Your message dated Tue, 15 Jul 2014 16:49:21 +0000
with message-id <[email protected]>
and subject line Bug#745272: fixed in nagios-nrpe 2.15-1
has caused the Debian Bug report #745272,
regarding nagios-nrpe: CVE-2014-2913: Remote command execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
745272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios-nrpe-server
Severity: critical
Tags: security
NRPE fails to check input when a newline character is issued.
A PoC has been released and works on Debian 7; no CVE assigned yet.
http://seclists.org/fulldisclosure/2014/Apr/240
http://seclists.org/oss-sec/2014/q2/136
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nagios-nrpe-server depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-38+deb7u1
ii libssl1.0.0 1.0.1e-2+deb7u4
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian8+deb7u1
Versions of packages nagios-nrpe-server recommends:
ii nagios-plugins 1.4.16-1
ii nagios-plugins-basic 1.4.16-1
nagios-nrpe-server suggests no packages.
--- End Message ---
--- Begin Message ---
Source: nagios-nrpe
Source-Version: 2.15-1
We believe that the bug you reported is fixed in the latest version of
nagios-nrpe, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Wirt <[email protected]> (supplier of updated nagios-nrpe package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 15 Jul 2014 18:30:36 +0200
Source: nagios-nrpe
Binary: nagios-nrpe-server nagios-nrpe-plugin
Architecture: source amd64
Version: 2.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <[email protected]>
Changed-By: Alexander Wirt <[email protected]>
Description:
nagios-nrpe-plugin - Nagios Remote Plugin Executor Plugin
nagios-nrpe-server - Nagios Remote Plugin Executor Server
Closes: 679241 719636 745272 752243
Changes:
nagios-nrpe (2.15-1) unstable; urgency=high
.
* [f2cea9f] Imported Upstream version 2.15
* [023e909] Disable command-args in nrpe. (Closes: #745272)
* [6369220] Use restorecon to set SE Linux context on $PIDDIR
(Closes: #679241)
* [a484e7d] Switch order of nagios-plugins recommends to prefer -basic.
(Closes: #752243)
* [b1ef043] Don't recommend a core implementation for the plugin
* [16dbf01] Remove obsolete patch
* [694b804] Remove luk from uploaders. (Closes: #719636)
* [28d9004] Remove obsolete patch
* [86ea67e] 08_CVE-2013-1362.dpatch is now obsolete
* [74e3b07] Refresh patches
* [1258ab2] Reword NEWS entry
* [744eec6] configure is buggy: --disable- in fact enables a feature.
* [eec54b6] Adjust README.Debian for the removal of argument processing
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---