
[ASA-201801-14] nrpe: arbitrary command execution
Arch Linux Security Advisory ASA-201801-14
==========================================

Severity: High
Date    : 2018-01-18
CVE-ID  : CVE-2013-1362 CVE-2014-2913
Package : nrpe
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-587

Summary
=======

The package nrpe before version 3.2.1-3 is vulnerable to arbitrary command execution.

Resolution
==========

Upgrade to 3.2.1-3.

# pacman -Syu "nrpe>=3.2.1-3"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

Ensure the "dont_blame_nrpe" option in nrpe.conf is disabled.

Description
===========

- CVE-2013-1362 (arbitrary command execution)

Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plug-In Executor (NRPE) might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

- CVE-2014-2913 (arbitrary command execution)

Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe.

Impact
======

A remote attacker is able to execute arbitrary commands on the affected host by passing malicious command arguments via check_nrpe.

References
==========

https://bugs.archlinux.org/task/57120
http://seclists.org/bugtraq/2013/Feb/119
https://github.com/NagiosEnterprises/nrpe/commit/eaaebb3c2925f9aee74319b61264ee535784b859
http://seclists.org/fulldisclosure/2014/Apr/240
http://seclists.org/oss-sec/2014/q2/154
https://security.archlinux.org/CVE-2013-1362
https://security.archlinux.org/CVE-2014-2913
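Both CVEs in the Description section are the same class of bug: a fixed blacklist of shell metacharacters applied to plugin arguments, which misses "$()" (CVE-2013-1362) and the newline character (CVE-2014-2913). The following is an added illustration, not code from NRPE or from this advisory: a hypothetical blacklist check in the style the advisory describes, next to an allowlist check over the same constructed arguments, showing why the allowlist is the robust form of the fix. The WEAK_BLACKLIST contents and the ALLOWED character set are assumptions chosen for the demonstration.

```python
"""Added example (not NRPE's own code): an incomplete metacharacter
blacklist for plugin arguments beside an allowlist that closes the gap.

Assumption: WEAK_BLACKLIST is a hypothetical reconstruction in the style
the advisory describes, not the real list from nrpe.c."""
import re

# Hypothetical pre-fix style blacklist: common shell metacharacters, but
# it contains neither '$', '(', ')' nor newline, which is exactly the gap
# the two CVEs in this advisory describe.
WEAK_BLACKLIST = set("|`&><'\"\\[]{};")

# Hardened check: accept only the characters a monitoring argument needs
# (assumed set; tighten it further for a specific plugin).
ALLOWED = re.compile(r"[A-Za-z0-9 ._:/=,%-]*")


def weak_blacklist_accepts(arg: str) -> bool:
    """Blacklist style: reject only if a listed character is present."""
    return not any(c in WEAK_BLACKLIST for c in arg)


def allowlist_accepts(arg: str) -> bool:
    """Allowlist style: reject anything outside the explicit set."""
    return ALLOWED.fullmatch(arg) is not None


def audit_args(args):
    """Map each argument to (blacklist verdict, allowlist verdict)."""
    return {a: (weak_blacklist_accepts(a), allowlist_accepts(a)) for a in args}


# Constructed sample arguments (not taken from any real check_nrpe call).
SAMPLES = [
    "-w 80 -c 90",   # ordinary threshold arguments
    "/var/log",      # path argument
    "$(date)",       # "$()" substitution: the CVE-2013-1362 gap
    "80\ndate",      # embedded newline: the CVE-2014-2913 gap
    "x; date",       # ';' is blacklisted, so the weak check catches it
]

if __name__ == "__main__":
    for arg, (weak, strict) in audit_args(SAMPLES).items():
        print(f"{arg!r:14} blacklist={'pass' if weak else 'BLOCK'} "
              f"allowlist={'pass' if strict else 'BLOCK'}")
```

The two "gap" samples pass the blacklist check and are rejected only by the allowlist, which is the behaviour to look for when reviewing any argument filter in front of a shell.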