[Bug 1555258] Re: Request contained command arguments
This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu3 --- nagios-nrpe (2.15-1ubuntu3) yakkety; urgency=medium * debian/rules : Add "--enable-command-args". (LP: #1555258) This update enables the command-args support in nrpe by not ignoring option "dont_blame_nrpe=1". By default, the option is set as follow : "dont_blame_nrpe=0", which has the same effect of having the command-args support disabled at compile time like Debian does. Ubuntu has decided to deviate from Debian upstream for that particular case to allow/unblock the Ubuntu users of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. For more details as of why Debian has decided to disable the feature can be found in debian/NEWS. (closes: #756479) * [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258) As requested by the security team. -- Eric DesrochersMon, 08 May 2017 08:01:10 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu1.1 --- nagios-nrpe (2.15-1ubuntu1.1) xenial; urgency=medium * debian/rules : Add "--enable-command-args". (LP: #1555258) This update enables the command-args support in nrpe by not ignoring option "dont_blame_nrpe=1". By default, the option is set as follow : "dont_blame_nrpe=0", which has the same effect of having the command-args support disabled at compile time like Debian does. Ubuntu has decided to deviate from Debian upstream for that particular case to allow/unblock the Ubuntu users of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. For more details as of why Debian has decided to disable the feature can be found in debian/NEWS. (closes: #756479) * [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258) As requested by the security team. -- Eric DesrochersTue, 02 May 2017 14:21:47 -0400 ** Changed in: nagios-nrpe (Ubuntu Xenial) Status: Fix Committed => Fix Released ** Changed in: nagios-nrpe (Ubuntu Yakkety) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
This bug was fixed in the package nagios-nrpe - 3.0.1-3ubuntu0.17.04.1 --- nagios-nrpe (3.0.1-3ubuntu0.17.04.1) zesty; urgency=medium * debian/rules : Add "--enable-command-args". (LP: #1555258) This update enables the command-args support in nrpe by not ignoring option "dont_blame_nrpe=1". By default, the option is set as follow : "dont_blame_nrpe=0", which has the same effect of having the command-args support disabled at compile time like Debian does. Ubuntu has decided to deviate from Debian upstream for that particular case to allow/unblock the Ubuntu users of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. For more details as of why Debian has decided to disable the feature can be found in debian/NEWS. (closes: #756479) -- Eric DesrochersTue, 02 May 2017 09:09:29 -0400 ** Changed in: nagios-nrpe (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Thanks François Blondel for the feedbacks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Also tested nagios-nrpe-server 2.15-1ubuntu1.1 on xenial, works as expected, same as in comment #18. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Changed in: nagios-nrpe (Ubuntu Xenial) Status: Fix Released => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Sorry, misclicked myself, but i haven't the rights to revert my change :( ** Changed in: nagios-nrpe (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Thanks Doug for the testing on all affected stable releases. ** Tags removed: sts verification-needed ** Tags added: verification-done-xenial verification-done-yakkety -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
tested nagios-nrpe-server 2.15-1ubuntu3 on yakkety 2.15-1ubuntu1.1 on xenial Both tests yielded same result as described in comment #18, i.e. positive, as intended. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Hello Michael, or anyone else affected, Accepted nagios-nrpe into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nagios- nrpe/2.15-1ubuntu3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: nagios-nrpe (Ubuntu Yakkety) Status: In Progress => Fix Committed ** Tags added: verification-needed ** Changed in: nagios-nrpe (Ubuntu Xenial) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
yakkety_lp1555258.debdiff ** Patch added: "yakkety_lp1555258.debdiff" https://bugs.launchpad.net/ubuntu/yakkety/+source/nagios-nrpe/+bug/1555258/+attachment/4873442/+files/yakkety_lp1555258.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Tags removed: verification-needed ** Tags added: verification-done-zesty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Tested 3.0.1-3ubuntu0.17.04.1 on zesty with positive result. nrpe.cfg:dont_blame_nrpe=0 [ is set this way as part of install - no editing done ] In syslog: May 4 21:36:18 cmonb nrpe[6381]: Error: Request contained command arguments, but argument option is not enabled! May 4 21:36:18 cmonb nrpe[6381]: Client request from 10.1.0.212 was invalid, bailing out... [ edited nrpe.cfg:dont_blame_nrpe=1 ] In syslog: May 4 21:37:36 cmonb nrpe[6420]: Warning: Daemon is configured to accept command arguments from clients! ... May 4 21:37:52 cmonb nrpe[6442]: Running command: /usr/lib/nagios/plugins/check_procs -C syslogd -w 1 -c 0 May 4 21:37:52 cmonb nrpe[6442]: Command completed with return code 0 and output: PROCS OK: 0 processes with command name 'syslogd' | procs=0;1;0;0; May 4 21:37:52 cmonb nrpe[6442]: Return Code: 0, Output: PROCS OK: 0 processes with command name 'syslogd' | procs=0;1;0;0; -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
It may have facilitated the review (I took the time to look) were it mentioned that there is a warning in the sample configuration file e.g.: # *** ENABLING THIS OPTION IS A SECURITY RISK! *** # Read the SECURITY file for information on some of the security implications # of enabling this variable. # # Values: 0=do not allow arguments, 1=allow command arguments ** Changed in: nagios-nrpe (Ubuntu Zesty) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
xenial_lp1555258.debdiff ** Patch added: "xenial_lp1555258.debdiff" https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4871981/+files/xenial_lp1555258.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
zesty_nagiosnrpe_lp1555258_V2.debdiff - Change the version in debian/changelog from "3.0.1-3ubuntu0.17.04.1" to "3.0.1-3ubuntu0.17.04.1" ** Patch added: "zesty_nagiosnrpe_lp1555258_V2.debdiff" https://bugs.launchpad.net/ubuntu/yakkety/+source/nagios-nrpe/+bug/1555258/+attachment/4871011/+files/zesty_nagiosnrpe_lp1555258_V2.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
zesty_nagiosnrpe_lp1555258.debdiff ** Patch added: "zesty_nagiosnrpe_lp1555258.debdiff" https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4870940/+files/zesty_nagiosnrpe_lp1555258.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
This bug was fixed in the package nagios-nrpe - 3.0.1-3ubuntu1 --- nagios-nrpe (3.0.1-3ubuntu1) artful; urgency=medium * debian/rules : Add "--enable-command-args". (LP: #1555258) This update enables the command-args support in nrpe by not ignoring option "dont_blame_nrpe=1". By default, the option is set as follow : "dont_blame_nrpe=0", which has the same effect of having the command-args support disabled at compile time like Debian does. Ubuntu has decided to deviate from Debian upstream for that particular case to allow/unblock the Ubuntu users of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. For more details as of why Debian has decided to disable the feature can be found in debian/NEWS. (closes: #756479) -- Eric DesrochersTue, 02 May 2017 08:32:36 -0400 ** Changed in: nagios-nrpe (Ubuntu Artful) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Excerpts from mynrpe-server's /var/log/syslog when running check_nrpe from mynagios-master (nrpe.cfg debug=1): Before install of xenial recompiled package: ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. May 1 20:20:06 mynrpe-server nrpe[83523]: Connection from 192.168.1.52 port 43186 May 1 20:20:06 mynrpe-server nrpe[83523]: Host address is in allowed_hosts May 1 20:20:06 mynrpe-server nrpe[83523]: Handling the connection... May 1 20:20:06 mynrpe-server nrpe[83523]: Error: Request contained command arguments! May 1 20:20:06 mynrpe-server nrpe[83523]: Client request was invalid, bailing out... After install of xenial recompiled package but nrpe.cfg dont_blame_nrpe=0 as installed (default): ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. May 1 20:22:02 mynrpe-server nrpe[84181]: Handling the connection... May 1 20:22:02 mynrpe-server nrpe[84181]: Error: Request contained command arguments, but argument option is not enabled! May 1 20:22:02 mynrpe-server nrpe[84181]: Client request was invalid, bailing out... After nrpe.cfg dont_blame_nrpe=1 (user is manually enabling command- args): May 1 20:23:31 mynrpe-server nrpe[84324]: Server listening on 0.0.0.0 port 5664. May 1 20:23:31 mynrpe-server nrpe[84324]: Server listening on :: port 5664. May 1 20:23:31 mynrpe-server nrpe[84324]: Warning: Daemon is configured to accept command arguments from clients! May 1 20:23:31 mynrpe-server nrpe[84324]: Listening for connections on port 0 May 1 20:23:31 mynrpe-server nrpe[84324]: Allowing connections from: 127.0.0.1,192.168.1.28,192.168.1.29,192.168.1.52 ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0 PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0; May 1 20:24:46 mynrpe-server nrpe[84858]: Running command: /usr/lib/nagios/plugins/check_procs -C rsyslogd -w 1 -c 0 May 1 20:24:46 mynrpe-server nrpe[84858]: Command completed with return code 2 and output: PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0; May 1 20:24:46 mynrpe-server nrpe[84858]: Return Code: 2, Output: PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0; -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Changed in: nagios-nrpe (Ubuntu Artful) Importance: Low => Medium ** Changed in: nagios-nrpe (Ubuntu Zesty) Importance: Low => Medium ** Changed in: nagios-nrpe (Ubuntu Yakkety) Importance: Low => Medium ** Changed in: nagios-nrpe (Ubuntu Xenial) Importance: Low => Medium ** Description changed: [Impact] * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. - Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. + Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. * The expectation is for Ubuntu to deviate from Debian upstream - decision to accomodate Ubuntu Nagios users. + decision to accommodate Ubuntu Nagios users. + + * Doug's comment explain well the situation : + https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/comments/6 [0] - Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 [Test Case] * This require a Nagios environment setup (Server and at least 1 client) * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. Server logs: nrpe[83523]: Connection from y.y.y.y port 43186 nrpe[83523]: Host