Bug 26482 - nrpe new security issues CVE-2020-6581 and CVE-2020-6582
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-14 22:39 CEST by David Walser
Modified: 2020-06-11 00:27 CEST

See Also:
Source RPM: nrpe-3.2.1-3.1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-04-14 22:39:13 CEST
Fedora has issued an advisory on April 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HL6LSLRKKPUIY2PIWFGZ7QMM7FKARMR/

The issues are fixed upstream in 4.0.0.
David Walser 2020-04-14 22:39:33 CEST

Status comment: (none) => Fixed upstream in 4.0.0

Comment 2 David Walser 2020-05-29 02:58:04 CEST
Advisory:
========================

Updated nrpe packages fix security vulnerabilities:

Nagios NRPE 3.2.1 has Insufficient Filtering because, for example,
nasty_metachars interprets \n as the character \ and the character n (not as
the \n newline sequence). This can cause command injection (CVE-2020-6581).

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by
interpretation of a small negative number as a large positive number during a
bzero call (CVE-2020-6582).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6582
https://herolab.usd.de/security-advisories/usd-2020-0001/
https://herolab.usd.de/security-advisories/usd-2020-0002/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HL6LSLRKKPUIY2PIWFGZ7QMM7FKARMR/
========================

Updated packages in core/updates_testing:
========================
nrpe-3.2.1-3.2.mga7
nagios-check_nrpe-3.2.1-3.2.mga7

from nrpe-3.2.1-3.2.mga7.src.rpm

Status comment: Fixed upstream in 4.0.0 => (none)
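
Added example (not code from this report or from the NRPE project): the metacharacter filter described in the Comment 2 advisory for CVE-2020-6581, once with a configured nasty_metachars value used byte-for-byte and once with its escape sequences expanded first. The function names, the sample setting and the unescape step are assumptions made for illustration; this is not the upstream 4.0.0 patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a nasty_metachars value as read from a config file,
 * where "\r" and "\n" arrive as backslash+letter, not as CR and LF. */
static const char CFG_SAMPLE[] = "|`&;\\r\\n";

/* Expand \n \r \t \\ in a config value; out needs strlen(in)+1 bytes. */
static void unescape_cfg(const char *in, char *out)
{
    while (*in) {
        char c = *in++;
        if (c == '\\' && *in != '\0') {
            switch (*in) {
            case 'n':  c = '\n'; in++; break;
            case 'r':  c = '\r'; in++; break;
            case 't':  c = '\t'; in++; break;
            case '\\': in++; break;
            default:   break;   /* unknown escape: keep the backslash */
            }
        }
        *out++ = c;
    }
    *out = '\0';
}

/* Returns 1 when arg is rejected. Uses the setting byte-for-byte, so a real
 * newline in arg is not matched (the behaviour the advisory describes). */
int rejects_raw(const char *cfg, const char *arg)
{
    return strpbrk(arg, cfg) != NULL;
}

/* Returns 1 when arg is rejected, after expanding escapes in the setting. */
int rejects_unescaped(const char *cfg, const char *arg)
{
    char set[256];
    if (strlen(cfg) >= sizeof set)
        return 1;               /* fail closed on an oversized setting */
    unescape_cfg(cfg, set);
    return strpbrk(arg, set) != NULL;
}

int main(void)
{
    printf("raw=%d unescaped=%d\n", rejects_raw(CFG_SAMPLE, "a\nb"),
           rejects_unescaped(CFG_SAMPLE, "a\nb"));
    return 0;
}
```

With the byte-for-byte set, the letters r and n themselves count as metacharacters, so harmless arguments containing them are rejected while a real line break is not.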

Comment 3 Herman Viaene 2020-05-29 15:42:40 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 13306 for testing
# systemctl -l status nrpe
● nrpe.service - Nagios Remote Plugin Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://www.nagios.org/documentation
[root@mach5 ~]# systemctl  start nrpe
[root@mach5 ~]# systemctl -l status nrpe
● nrpe.service - Nagios Remote Plugin Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-05-29 15:36:52 CEST; 4s ago
     Docs: http://www.nagios.org/documentation
 Main PID: 14804 (nrpe)
    Tasks: 1 (limit: 4915)
   Memory: 576.0K
   CGroup: /system.slice/nrpe.service
           └─14804 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f

May 29 15:36:52 mach5.hviaene.thuis systemd[1]: Started Nagios Remote Plugin Executor.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Starting up daemon
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Server listening on 0.0.0.0 port 5666.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Server listening on :: port 5666.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Listening for connections on port 5666
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Allowing connections from: 127.0.0.1,::1
[root@mach5 ~]# netstat -pant | grep nrpe
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN      14804/nrpe          
tcp6       0      0 :::5666                 :::*                    LISTEN      14804/nrpe          
# /usr/lib64/nagios/plugins/check_nrpe -H localhost
NRPE v3.2.1
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-05-30 15:35:31 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-10 23:36:11 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-06-11 00:27:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0247.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

