1) CVE-2020-6581
Description: "Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection."
URL: https://herolab.usd.de/security-advisories/usd-2020-0002/
NOTE: "NRPE has to be compiled with command line parameter support. Additionally, dont_blame_nrpe option inside the NRPE configuration file has to be enabled."
Patch: https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197

2) CVE-2020-6582
Description: "Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call."
URL: https://herolab.usd.de/security-advisories/usd-2020-0001/
Patch: not worth determining a single patch; a variety of fixes have been applied since. (In my opinion, not worth trying to apply manually. The upstream hasn't split the commits into atomic changes and there are subsequent fixes for other bugs intermingled across several commits.)

----

All fixes seem to be in 4.0.2. The fixes for these particular CVEs may be in 3.3.0, but subsequent improvements have been made to the same areas of code up to 4.0.2, so it is IMO safer to just go for that.
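An added illustration of the nasty_metachars escape issue behind CVE-2020-6581 (example code written for this page, not NRPE's or the advisory's own code): it shows why a metachar set read literally from the config file misses a real newline, and a small escape-processing step that makes the filter see the intended bytes. The config value is constructed from the sample nrpe.cfg and is an assumption; the helper names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Illustration only, not NRPE's code. If the nasty_metachars value is taken
 * literally from a config line such as
 *   nasty_metachars="|`&><'\\[]{};\r\n"
 * the filter receives the two bytes '\' and 'n' instead of a newline.
 * This helper turns the "\n", "\r" and "\\" pairs into the real bytes. */
char *process_metachar_escapes(const char *raw) {
    size_t len = strlen(raw);
    char *out = malloc(len + 1);      /* output is never longer than input */
    size_t j = 0;
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (raw[i] == '\\' && i + 1 < len) {
            char next = raw[i + 1];
            if (next == 'n')  { out[j++] = '\n'; i++; continue; }
            if (next == 'r')  { out[j++] = '\r'; i++; continue; }
            if (next == '\\') { out[j++] = '\\'; i++; continue; }
        }
        out[j++] = raw[i];            /* anything else is kept as-is */
    }
    out[j] = '\0';
    return out;
}

/* Returns 1 if any byte of the argument string is in the metachar set. */
int contains_nasty_metachar(const char *arg, const char *metachars) {
    return strpbrk(arg, metachars) != NULL;
}

/* Compare the literal (defective) set with the processed one on a
 * constructed argument holding a real newline. Returns 1 when the literal
 * set lets the newline through and the processed set rejects it. */
int demo_newline_is_missed_by_literal_set(void) {
    const char *raw = "|`&><'\\\\[]{};\\r\\n"; /* config value as the parser hands it over */
    const char *arg = "disk1\ndisk2";           /* constructed: contains a real newline */
    char *fixed = process_metachar_escapes(raw);
    int missed = !contains_nasty_metachar(arg, raw);
    int caught = contains_nasty_metachar(arg, fixed);
    free(fixed);
    return missed && caught;
}
```

A side effect of the literal reading is that the set also contains the letters 'r' and 'n', so harmless arguments containing those letters are rejected while a real newline is not.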
v4.0.0 is the latest release on github, but those two advisories say that 4.0 should have the fix. Feel free to stabilize it. (I don't actually use NRPE, but I'm the only one who works on it in Gentoo.)
Let's hold stabilization. Sam pointed out that 4.0.2 has additional fixes. So we should bump first and go with 4.0.2 instead.
Forget previous comment, 4.0.1+ is not available on GitHub.
Using 4.0.0 in production, works fine.
amd64 stable
sparc stable
x86 stable
ppc stable
ppc64 stable
(In reply to Michael Orlitzky from comment #1)
> v4.0.0 is the latest release on github, but those two advisories say that
> 4.0 should have the fix. Feel free to stabilize it. (I don't actually use
> NRPE, but I'm the only one who works on it in Gentoo.)

Bit late now, but the maintainer after a poke has released 4.0.2, so may be useful for somebody to bump it in the future.
Dropped to ~hppa, feel free to get rid of old versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6605f564beba67c715410948f4b770077153aaa7

commit 6605f564beba67c715410948f4b770077153aaa7
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-03-25 12:32:36 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-03-25 12:32:36 +0000

    net-analyzer/nrpe: drop vulnerable 3.x versions.

    Bug: https://bugs.gentoo.org/712908
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 net-analyzer/nrpe/Manifest             |  1 -
 net-analyzer/nrpe/nrpe-3.2.1-r1.ebuild | 89 --------------------------------
 net-analyzer/nrpe/nrpe-3.2.1-r3.ebuild | 93 ----------------------------------
 3 files changed, 183 deletions(-)
Tree is clean.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.