Fedora has issued an advisory on April 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HL6LSLRKKPUIY2PIWFGZ7QMM7FKARMR/

The issues are fixed upstream in 4.0.0.
Status comment: (none) => Fixed upstream in 4.0.0
References:
https://herolab.usd.de/security-advisories/usd-2020-0001/
https://github.com/NagiosEnterprises/nrpe/commit/b84f9b8c9d290dd02e139df8dad1c3eb690c1213
https://github.com/NagiosEnterprises/nrpe/commit/8e3bea4e1b1937e395a182729762aa8894e8649e
https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197

pushed on mageia 7 updates_testing:
nrpe-3.2.1-3.2.mga7
Assignee: guillomovitch => qa-bugs
CC: (none) => mageia
Advisory:
========================

Updated nrpe packages fix security vulnerabilities:

Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection (CVE-2020-6581).

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call (CVE-2020-6582).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6582
https://herolab.usd.de/security-advisories/usd-2020-0001/
https://herolab.usd.de/security-advisories/usd-2020-0002/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HL6LSLRKKPUIY2PIWFGZ7QMM7FKARMR/
========================

Updated packages in core/updates_testing:
========================
nrpe-3.2.1-3.2.mga7
nagios-check_nrpe-3.2.1-3.2.mga7

from nrpe-3.2.1-3.2.mga7.src.rpm
Status comment: Fixed upstream in 4.0.0 => (none)
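The filtering gap described in the advisory for CVE-2020-6581, as an added example (a simplified model, not NRPE's source and not part of the original thread). RAW_LIST, the function names and the sample arguments are constructed for illustration; it assumes the metachar list arrives as raw text from a configuration file.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the metachar list as raw config text, so "\n" is
 * two bytes here (a backslash and the letter n), not a newline. */
static const char RAW_LIST[] = "|`&><'\\\\[]{};\\r\\n";

/* Filter as the advisory describes it: the raw list is matched directly,
 * so the newline byte 0x0A is never in the reject set. */
int contains_nasty_raw(const char *arg) {
    return strpbrk(arg, RAW_LIST) != NULL;
}

/* Hypothetical helper: decode \n, \r, \t and \\ into the bytes they name. */
size_t unescape_metachars(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return 0;
    while (*in && o + 1 < outlen) {
        char c = *in++;
        if (c == '\\' && *in) {
            char e = *in++;
            switch (e) {
            case 'n': c = '\n'; break;
            case 'r': c = '\r'; break;
            case 't': c = '\t'; break;
            default:  c = e;    break;  /* "\\" and unknown escapes: keep the char */
            }
        }
        out[o++] = c;
    }
    out[o] = '\0';
    return o;
}

/* Hardened form: decode the list first, then match against it. */
int contains_nasty_decoded(const char *arg) {
    char list[64];
    unescape_metachars(RAW_LIST, list, sizeof list);
    return strpbrk(arg, list) != NULL;
}

int main(void) {
    const char *nl = "-w 5\n-c 10";  /* constructed argument with a real newline */
    printf("raw list:     newline=%d  \"nagios\"=%d\n",
           contains_nasty_raw(nl), contains_nasty_raw("nagios"));
    printf("decoded list: newline=%d  \"nagios\"=%d\n",
           contains_nasty_decoded(nl), contains_nasty_decoded("nagios"));
    return 0;
}
```

With the raw list the newline passes while a harmless argument containing the letter n is rejected; decoding the list first reverses both results.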
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 13306 for testing

# systemctl -l status nrpe
● nrpe.service - Nagios Remote Plugin Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://www.nagios.org/documentation
[root@mach5 ~]# systemctl start nrpe
[root@mach5 ~]# systemctl -l status nrpe
● nrpe.service - Nagios Remote Plugin Executor
   Loaded: loaded (/usr/lib/systemd/system/nrpe.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-05-29 15:36:52 CEST; 4s ago
     Docs: http://www.nagios.org/documentation
 Main PID: 14804 (nrpe)
    Tasks: 1 (limit: 4915)
   Memory: 576.0K
   CGroup: /system.slice/nrpe.service
           └─14804 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f

May 29 15:36:52 mach5.hviaene.thuis systemd[1]: Started Nagios Remote Plugin Executor.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Starting up daemon
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Server listening on 0.0.0.0 port 5666.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Server listening on :: port 5666.
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Listening for connections on port 5666
May 29 15:36:52 mach5.hviaene.thuis nrpe[14804]: Allowing connections from: 127.0.0.1,::1
[root@mach5 ~]# netstat -pant | grep nrpe
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 14804/nrpe
tcp6 0 0 :::5666 :::* LISTEN 14804/nrpe

# /usr/lib64/nagios/plugins/check_nrpe -H localhost
NRPE v3.2.1

All OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0247.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED