OpenSuSE has issued an advisory today (May 2):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html

Mageia 3 and Mageia 4 are also affected.
CC: (none) => guillomovitch, luis.daniel.lucio
Whiteboard: (none) => MGA4TOO, MGA3TOO
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note that I used the patch indicated in the Novell bug that mitigates the issue:
https://bugzilla.novell.com/show_bug.cgi?id=874743
not the one used in the OpenSuSE updates that just documents the issue. NRPE 2.16 will probably follow the documentation approach, it sounds like.

Advisory:
========================

Updated nrpe packages fix security vulnerability:

A remote, command execution flaw was discovered in Nagios NRPE when command arguments are enabled. A remote attacker could use this flaw to execute arbitrary commands (CVE-2014-2913).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
========================

Updated packages in core/updates_testing:
========================
nrpe-2.14-1.2.mga3
nagios-check_nrpe-2.14-1.2.mga3
nrpe-2.15-2.1.mga4
nagios-check_nrpe-2.15-2.1.mga4

from SRPMS:
nrpe-2.14-1.2.mga3.src.rpm
nrpe-2.15-2.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing complete mga4 64

Some testing info in bug 9615 comment 6

# service nrpe start
Redirecting to /bin/systemctl start nrpe.service

# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
nrpe.service - Nagios Remote Plugin Execution daemon
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled)
   Active: active (running) since Tue 2014-05-13 17:37:04 BST; 28s ago
  Process: 11914 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d (code=exited, status=0/SUCCESS)
 Main PID: 11915 (nrpe)
   CGroup: /system.slice/nrpe.service
           └─11915 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

nrpe[11915]: Starting up daemon
nrpe[11915]: Server listening on 0.0.0.0 port 5666.
nrpe[11915]: Server listening on :: port 5666.
nrpe[11915]: Listening for connections on port 0
nrpe[11915]: Allowing connections from: 127.0.0.1
systemd[1]: Started Nagios Remote Plugin Execution daemon.

# netstat -pant | grep nrpe
tcp        0      0 0.0.0.0:5666      0.0.0.0:*      LISTEN      11915/nrpe
tcp        0      0 :::5666           :::*           LISTEN      11915/nrpe

# /usr/lib64/nagios/plugins/check_nrpe -H localhost
NRPE v2.15
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4-32

# service nrpe start
Redirecting to /bin/systemctl start nrpe.service

# service nrpe status
Redirecting to /bin/systemctl status nrpe.service
nrpe.service - Nagios Remote Plugin Execution daemon
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; enabled)
   Active: active (running) since Tue 2014-05-13 18:43:32 MDT; 50s ago
  Process: 5977 ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d (code=exited, status=0/SUCCESS)
 Main PID: 5978 (nrpe)
   CGroup: /system.slice/nrpe.service
           └─5978 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

nrpe[5978]: Starting up daemon
nrpe[5978]: Server listening on 0.0.0.0 port 5666.
nrpe[5978]: Server listening on :: port 5666.
nrpe[5978]: Listening for connections on port 0
nrpe[5978]: Allowing connections from: 127.0.0.1
systemd[1]: Started Nagios Remote Plugin Execution daemon.
systemd[1]: Started Nagios Remote Plugin Execution daemon.

# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.15

# uname -a
Linux localhost 3.12.18-server-1.mga4 #1 SMP Thu Apr 24 13:47:31 UTC 2014 i686 i686 i686 GNU/Linux
CC: (none) => dpremy
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0217.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
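
The advisory above applies only "when command arguments are enabled", so a host's exposure can be checked from its nrpe.cfg. The following is an added example, not part of the bug thread or of the Mageia or NRPE projects' code: it reports that setting, the allowed hosts, and which command definitions expand client-supplied arguments. Assumptions: audit_nrpe_cfg is a hypothetical helper name, the two sample configs are constructed, and dont_blame_nrpe and allowed_hosts are standard nrpe.cfg directives that the thread itself does not name.

```shell
#!/bin/sh
# Added example: report whether an nrpe.cfg enables client-supplied command
# arguments, the precondition named in the CVE-2014-2913 advisory text.

audit_nrpe_cfg() {
    cfg=$1
    # Last uncommented dont_blame_nrpe value wins; NRPE's default is 0.
    # (The setting only takes effect if nrpe was built with --enable-command-args.)
    args=$(sed -n 's/^[[:space:]]*dont_blame_nrpe[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$cfg" | tail -n 1)
    args=${args:-0}
    hosts=$(sed -n 's/^[[:space:]]*allowed_hosts[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    echo "dont_blame_nrpe=$args"
    echo "allowed_hosts=${hosts:-unset}"
    # Command definitions that expand $ARGn$ macros sent by the client.
    sed -nE 's/^[[:space:]]*command\[([^]]+)\]=.*\$ARG[0-9]+\$.*/takes_args=\1/p' "$cfg"
    if [ "$args" = "1" ]; then
        echo "RESULT=command_args_enabled"
        return 1
    fi
    echo "RESULT=command_args_disabled"
    return 0
}

# Constructed sample configs, not taken from the bug report.
tmp=$(mktemp -d)
cat > "$tmp/risky.cfg" <<'EOF'
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
EOF
cat > "$tmp/safe.cfg" <<'EOF'
allowed_hosts=127.0.0.1
#dont_blame_nrpe=1
dont_blame_nrpe=0
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
EOF

for f in "$tmp/risky.cfg" "$tmp/safe.cfg"; do
    echo "== $f"
    audit_nrpe_cfg "$f" || true
done
rm -rf "$tmp"
```

On a real host the function would be pointed at /etc/nagios/nrpe.cfg, the path shown in the service status output in the test comments.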