FS#66574 - [nrpe] Missing enable-command-args
Attached to Project:
Community Packages
Opened by defmy (defmy) - Thursday, 07 May 2020, 11:20 GMT
Last edited by Jonathan Steel (jsteel) - Friday, 08 May 2020, 10:39 GMT
Opened by defmy (defmy) - Thursday, 07 May 2020, 11:20 GMT
Last edited by Jonathan Steel (jsteel) - Friday, 08 May 2020, 10:39 GMT
|
Details
Description:
--enable-command-args is missing during compilation for the package nrpe. We can't execute checks with arguments... Server log: Error: Request contained command arguments! Client request from 192.168.X.X was invalid, bailing out... Server config: dont_blame_nrpe=1 command[test]=/usr/bin/echo $ARG1$ Check NRPE: /usr/lib64/nagios/plugins/check_nrpe -H 192.168.X.X -c test -a 0 CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected). Version: 4.0.2 (Server/Client) |
This task depends upon
Closed by Jonathan Steel (jsteel)
Friday, 08 May 2020, 10:39 GMT
Reason for closing: Won't implement
Additional comments about closing: https://security.archlinux.org/AVG-587
Friday, 08 May 2020, 10:39 GMT
Reason for closing: Won't implement
Additional comments about closing: https://security.archlinux.org/AVG-587
FS#57120.nrpe don't have root rights and without this option, there is no interest.
Note in CVE-2014-2913:
"Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments."
You are free to build the package yourself if you wish to be vulnerable; or if you believe you are implementing it in a way that you would not be vulnerable but this will not become the default.