passing of $() as command
arguments to execute shell commands
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
701227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nagios-nrpe
Severity: grave
Tags: security
Hi
On the bugtraq mailing list it was reported publicly[1]. If support for
command arguments in the daemon is enabled then it would be possible
to pass $() and possibly execute shell commands when run under bash.
Upstream has released 2.14 containing a patch and disabling bash
command substitutions by default:
2.14 - 12/21/2012
-----------------
- Added configure option to allow bash command substitutions, disabled by
default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)
According to [1], there is CVE-2013-1362 assigned to it.
In the Debian package we have explicitly --enable-command-args, so the
Debian package looks affected.
[1]: http://seclists.org/bugtraq/2013/Feb/119
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nagios-nrpe
Source-Version: 2.13-3
We believe that the bug you reported is fixed in the latest version of
nagios-nrpe, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 701...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Wirt <formo...@debian.org> (supplier of updated nagios-nrpe package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 09 Mar 2013 08:42:05 +0100
Source: nagios-nrpe
Binary: nagios-nrpe-server nagios-nrpe-plugin
Architecture: source amd64
Version: 2.13-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-de...@lists.alioth.debian.org>
Changed-By: Alexander Wirt <formo...@debian.org>
Description:
nagios-nrpe-plugin - Nagios Remote Plugin Executor Plugin
nagios-nrpe-server - Nagios Remote Plugin Executor Server
Closes: 701227
Changes:
nagios-nrpe (2.13-3) unstable; urgency=high
.
* [e55afd1] Add 08_CVE-2013-1362.dpatch patch.
If command arguments are enabled in the NRPE configuration, it was
possible to pass $() as arguments as the checking for nasty characters
was not strict enough to catch $(). This allowed executing shell
commands under a subprocess and passing the output as a parameter to the
called script (if run under bash). CVE-2013-1362 (Closes: #701227)
Checksums-Sha1:
ce797b74315a839d047b9f14e92ec152c7e1664f 1356 nagios-nrpe_2.13-3.dsc
8af5274412281f9bc77c819c1cf8838351804c73 11115 nagios-nrpe_2.13-3.diff.gz
432c0ba3347aa7aa5e948e84310cfd58ef5380c0 41026 nagios-nrpe-server_2.13-3_amd64.deb
a07a26e80cb5bd7cd7404d580a3488c487116141 19692 nagios-nrpe-plugin_2.13-3_amd64.deb
Checksums-Sha256:
b7604c377e9042380be01316394696398a0860fc128d04532c313e3ef2d6a92c 1356 nagios-nrpe_2.13-3.dsc
b7bfc6b0d0894bf6660b91292adffc50e28724f905b0df1f59ac561a94a14e4f 11115 nagios-nrpe_2.13-3.diff.gz
501c8eb1c2d8703f49cb997b9eb585cd301d05b249cd288e7ef4919e01643865 41026 nagios-nrpe-server_2.13-3_amd64.deb
6622c8d1bbcb4e7daaedcb9cfd86dd32b69c6a8d046bbf05b34e2b61b1c5fb15 19692 nagios-nrpe-plugin_2.13-3_amd64.deb
Files:
e23df9385fd97d0150e1f7623928c697 1356 net optional nagios-nrpe_2.13-3.dsc
854eb80d419e8e51d0d7e0b4a14f7be4 11115 net optional nagios-nrpe_2.13-3.diff.gz
545cc2e0a1716e59711fb32f39b39772 41026 net optional nagios-nrpe-server_2.13-3_amd64.deb
768f4a3b8ebc00780ac8f37362ea963f 19692 net optional nagios-nrpe-plugin_2.13-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlE66yMACgkQ01u8mbx9AgqSTgCgw5DQjTUnaHd2tfAuAJWP71LV
fVcAoIX4bz0OgymTdVboLfc5s3gOp/Mb
=Rnqy
-----END PGP SIGNATURE-----
--- End Message ---
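Both Salvatore's report and the 2.13-3 changelog entry above describe the same defect: NRPE's "nasty character" filter on command arguments did not include the characters needed to stop $(...), so when the expanded command line reached a shell that happened to be bash, the substitution ran. The following is an added illustrative example and is not code from nagios-nrpe, from upstream's 2.14 fix or from the Debian patch. It places a weak blacklist of the kind the changelog describes next to a hardened blacklist and an allowlist, adds a small detection helper that a defender could run over logged argument values, and shows the $ARG1$/$ARG2$ expansion step at which a surviving argument would be handed to the shell. The character sets, the sample argument values and all function names are assumptions constructed for this example; only the $ARGn$ macro syntax is NRPE's own.

```python
"""Illustrative argument filtering for an NRPE-style command executor.

Constructed example for CVE-2013-1362. The metacharacter sets below are
assumptions for illustration and are NOT copied from nagios-nrpe's source.
"""
import re
from typing import List, Optional, Tuple

# Blacklist of the shape the bug describes as "not strict enough": it stops
# pipes, backticks, redirections, quotes and braces, but contains no '$',
# '(' or ')', so "$(...)" passes untouched.  (Assumed list, not NRPE's.)
WEAK_METACHARS = set("|`&><'\"\\[]{};")

# Hardened blacklist: '$', '(' and ')' plus line breaks are rejected too, so
# neither $(...) nor ${...} can reach the shell that later runs the plugin.
STRICT_METACHARS = WEAK_METACHARS | set("$()\r\n")

# Allowlist alternative: only the characters a plugin threshold or path
# legitimately needs.  Anything else is rejected without having to enumerate
# every piece of shell syntax.
ALLOWED_ARG = re.compile(r"[A-Za-z0-9_.,:/=%@+-]*")

# Constructed sample of argument values of the kind that could appear in an
# NRPE daemon's request log; none of this is real captured traffic.
SAMPLE_ARGS = ["10,8,5", "/var/log", "$(hostname)", "`hostname`", "${HOME}", "90"]


def weak_check(arg: str) -> bool:
    """True if arg passes the weak blacklist (the pre-fix behaviour)."""
    return not any(c in WEAK_METACHARS for c in arg)


def strict_check(arg: str) -> bool:
    """True if arg passes the hardened blacklist."""
    return not any(c in STRICT_METACHARS for c in arg)


def allowlist_check(arg: str) -> bool:
    """True if arg consists only of allowlisted characters."""
    return ALLOWED_ARG.fullmatch(arg) is not None


def substitution_reason(arg: str) -> Optional[str]:
    """Name the shell-expansion construct found in arg, or None.

    Usable as a detection rule over logged requests: a match means a client
    asked the monitored host's shell to expand something inside an argument.
    """
    if "$(" in arg:
        return "command substitution $(...)"
    if "`" in arg:
        return "backtick command substitution"
    if "${" in arg:
        return "parameter expansion ${...}"
    return None


def flag_requests(args: List[str]) -> List[Tuple[str, str]]:
    """Return (argument, reason) for every argument that carries shell syntax."""
    flagged = []
    for a in args:
        reason = substitution_reason(a)
        if reason is not None:
            flagged.append((a, reason))
    return flagged


def build_command_line(template: str, args: List[str]) -> str:
    """Expand $ARG1$, $ARG2$, ... in an NRPE-style command definition.

    This is the point where an unfiltered argument meets the shell: the
    expanded line is what the daemon hands to popen(3), i.e. to /bin/sh -c,
    and when /bin/sh is bash a surviving $(...) is evaluated there.
    """
    line = template
    for i, a in enumerate(args, start=1):
        line = line.replace(f"$ARG{i}$", a)
    return line


if __name__ == "__main__":
    tmpl = "/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$"
    for a in SAMPLE_ARGS:
        print(f"{a!r:16} weak={weak_check(a)!s:5} strict={strict_check(a)!s:5} "
              f"allow={allowlist_check(a)!s:5} reason={substitution_reason(a)}")
    print(build_command_line(tmpl, ["10,8,5", "20,15,10"]))
```

Running it shows the asymmetry the changelog describes: the backtick and ${...} forms are already stopped by the weak list, but "$(hostname)" passes it and would be substituted into the check_load command line unchanged, whereas both the hardened blacklist and the allowlist reject it. For a daemon that must accept client-supplied arguments at all, the allowlist is the more defensible choice, since it does not depend on anticipating every expansion syntax the target shell supports.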