[Pkg-nagios-devel] Bug#701227: Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
formorer at debian.org
Sat Feb 23 12:19:14 UTC 2013
On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > In the debian package we have explicitly --enable-command-args so the
> > Debian packages looks affected.
> But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> added to the above.
Yeah we disable that feature by default and add some big warnings to the
documentation. Nobody ever thought that command-args via nrpe are secure.
More information about the Pkg-nagios-devel