| Summary: | nrpe new security issues CVE-2020-6581 and CVE-2020-6582 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | nrpe-3.2.1-3.1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-04-14 22:39:13 CEST
David Walser
2020-04-14 22:39:33 CEST
Status comment: (none) => Fixed upstream in 4.0.0

References:
https://herolab.usd.de/security-advisories/usd-2020-0001/
https://github.com/NagiosEnterprises/nrpe/commit/b84f9b8c9d290dd02e139df8dad1c3eb690c1213
https://github.com/NagiosEnterprises/nrpe/commit/8e3bea4e1b1937e395a182729762aa8894e8649e
https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197

pushed on mageia 7 updates_testing: nrpe-3.2.1-3.2.mga7

Assignee: guillomovitch => qa-bugs

Advisory:
========================

Updated nrpe packages fix security vulnerabilities:

Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection (CVE-2020-6581).

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call (CVE-2020-6582).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6582
https://herolab.usd.de/security-advisories/usd-2020-0001/
https://herolab.usd.de/security-advisories/usd-2020-0002/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HL6LSLRKKPUIY2PIWFGZ7QMM7FKARMR/
========================

Updated packages in core/updates_testing:
========================
nrpe-3.2.1-3.2.mga7
nagios-check_nrpe-3.2.1-3.2.mga7

from nrpe-3.2.1-3.2.mga7.src.rpm

Status comment: Fixed upstream in 4.0.0 => (none)

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 13306 for testing

```
# systemctl -l status nrpe
● nrpe.service - Nagios Remote Plugin Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://www.nagios.org/documentation
[root@mach5 ~]# systemctl start nrpe
[root@mach5 ~]# systemctl -l status nrpe
● nrpe.service - Nagios Remote Plugin Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-05-29 15:36:52 CEST; 4s ago
     Docs: http://www.nagios.org/documentation
 Main PID: 14804 (nrpe)
    Tasks: 1 (limit: 4915)
   Memory: 576.0K
   CGroup: /system.slice/nrpe.service
           └─14804 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f

May 29 15:36:52 mach5.hviaene.thuis systemd[1]: Started Nagios Remote Plugin Executor.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Starting up daemon
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Server listening on 0.0.0.0 port 5666.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Server listening on :: port 5666.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Listening for connections on port 5666
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Allowing connections from: 127.0.0.1,::1
[root@mach5 ~]# netstat -pant | grep nrpe
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN      14804/nrpe
tcp6       0      0 :::5666                 :::*                    LISTEN      14804/nrpe
# /usr/lib64/nagios/plugins/check_nrpe -H localhost
NRPE v3.2.1
All OK.
```

CC: (none) => herman.viaene

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update

Nicolas Lécureuil
2020-06-10 23:36:11 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0247.html

Resolution: (none) => FIXED
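The nasty_metachars problem described in the advisory (Comment 2), illustrated with an added, constructed C example that is not NRPE's or Mageia's code: a filter that uses the configured string literally misses a real newline byte, while decoding the escape sequences first catches it. The function names unescape_metachars, contains_nasty and newline_rejected and the sample config and argument values are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration (not NRPE's or Mageia's code) of the filter bug
 * behind CVE-2020-6581: a config value such as nasty_metachars="|`&><;\r\n"
 * is used literally, so the bytes '\' and 'n' are filtered while an actual
 * newline byte passes. Decoding the escapes first restores the intent. */

/* Decode C-style escapes (\n \r \t \\) from `in` into `out`.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t unescape_metachars(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    for (; *in != '\0' && n + 1 < outlen; in++) {
        char c = *in;
        if (c == '\\' && in[1] != '\0') {
            in++;
            switch (*in) {
            case 'n': c = '\n'; break;
            case 'r': c = '\r'; break;
            case 't': c = '\t'; break;
            default:  c = *in;  break;  /* "\\" -> '\', unknown -> literal */
            }
        }
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* Return 1 if `arg` contains any byte listed in `metachars`, else 0. */
int contains_nasty(const char *arg, const char *metachars)
{
    return strpbrk(arg, metachars) != NULL;
}

/* Check a constructed argument holding a real newline against the raw
 * config string (use_decoded == 0) or the decoded one (use_decoded == 1). */
int newline_rejected(int use_decoded)
{
    const char *raw = "|`&><;\\r\\n";   /* as written in the config file */
    const char *arg = "ok\nbad";         /* constructed input with a newline */
    char decoded[32];
    if (!use_decoded)
        return contains_nasty(arg, raw);  /* 0: newline slips through */
    unescape_metachars(raw, decoded, sizeof decoded);
    return contains_nasty(arg, decoded); /* 1: newline is caught */
}
```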