Bug 1089880 - CVE-2014-2913 nrpe: remote command execution when command arguments are enabled [epel-all] [NEEDINFO]
Summary: CVE-2014-2913 nrpe: remote command execution when command arguments are enabl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nrpe
Version: el6
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Sam Kottler
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2014-2913
TreeView+ depends on / blocked
 
Reported: 2014-04-22 06:47 UTC by Murray McAllister
Modified: 2015-10-08 22:28 UTC (History)
6 users (show)

Fixed In Version: 2.15-7.fc23 nrpe-2.15-7.el5 nrpe-2.15-7.el6 nrpe-2.15-7.el7
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-08 03:53:37 UTC
Type: ---
tmz: needinfo? (s)


Attachments (Terms of Use)
Patch for EL5 (2.71 KB, patch)
2015-08-23 02:17 UTC, Todd Zullinger
no flags Details | Diff

Description Murray McAllister 2014-04-22 06:47:07 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s).  This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Comment 1 Murray McAllister 2014-04-22 06:47:17 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1089878,1089880

Comment 2 Fedora Update System 2014-05-01 01:34:31 UTC
nrpe-2.15-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/nrpe-2.15-2.el6

Comment 3 Fedora Update System 2014-05-01 18:29:39 UTC
Package nrpe-2.15-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing nrpe-2.15-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1292/nrpe-2.15-2.el6
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-05-16 03:02:44 UTC
nrpe-2.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Todd Zullinger 2015-08-23 02:05:11 UTC
EPEL-5 remains vulnerable to this issue.  No errata has been issued for EPEL-5, AFAIK.  Exploits have been seen in the wild as well.

Comment 6 Todd Zullinger 2015-08-23 02:17:52 UTC
Created attachment 1065975 [details]
Patch for EL5

This should apply cleanly to the el5 branch in git.  I have not built this package, as I updated my few EL5 systems to 2.15-2 when I was hit by this vulnerability last year.

Comment 7 Fedora Update System 2015-09-04 21:45:55 UTC
nrpe-2.15-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7940

Comment 8 Fedora Update System 2015-09-06 17:50:39 UTC
nrpe-2.15-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7940

Comment 9 Fedora Update System 2015-09-06 17:51:57 UTC
nrpe-2.15-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7939

Comment 10 Fedora Update System 2015-09-06 18:52:22 UTC
nrpe-2.15-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15122

Comment 11 Fedora Update System 2015-09-06 21:19:20 UTC
nrpe-2.15-6.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15123

Comment 12 Fedora Update System 2015-09-06 21:57:12 UTC
nrpe-2.15-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15124

Comment 13 Fedora Update System 2015-09-08 21:24:59 UTC
nrpe-2.15-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15398

Comment 14 Fedora Update System 2015-09-10 05:51:58 UTC
nrpe-2.15-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15398

Comment 15 Fedora Update System 2015-09-14 22:19:04 UTC
nrpe-2.15-6.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-09-14 23:18:15 UTC
nrpe-2.15-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Todd Zullinger 2015-09-15 00:39:10 UTC
This was closed by bodhi inadvertently, I believe.  There is still no patch or build for the el5 branch.  I submitted a patch in comment #6.

Are there any maintainers of nrpe reading this who could take a look and apply the patch if there are no issues?  It's pretty straight forward as it's the same patch applied to the other branches.

As I stated in comment #5, this has been actively exploited.

Comment 18 Fedora Update System 2015-09-18 18:31:17 UTC
nrpe-2.15-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Todd Zullinger 2015-09-18 21:34:12 UTC
Once again, this was closed incorrectly by bodhi.  I don't know why the Fedora updates would be referencing the EPEL bug in the first place, but they are.

In any case, this issue is still unresolved on EL5.  Does anyone care that it's been vulnerable and actively exploited for over a year?

Comment 20 Scott Wilkerson 2015-09-18 22:06:52 UTC
Sorry Todd,

I missed el5 package in the latest update, submitted new item to bodhi

Comment 21 Fedora Update System 2015-09-18 22:07:37 UTC
nrpe-2.15-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8144

Comment 22 Fedora Update System 2015-09-18 22:07:37 UTC
nrpe-2.15-7.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8145

Comment 23 Fedora Update System 2015-09-18 22:07:43 UTC
nrpe-2.15-7.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8146

Comment 24 Fedora Update System 2015-09-19 02:46:14 UTC
nrpe-2.15-7.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8145

Comment 25 Fedora Update System 2015-09-19 03:19:31 UTC
nrpe-2.15-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8144

Comment 26 Fedora Update System 2015-09-19 03:21:10 UTC
nrpe-2.15-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update nrpe'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8146

Comment 27 Fedora Update System 2015-10-08 03:53:35 UTC
nrpe-2.15-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2015-10-08 17:27:47 UTC
nrpe-2.15-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2015-10-08 22:28:53 UTC
nrpe-2.15-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.