Request contained command arguments

Bug #1555258 reported by Michael Peters
This bug affects 8 people
Affects                 Status         Importance   Assigned to       Milestone
nagios-nrpe (Debian)    Fix Released   Unknown
nagios-nrpe (Ubuntu)    Fix Released   Medium       Eric Desrochers
  Xenial                Fix Released   Medium       Eric Desrochers
  Yakkety               Fix Released   Medium       Eric Desrochers
  Zesty                 Fix Released   Medium       Eric Desrochers
  Artful                Fix Released   Medium       Eric Desrochers

Bug Description

[Impact]

 * Debian upstream maintainer decided to compile without "--enable-command-args" as described in debian/NEWS file. This decision has the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command arguments in the daemon.
Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature.

 * The expectation is for Ubuntu to deviate from Debian upstream decision to accommodate Ubuntu Nagios users.

 * Doug's comment explains well the situation :
https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/comments/6

[0] - Debian Bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479

[Test Case]

 * This requires a Nagios environment setup (Server and at least 1 client)

 * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg
$ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

Server logs:
nrpe[83523]: Connection from y.y.y.y port 43186
nrpe[83523]: Host address is in allowed_hosts
nrpe[83523]: Handling the connection...
==> nrpe[83523]: Error: Request contained command arguments!
==> nrpe[83523]: Client request was invalid, bailing out..

[Regression Potential]

 * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
   Note that by default, the option is DISABLED in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0".

 * For users using the default value "dont_blame_nrpe=0", there is no behavioural change. With regard to the risk, I would say it is LOW.
   The option is disabled by default, meaning that it doesn't introduce any security risk for users that don't rely on this feature.
   But it doesn't prevent the risk that inexperienced users enable the option without considering all the security risk aspects.

 * For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS.

 * Deviating from Debian upstream for that particular case will allow to unblock experienced Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to
   accept the security risks that the feature involves by manually enabling command-args in nrpe.cfg or not.

 * Canonical Security team feedback :
   https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9

   ...
   If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362:
   ...

 * COMMAND ARGUMENTS
   NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing!
   https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments

Note that Artful and Zesty already have the commit mentioned by Tyler :
a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS "|`&><'\\[]{};\r\n"
z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS "|`&><'\\[]{};\r\n"

Thus, only Xenial and Yakkety require it.
x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS "|`&><'\"\\[]{};"
y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS "|`&><'\"\\[]{};"

[Other Info]

* CVE-2013-1362 :

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1

[Original Description]

Ubuntu 15.10 (upgraded from 12.04)

Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored.

/var/log/syslog reports:

Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments!
Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...

All checks of this box have stopped working since the upgrade and I would like to get to the bottom of why NRPE is not honoring my request to allow command arguments.

Revision history for this message
Junkern (ulf-bjork) wrote :

I have the same problem, seems that Debian removed the setting dont_blame_nrpe=1

http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_2.15-1_changelog

[eec54b6] Adjust README.Debian for the removal or argument processing

Running Ubuntu 16.04 LTS
nagios-nrpe-plugin 2.15-0ubuntu1 amd64 Nagios Remote Plugin Executor Plugin
nagios-nrpe-server 2.15-1ubuntu1 amd64 Nagios Remote Plugin Executor Server

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nagios-nrpe (Ubuntu):
status: New → Confirmed
Revision history for this message
Junkern (ulf-bjork) wrote :
Revision history for this message
Junkern (ulf-bjork) wrote :
Revision history for this message
Bas Couwenberg (sebastic) wrote :

nagios-nrpe (2.15-1) has disabled command-args, and this feature won't be re-enabled in the foreseeable future.

Changed in nagios-nrpe (Ubuntu):
status: Confirmed → Invalid
Changed in nagios-nrpe (Debian):
status: Unknown → Fix Released
Revision history for this message
Doug Parrish (dparrish) wrote :

From reading the Debian bug #756479 cited above, it appears there was considerable impact to users whose Nagios monitors depended on this feature when upgraded to 2.15. Some users of NRPE are customers of Canonical's, one of whom I support as a Dedicated Support Engineer. This customer would like to monitor its relatively new Ubuntu/Juju/Openstack clouds from its existing Nagios master which utilizes this feature for some of their check_nrpe calls. Would Canonical/Ubuntu reconsider Debian's decision with regard to the build for Ubuntu? This would allow customers to use Canonical-supported packages and make their own decision whether to accept the security risks of enabling the feature.

Changed in nagios-nrpe (Ubuntu):
status: Invalid → New
Revision history for this message
Eric Desrochers (slashd) wrote :

I have reverted the release nomination approval for this bug until Ubuntu (e.g. Foundation team, ~ubuntu-sru, ...) comes up with a final official position with regard to comment #6 from my colleague Doug.

Thanks !

no longer affects: nagios-nrpe (Ubuntu Zesty)
no longer affects: nagios-nrpe (Ubuntu Yakkety)
no longer affects: nagios-nrpe (Ubuntu Xenial)
no longer affects: nagios-nrpe (Ubuntu Trusty)
Eric Desrochers (slashd)
tags: added: sts
Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu):
status: New → Won't Fix
status: Won't Fix → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nagios-nrpe (Ubuntu):
status: New → Confirmed
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I feel like this would be acceptable, from a security standpoint, to enable at build time. It would be disabled by default and upstream makes it clear that it should only be enabled if you know what you're doing:

  https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments

After reading bug reports and comments on social media, I have to assume that there are users out there that know what they're doing and depend on this feature.

If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362:

  https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1

There's no need to take this change through the security pocket since the current package is not vulnerable to CVE-2013-1362. It can take the normal SRU route directly to the updates pocket.

Eric Desrochers (slashd)
description: updated
Changed in nagios-nrpe (Ubuntu Xenial):
status: New → Confirmed
Changed in nagios-nrpe (Ubuntu Yakkety):
status: New → Confirmed
Changed in nagios-nrpe (Ubuntu Zesty):
status: New → Confirmed
description: updated
Eric Desrochers (slashd)
description: updated
Changed in nagios-nrpe (Ubuntu Xenial):
assignee: nobody → Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Yakkety):
assignee: nobody → Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Zesty):
assignee: nobody → Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Artful):
assignee: nobody → Eric Desrochers (slashd)
importance: Undecided → Wishlist
importance: Wishlist → Low
Changed in nagios-nrpe (Ubuntu Zesty):
importance: Undecided → Low
Changed in nagios-nrpe (Ubuntu Yakkety):
importance: Undecided → Low
Changed in nagios-nrpe (Ubuntu Xenial):
importance: Undecided → Low
tags: added: sts-sru
Eric Desrochers (slashd)
description: updated
Changed in nagios-nrpe (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in nagios-nrpe (Ubuntu Yakkety):
status: Confirmed → In Progress
Changed in nagios-nrpe (Ubuntu Zesty):
status: Confirmed → In Progress
Changed in nagios-nrpe (Ubuntu Artful):
status: Confirmed → In Progress
Eric Desrochers (slashd)
description: updated
description: updated
Eric Desrochers (slashd)
description: updated
Eric Desrochers (slashd)
description: updated
Revision history for this message
Eric Desrochers (slashd) wrote :

artful_lp1555258.debdiff

Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Artful):
importance: Low → Medium
Changed in nagios-nrpe (Ubuntu Zesty):
importance: Low → Medium
Changed in nagios-nrpe (Ubuntu Yakkety):
importance: Low → Medium
Changed in nagios-nrpe (Ubuntu Xenial):
importance: Low → Medium
description: updated
Revision history for this message
Doug Parrish (dparrish) wrote :

Excerpts from mynrpe-server's /var/log/syslog when running check_nrpe from mynagios-master (nrpe.cfg debug=1):

Before install of xenial recompiled package:

ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

May 1 20:20:06 mynrpe-server nrpe[83523]: Connection from 192.168.1.52 port 43186
May 1 20:20:06 mynrpe-server nrpe[83523]: Host address is in allowed_hosts
May 1 20:20:06 mynrpe-server nrpe[83523]: Handling the connection...
May 1 20:20:06 mynrpe-server nrpe[83523]: Error: Request contained command arguments!
May 1 20:20:06 mynrpe-server nrpe[83523]: Client request was invalid, bailing out...

After install of xenial recompiled package but nrpe.cfg dont_blame_nrpe=0 as installed (default):

ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

May 1 20:22:02 mynrpe-server nrpe[84181]: Handling the connection...
May 1 20:22:02 mynrpe-server nrpe[84181]: Error: Request contained command arguments, but argument option is not enabled!
May 1 20:22:02 mynrpe-server nrpe[84181]: Client request was invalid, bailing out...

After nrpe.cfg dont_blame_nrpe=1 (user is manually enabling command-args):

May 1 20:23:31 mynrpe-server nrpe[84324]: Server listening on 0.0.0.0 port 5664.
May 1 20:23:31 mynrpe-server nrpe[84324]: Server listening on :: port 5664.
May 1 20:23:31 mynrpe-server nrpe[84324]: Warning: Daemon is configured to accept command arguments from clients!
May 1 20:23:31 mynrpe-server nrpe[84324]: Listening for connections on port 0
May 1 20:23:31 mynrpe-server nrpe[84324]: Allowing connections from: 127.0.0.1,192.168.1.28,192.168.1.29,192.168.1.52

ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0
PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0;

May 1 20:24:46 mynrpe-server nrpe[84858]: Running command: /usr/lib/nagios/plugins/check_procs -C rsyslogd -w 1 -c 0
May 1 20:24:46 mynrpe-server nrpe[84858]: Command completed with return code 2 and output: PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0;
May 1 20:24:46 mynrpe-server nrpe[84858]: Return Code: 2, Output: PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0;
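
Added example, not code from NRPE or from the Ubuntu/Debian packages: it runs the two NASTY_METACHARS values quoted in the bug description over constructed arguments, beside a hypothetical allowlist, and expands `$ARGn$` macros to reproduce the "Running command" line in the log above. The function names and the check_procs command template are assumptions; NRPE may apply further checks that this character-list comparison does not model.

```c
#include <stdio.h>
#include <string.h>

/* The two definitions quoted in the bug description. */
#define METACHARS_2_15  "|`&><'\"\\[]{};"      /* Xenial, Yakkety (nrpe 2.15) */
#define METACHARS_3_0_1 "|`&><'\\[]{};\r\n"   /* Zesty, Artful (nrpe 3.0.1)  */

/* 1 if arg contains any byte from the blacklist, else 0. */
int has_listed_char(const char *arg, const char *blacklist)
{
    return strpbrk(arg, blacklist) != NULL;
}

/* Hypothetical stricter policy (not NRPE behaviour): accept only
 * non-empty arguments built from characters a plugin option needs. */
int is_allowlisted(const char *arg)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._:/,=-";
    return arg[0] != '\0' && strspn(arg, ok) == strlen(arg);
}

/* Substitute $ARG1$..$ARG9$ in a command template.
 * Returns 0 on success, -1 if the result does not fit in out. */
int expand_args(const char *tmpl, const char *const *args, int nargs,
                char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    while (*tmpl) {
        const char *piece = tmpl;   /* default: copy one literal byte */
        size_t len = 1;
        if (strncmp(tmpl, "$ARG", 4) == 0 &&
            tmpl[4] >= '1' && tmpl[4] <= '9' && tmpl[5] == '$') {
            int idx = tmpl[4] - '1';
            piece = idx < nargs ? args[idx] : "";  /* missing arg -> empty */
            len = strlen(piece);
            tmpl += 6;
        } else {
            tmpl += 1;
        }
        if (used + len >= outsz)
            return -1;
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Assumed command definition, inferred from the "Running command" log line. */
const char *demo_expand(void)
{
    static char buf[128];
    const char *const args[] = { "rsyslogd", "1", "0" };
    const char *tmpl =
        "/usr/lib/nagios/plugins/check_procs -C $ARG1$ -w $ARG2$ -c $ARG3$";
    return expand_args(tmpl, args, 3, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample arguments, not taken from any real request. */
    const char *const samples[] = { "rsyslogd", "a\"b", "a\nb", "$(x)" };
    const char *const labels[]  = { "plain", "double quote", "newline",
                                    "dollar-paren" };
    for (int i = 0; i < 4; i++)
        printf("%-13s 2.15:%d 3.0.1:%d allowlist:%d\n", labels[i],
               has_listed_char(samples[i], METACHARS_2_15),
               has_listed_char(samples[i], METACHARS_3_0_1),
               is_allowlisted(samples[i]));
    printf("%s\n", demo_expand());
    return 0;
}
```

Each character list rejects an input the other accepts, and neither list contains `$` or `(`, which is the pattern named in the CVE-2013-1362 description; the allowlist rejects all three non-plain samples.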

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-nrpe - 3.0.1-3ubuntu1

---------------
nagios-nrpe (3.0.1-3ubuntu1) artful; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follow : "dont_blame_nrpe=0", which
    has the same effect of having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involve by manually enabling command-args in nrpe.cfg or not.
    For more details as of why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

 -- Eric Desrochers <email address hidden> Tue, 02 May 2017 08:32:36 -0400

Changed in nagios-nrpe (Ubuntu Artful):
status: In Progress → Fix Released
Revision history for this message
Eric Desrochers (slashd) wrote :

zesty_nagiosnrpe_lp1555258.debdiff

Revision history for this message
Eric Desrochers (slashd) wrote :

zesty_nagiosnrpe_lp1555258_V2.debdiff

- Change the version in debian/changelog from "3.0.1-3ubuntu0.17.04.1" to "3.0.1-3ubuntu0.17.04.1"

Revision history for this message
Eric Desrochers (slashd) wrote :

xenial_lp1555258.debdiff

Revision history for this message
Brian Murray (brian-murray) wrote :

It may have facilitated the review (I took the time to look) were it mentioned that there is a warning in the sample configuration file e.g.:

# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

Changed in nagios-nrpe (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted nagios-nrpe into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios-nrpe/3.0.1-3ubuntu0.17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Doug Parrish (dparrish) wrote :

Tested 3.0.1-3ubuntu0.17.04.1 on zesty with positive result.

nrpe.cfg:dont_blame_nrpe=0 [ is set this way as part of install - no editing done ]

In syslog:
May 4 21:36:18 cmonb nrpe[6381]: Error: Request contained command arguments, but argument option is not enabled!
May 4 21:36:18 cmonb nrpe[6381]: Client request from 10.1.0.212 was invalid, bailing out...

[ edited nrpe.cfg:dont_blame_nrpe=1 ]

In syslog:
May 4 21:37:36 cmonb nrpe[6420]: Warning: Daemon is configured to accept command arguments from clients!
...
May 4 21:37:52 cmonb nrpe[6442]: Running command: /usr/lib/nagios/plugins/check_procs -C syslogd -w 1 -c 0
May 4 21:37:52 cmonb nrpe[6442]: Command completed with return code 0 and output: PROCS OK: 0 processes with command name 'syslogd' | procs=0;1;0;0;
May 4 21:37:52 cmonb nrpe[6442]: Return Code: 0, Output: PROCS OK: 0 processes with command name 'syslogd' | procs=0;1;0;0;

Eric Desrochers (slashd)
tags: added: verification-done-zesty
removed: verification-needed
Revision history for this message
Eric Desrochers (slashd) wrote :

yakkety_lp1555258.debdiff

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Michael, or anyone else affected,

Accepted nagios-nrpe into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios-nrpe/2.15-1ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nagios-nrpe (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in nagios-nrpe (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Michael, or anyone else affected,

Accepted nagios-nrpe into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios-nrpe/2.15-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Doug Parrish (dparrish) wrote :

tested nagios-nrpe-server
  2.15-1ubuntu3 on yakkety
  2.15-1ubuntu1.1 on xenial

Both tests yielded same result as described in comment #18, i.e. positive, as intended.

Revision history for this message
Eric Desrochers (slashd) wrote :

Thanks Doug for the testing on all affected stable releases.

tags: added: verification-done-xenial verification-done-yakkety
removed: sts verification-needed
Revision history for this message
François Blondel (francoisblondel) wrote :

Sorry, misclicked myself, but I haven't the rights to revert my change :(

Changed in nagios-nrpe (Ubuntu Xenial):
status: Fix Committed → Fix Released
Eric Desrochers (slashd)
Changed in nagios-nrpe (Ubuntu Xenial):
status: Fix Released → Fix Committed
Revision history for this message
François Blondel (francoisblondel) wrote :

Also tested nagios-nrpe-server 2.15-1ubuntu1.1 on xenial, works as expected, same as in comment #18.

Revision history for this message
Eric Desrochers (slashd) wrote :

Thanks François Blondel for the feedback.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-nrpe - 3.0.1-3ubuntu0.17.04.1

---------------
nagios-nrpe (3.0.1-3ubuntu0.17.04.1) zesty; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follow : "dont_blame_nrpe=0", which
    has the same effect of having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involve by manually enabling command-args in nrpe.cfg or not.
    For more details as of why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

 -- Eric Desrochers <email address hidden> Tue, 02 May 2017 09:09:29 -0400

Changed in nagios-nrpe (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for nagios-nrpe has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu1.1

---------------
nagios-nrpe (2.15-1ubuntu1.1) xenial; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follow : "dont_blame_nrpe=0", which
    has the same effect of having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involve by manually enabling command-args in nrpe.cfg or not.
    For more details as of why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

  * [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258)
    As requested by the security team.

 -- Eric Desrochers <email address hidden> Tue, 02 May 2017 14:21:47 -0400

Changed in nagios-nrpe (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu3

---------------
nagios-nrpe (2.15-1ubuntu3) yakkety; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follow : "dont_blame_nrpe=0", which
    has the same effect of having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involve by manually enabling command-args in nrpe.cfg or not.
    For more details as of why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

  * [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258)
    As requested by the security team.

 -- Eric Desrochers <email address hidden> Mon, 08 May 2017 08:01:10 -0400

Changed in nagios-nrpe (Ubuntu Yakkety):
status: Fix Committed → Fix Released