A remote command execution flaw was discovered in Nagios NRPE when command arguments are enabled. A remote attacker could use this flaw to execute arbitrary commands. This issue affects versions 2.15 and older. Command arguments are disabled by default ("dont_blame_nrpe=0" in "/etc/nagios/nrpe.cfg"), and the security risk of enabling them is documented. Some discussion about the fix is available on the oss-security list: http://seclists.org/oss-sec/2014/q2/129
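The report above turns on one setting: whether nrpe.cfg has dont_blame_nrpe=1 and which command definitions actually substitute client-supplied arguments. The following audit script is an added example for this page, not code from the bug report or from the nrpe project. It assumes the EPEL/Fedora default path /etc/nagios/nrpe.cfg, NRPE's documented config syntax (key=value lines, whole-line # comments, command[name]=cmdline definitions with $ARG1$..$ARGn$ placeholders), and that a later dont_blame_nrpe line overrides an earlier one; the sample configs embedded below are constructed, not taken from any real host.

```python
"""Audit an NRPE configuration for the argument-handling posture that the
CVE-2014-2913 report hinges on. Added example; not from the bug report or nrpe."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NRPE_CFG = "/etc/nagios/nrpe.cfg"          # EPEL/Fedora default path (assumed)
ARG_TOKEN = re.compile(r"\$ARG\d+\$")      # NRPE placeholders $ARG1$, $ARG2$, ...
COMMAND_KEY = re.compile(r"^command\[([^\]]+)\]$")


@dataclass
class NrpeAudit:
    dont_blame_nrpe: Optional[int]          # None when the directive is absent
    arg_commands: Dict[str, str] = field(default_factory=dict)

    @property
    def accepts_remote_args(self) -> bool:
        # An absent directive behaves like the documented default of 0.
        return self.dont_blame_nrpe == 1

    def findings(self) -> List[str]:
        """Human-readable findings; empty when remote arguments are disabled."""
        if not self.accepts_remote_args:
            return []
        out = ["dont_blame_nrpe=1: NRPE accepts command arguments from check_nrpe "
               "clients; set it to 0 unless the package carries the fix for this flaw"]
        for name, cmdline in sorted(self.arg_commands.items()):
            out.append(f"command[{name}] substitutes remote arguments: {cmdline}")
        return out


def audit_nrpe_cfg(text: str) -> NrpeAudit:
    """Parse nrpe.cfg text and report whether remote arguments are accepted."""
    dont_blame: Optional[int] = None
    arg_commands: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                        # blank line, comment, or not a directive
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "dont_blame_nrpe":
            # Later assignments override earlier ones (assumed, as for a
            # sequentially read config file); non-numeric values are ignored.
            if value.isdigit():
                dont_blame = int(value)
            continue
        m = COMMAND_KEY.match(key)
        if m and ARG_TOKEN.search(value):
            arg_commands[m.group(1)] = value  # only commands that use $ARGn$
    return NrpeAudit(dont_blame, arg_commands)


def audit_nrpe_file(path: str = NRPE_CFG) -> NrpeAudit:
    """Audit a config file on disk (default: the assumed EPEL location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_nrpe_cfg(fh.read())


# Constructed sample configs for demonstration (not copied from a real host).
VULNERABLE_CFG = """\
# nrpe.cfg excerpt: arguments enabled, the posture the report warns about
server_port=5666
allowed_hosts=127.0.0.1,10.0.0.5
dont_blame_nrpe=0
# the later assignment wins
dont_blame_nrpe=1
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$
"""

# Same file with the documented default restored.
HARDENED_CFG = VULNERABLE_CFG.replace("dont_blame_nrpe=1", "dont_blame_nrpe=0")

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        audit = audit_nrpe_cfg(cfg)
        print(f"[{label}] dont_blame_nrpe={audit.dont_blame_nrpe}")
        for finding in audit.findings() or ["no findings: remote arguments disabled"]:
            print("  -", finding)
```

Run it as `python3 audit_nrpe.py` to see both sample postures, or call `audit_nrpe_file()` on a host to check the live config. Commands that contain $ARGn$ are only reported when dont_blame_nrpe=1, because with the default of 0 the daemon does not take arguments from the client at all; on hosts that need arguments enabled, the report is a list of exactly which checks expose that path until the patched package is installed.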
Created nrpe tracking bugs for this issue: Affects: fedora-all [bug 1089879] Affects: epel-all [bug 1089880]
nrpe-2.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
EPEL-5 remains vulnerable. I had a few systems compromised by this over the weekend. I rebuilt nrpe-2.15-2 on el5 to fix my systems, but an update should be pushed to prevent others from falling victim to attacks that are occurring in the wild.
nrpe-2.15-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nrpe-2.15-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
EPEL-5 remains vulnerable to this issue. No errata has been issued for EPEL-5, AFAIK. Exploits have been seen in the wild as well.