Bug 1089880

Summary: CVE-2014-2913 nrpe: remote command execution when command arguments are enabled [epel-all]
Product: [Fedora] Fedora EPEL
Reporter: Murray McAllister <mmcallis>
Component: nrpe
Assignee: Sam Kottler <s>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: el6
CC: jose.p.oliveira.oss, ondrejj, s, swilkerson, tmz, vdanen
Target Milestone: ---
Keywords: Reopened, Security, SecurityTracking
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 2.15-7.fc23 nrpe-2.15-7.el5 nrpe-2.15-7.el6 nrpe-2.15-7.el7
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-08 03:53:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1089878
Attachments:
  Patch for EL5 (Flags: none)

Description Murray McAllister 2014-04-22 06:47:07 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s).  This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Comment 1 Murray McAllister 2014-04-22 06:47:17 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1089878,1089880

Comment 2 Fedora Update System 2014-05-01 01:34:31 UTC
nrpe-2.15-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/nrpe-2.15-2.el6

Comment 3 Fedora Update System 2014-05-01 18:29:39 UTC
Package nrpe-2.15-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing nrpe-2.15-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1292/nrpe-2.15-2.el6
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-05-16 03:02:44 UTC
nrpe-2.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Todd Zullinger 2015-08-23 02:05:11 UTC
EPEL-5 remains vulnerable to this issue.  No errata has been issued for EPEL-5, AFAIK.  Exploits have been seen in the wild as well.

Comment 6 Todd Zullinger 2015-08-23 02:17:52 UTC
Created attachment 1065975 [details]
Patch for EL5

This should apply cleanly to the el5 branch in git.  I have not built this package, as I updated my few EL5 systems to 2.15-2 when I was hit by this vulnerability last year.

Comment 7 Fedora Update System 2015-09-04 21:45:55 UTC
nrpe-2.15-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7940

Comment 8 Fedora Update System 2015-09-06 17:50:39 UTC
nrpe-2.15-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7940

Comment 9 Fedora Update System 2015-09-06 17:51:57 UTC
nrpe-2.15-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7939

Comment 10 Fedora Update System 2015-09-06 18:52:22 UTC
nrpe-2.15-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15122

Comment 11 Fedora Update System 2015-09-06 21:19:20 UTC
nrpe-2.15-6.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15123

Comment 12 Fedora Update System 2015-09-06 21:57:12 UTC
nrpe-2.15-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15124

Comment 13 Fedora Update System 2015-09-08 21:24:59 UTC
nrpe-2.15-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15398

Comment 14 Fedora Update System 2015-09-10 05:51:58 UTC
nrpe-2.15-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15398

Comment 15 Fedora Update System 2015-09-14 22:19:04 UTC
nrpe-2.15-6.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-09-14 23:18:15 UTC
nrpe-2.15-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Todd Zullinger 2015-09-15 00:39:10 UTC
This was closed by bodhi inadvertently, I believe.  There is still no patch or build for the el5 branch.  I submitted a patch in comment #6.

Are there any maintainers of nrpe reading this who could take a look and apply the patch if there are no issues?  It's pretty straightforward as it's the same patch applied to the other branches.

As I stated in comment #5, this has been actively exploited.

Comment 18 Fedora Update System 2015-09-18 18:31:17 UTC
nrpe-2.15-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Todd Zullinger 2015-09-18 21:34:12 UTC
Once again, this was closed incorrectly by bodhi.  I don't know why the Fedora updates would be referencing the EPEL bug in the first place, but they are.

In any case, this issue is still unresolved on EL5.  Does anyone care that it's been vulnerable and actively exploited for over a year?

Comment 20 Scott Wilkerson 2015-09-18 22:06:52 UTC
Sorry Todd,

I missed the el5 package in the latest update; submitted a new item to bodhi.

Comment 21 Fedora Update System 2015-09-18 22:07:37 UTC
nrpe-2.15-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8144

Comment 22 Fedora Update System 2015-09-18 22:07:37 UTC
nrpe-2.15-7.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8145

Comment 23 Fedora Update System 2015-09-18 22:07:43 UTC
nrpe-2.15-7.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8146

Comment 24 Fedora Update System 2015-09-19 02:46:14 UTC
nrpe-2.15-7.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8145

Comment 25 Fedora Update System 2015-09-19 03:19:31 UTC
nrpe-2.15-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8144

Comment 26 Fedora Update System 2015-09-19 03:21:10 UTC
nrpe-2.15-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8146

Comment 27 Fedora Update System 2015-10-08 03:53:35 UTC
nrpe-2.15-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2015-10-08 17:27:47 UTC
nrpe-2.15-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2015-10-08 22:28:53 UTC
nrpe-2.15-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Red Hat Bugzilla 2023-09-14 02:06:42 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days