[Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
carnil at debian.org
Sat Feb 23 07:33:20 UTC 2013
On the bugtraq mailing list it was reported publicly. If support for
command arguments in the daemon is enabled then it would be possible
to pass $() and possibly execute shell commands when run under bash.
Upstream has released 2.14 containing a patch and disabling bash
command substitutions by default:
2.14 - 12/21/2012
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)
According to , there is CVE-2013-1362 assigned to it.
In the Debian package we have explicitly --enable-command-args so the
Debian packages look affected.