Bug 1089880
| Field | Value |
|---|---|
| Summary | CVE-2014-2913 nrpe: remote command execution when command arguments are enabled [epel-all] |
| Product | [Fedora] Fedora EPEL |
| Component | nrpe |
| Version | el6 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Keywords | Reopened, Security, SecurityTracking |
| Reporter | Murray McAllister <mmcallis> |
| Assignee | Sam Kottler <s> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jose.p.oliveira.oss, ondrejj, s, swilkerson, tmz, vdanen |
| Fixed In Version | 2.15-7.fc23 nrpe-2.15-7.el5 nrpe-2.15-7.el6 nrpe-2.15-7.el7 |
| Doc Type | Release Note |
| Bug Blocks | 1089878 |
| Last Closed | 2015-10-08 03:53:37 UTC |

Description
Murray McAllister
2014-04-22 06:47:07 UTC
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1089878,1089880

nrpe-2.15-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/nrpe-2.15-2.el6

Package nrpe-2.15-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=epel-testing nrpe-2.15-2.el6'

as soon as you are able to. Please go to the following URL: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1292/nrpe-2.15-2.el6 then log in and leave karma (feedback).

nrpe-2.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

EPEL-5 remains vulnerable to this issue. No errata has been issued for EPEL-5, AFAIK. Exploits have been seen in the wild as well.

Created attachment 1065975: Patch for EL5

This should apply cleanly to the el5 branch in git. I have not built this package, as I updated my few EL5 systems to 2.15-2 when I was hit by this vulnerability last year.

nrpe-2.15-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7940

nrpe-2.15-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7940

nrpe-2.15-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7939

nrpe-2.15-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15122

nrpe-2.15-6.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15123

nrpe-2.15-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15124

nrpe-2.15-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15398

nrpe-2.15-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15398

nrpe-2.15-6.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-2.15-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

This was closed by bodhi inadvertently, I believe. There is still no patch or build for the el5 branch. I submitted a patch in comment #6. Are there any maintainers of nrpe reading this who could take a look and apply the patch if there are no issues? It's pretty straightforward as it's the same patch applied to the other branches. As I stated in comment #5, this has been actively exploited.

nrpe-2.15-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Once again, this was closed incorrectly by bodhi. I don't know why the Fedora updates would be referencing the EPEL bug in the first place, but they are. In any case, this issue is still unresolved on EL5. Does anyone care that it's been vulnerable and actively exploited for over a year?

Sorry Todd, I missed the el5 package in the latest update; submitted a new item to bodhi.

nrpe-2.15-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8144

nrpe-2.15-7.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8145

nrpe-2.15-7.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8146

nrpe-2.15-7.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8145

nrpe-2.15-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8144

nrpe-2.15-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    su -c 'yum --enablerepo=updates-testing update nrpe'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8146

nrpe-2.15-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-2.15-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

nrpe-2.15-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.
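The bug's summary ties exposure to two conditions: an nrpe build older than the errata and "command arguments enabled". The following triage helper is an added example, not code from this bug or from the nrpe project. It assumes that the argument-processing switch is the nrpe.cfg directive `dont_blame_nrpe=1` (nrpe's own directive name; this page does not spell it out), takes the installed package as the name-version-release string `rpm -q nrpe` prints, and uses the bug's "Fixed In Version" builds as thresholds. The sample nrpe.cfg and NVR strings are constructed.

```python
"""Triage helper for CVE-2014-2913 exposure on an NRPE host.

Added example, not code from this bug or from the nrpe project. Inputs are
the installed package NVR (as printed by `rpm -q nrpe`) and the text of
nrpe.cfg. Argument processing is switched on by `dont_blame_nrpe=1`; that is
nrpe's directive name, not something this bug page states.
"""
import re

# Thresholds taken from the bug's "Fixed In Version" field, keyed by dist tag.
FIXED_IN = {"el5": "2.15-7", "el6": "2.15-7", "el7": "2.15-7", "fc23": "2.15-7"}


def parse_nrpe_cfg(text):
    """Return {directive: value} for a nrpe.cfg body.

    Blank lines and '#' comments are skipped; a directive given twice keeps
    the last value, so a commented-out `#dont_blame_nrpe=1` does not count.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def args_enabled(cfg):
    """True when nrpe will substitute $ARGn$ from the client's request."""
    return cfg.get("dont_blame_nrpe", "0") == "1"


def _segments(s):
    """Split 'a.b-c' into numeric/alpha segments the way rpmvercmp does."""
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a, b):
    """Simplified rpmvercmp over 'version-release' strings: -1, 0 or 1.

    Numeric segments compare numerically, alpha segments lexically, a numeric
    segment beats an alpha one, and a longer string beats its own prefix.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(nvr):
    """'nrpe-2.15-7.el6' -> ('nrpe', '2.15', '7', 'el6'); dist may be None."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)", nvr)
    if not m:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    name, version, release = m.groups()
    dm = re.search(r"\.(el\d+|fc\d+)$", release)
    if dm:
        return name, version, release[: dm.start()], dm.group(1)
    return name, version, release, None


def assess(installed_nvr, cfg_text, fixed_in=FIXED_IN):
    """Classify a host: 'fixed', 'vulnerable', 'unpatched-args-disabled' or 'unknown'."""
    name, version, release, dist = parse_nvr(installed_nvr)
    fixed = fixed_in.get(dist)
    if name != "nrpe" or fixed is None:
        return "unknown"
    if rpm_vercmp(f"{version}-{release}", fixed) >= 0:
        return "fixed"
    # Older than the errata build: the bug is reachable only with argument processing on.
    if args_enabled(parse_nrpe_cfg(cfg_text)):
        return "vulnerable"
    return "unpatched-args-disabled"


# Constructed sample config (not taken from any real host).
SAMPLE_CFG = """\
# nrpe.cfg excerpt (constructed)
server_port=5666
allowed_hosts=127.0.0.1,10.0.0.5
#dont_blame_nrpe=0
dont_blame_nrpe=1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
"""

if __name__ == "__main__":
    for nvr in ("nrpe-2.15-2.el5", "nrpe-2.15-7.el5", "nrpe-2.14-5.el6"):
        print(nvr, assess(nvr, SAMPLE_CFG))
```

The thresholds are the "Fixed In Version" builds, which is conservative: the description reports nrpe-2.15-2.el6 as the 2014 EPEL 6 fix, so an EL6 host on 2.15-2 through 2.15-6 is flagged as unpatched by this table even though the CVE itself is addressed there; pass a different `fixed_in` mapping if you want the earliest fixed build per branch. An "unpatched-args-disabled" result is still a reason to update, since the only thing standing between that host and the bug is a one-line config change.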