[Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 23 07:33:20 UTC 2013
Package: nagios-nrpe
Severity: grave
Tags: security
Hi
On the bugtraq mailing list it was reported publicly[1]. If support for
command arguments in the daemon is enabled, then it would be possible
to pass $() and possibly execute shell commands when run under bash.
Upstream has released 2.14 containing a patch and disabling bash
command substitutions by default:
2.14 - 12/21/2012
-----------------
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)
According to [1], there is CVE-2013-1362 assigned to it.
In the Debian package we explicitly have --enable-command-args, so the
Debian packages look affected.
[1]: http://seclists.org/bugtraq/2013/Feb/119
Regards,
Salvatore
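
Added example, not part of the original message or of NRPE itself: a small audit of an nrpe.cfg for the exposure described above. The directive names dont_blame_nrpe and allow_bash_command_substitution are NRPE's runtime settings and do not appear in the message; the sample configuration is constructed.

```python
import re

# Constructed sample nrpe.cfg (not taken from any real host).
SAMPLE_CFG = """\
# sample
dont_blame_nrpe=1
allow_bash_command_substitution=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND_KEY = re.compile(r"^command\[([^\]]+)\]$")

def parse_cfg(text):
    """Return (settings, commands) from nrpe.cfg text; the last assignment wins."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = COMMAND_KEY.match(key)
        if m:
            commands[m.group(1)] = value
        else:
            settings[key] = value
    return settings, commands

def audit(text):
    """List findings relevant to client-supplied command arguments."""
    settings, commands = parse_cfg(text)
    # Assumption: a missing directive is treated as disabled ("0").
    if settings.get("dont_blame_nrpe", "0") != "1":
        return []
    findings = ["command arguments accepted from clients (dont_blame_nrpe=1)"]
    if settings.get("allow_bash_command_substitution", "0") == "1":
        findings.append("bash command substitution allowed "
                        "(allow_bash_command_substitution=1)")
    for name in sorted(n for n, c in commands.items() if ARG_MACRO.search(c)):
        findings.append(f"command[{name}] passes client-supplied $ARGn$ to the shell")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

The script reads only the text it is given and does not follow include directives. On builds older than 2.14 the substitution directive does not exist, so a dont_blame_nrpe=1 finding on a daemon built with --enable-command-args already means the host is exposed.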