address is in allowed_hosts nrpe[83523]: Handling the connection... ==> nrpe[83523]: Error: Request contained command arguments! ==> nrpe[83523]: Client request was invalid, bailing out.. [Regression Potential] * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually. Note that by default, the option is DISABLE in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0". * For users using the default value "dont_blame_nrpe=0", so no behavioural change. With regard to the risk, I would say it is LOW. The option is disable by default meaning that it doesn't introduce any security risk for users that doesn't rely on this feature. But it doesn't prevent the risk that non-experimented users enable the option without considering all the security risk aspects. * For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS. * Deviating from Debian upstream for that particular case will allow to unblock experimented Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. * Canonical Security team feedbacks : https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9 ... If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362: ... * COMMAND ARGUMENTS NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing! https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments Note that Artful and Zesty already has the commit mentioned by Tyler : a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS "|`&><'\\[]{};\r\n" z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS "|`&><'\\[]{};\r\n" Thus, only Xenial and Yakkety requires it. x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS "|`&><'\"\\[]{};" y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS "|`&><'\"\\[]{};" - [Other Info] * CVE-2013-1362 : Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1 [Original Description] Ubuntu 15.10 (upgraded from 12.04) Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored.
[Bug 1555258] Re: Request contained command arguments
artful_lp1555258.debdiff ** Patch added: "artful_lp1555258.debdiff" https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4870818/+files/artful_lp1555258.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Description changed: [Impact] * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. * The expectation is for Ubuntu to deviate from Debian upstream decision to accomodate Ubuntu Nagios users. [0] - Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 [Test Case] * This require a Nagios environment setup (Server and at least 1 client) * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. Server logs: nrpe[83523]: Connection from y.y.y.y port 43186 nrpe[83523]: Host address is in allowed_hosts nrpe[83523]: Handling the connection... ==> nrpe[83523]: Error: Request contained command arguments! ==> nrpe[83523]: Client request was invalid, bailing out.. [Regression Potential] * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually. Note that by default, the option is DISABLE in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0". * For users using the default value "dont_blame_nrpe=0", so no behavioural change. With regard to the risk, I would say it is LOW. The option is disable by default meaning that it doesn't introduce any security risk for users that doesn't rely on this feature. But it doesn't prevent the risk that non-experimented users enable the option without considering all the security risk aspects. * For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS. * Deviating from Debian upstream for that particular case will allow to unblock experimented Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. * Canonical Security team feedbacks : https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9 ... If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362: ... * COMMAND ARGUMENTS NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing! https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments + Note that Artful and Zesty already has the commit mentioned by Tyler : + a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS "|`&><'\\[]{};\r\n" + z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS "|`&><'\\[]{};\r\n" + + Thus, only Xenial and Yakkety requires it. + x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS "|`&><'\"\\[]{};" + y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS "|`&><'\"\\[]{};" + + [Other Info] * CVE-2013-1362 : Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1 [Original Description] Ubuntu 15.10 (upgraded from 12.04) Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored. /var/log/syslog reports: Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments! Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out... All checks of this box have stopped working since the upgrade and I would like to get to the bottom of why NRPE is not honoring my request to allow command arguments. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions --
[Bug 1555258] Re: Request contained command arguments
** Description changed: [Impact] * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. * The expectation is for Ubuntu to deviate from Debian upstream decision to accomodate Ubuntu Nagios users. [0] - Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 [Test Case] * This require a Nagios environment setup (Server and at least 1 client) * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. Server logs: nrpe[83523]: Connection from y.y.y.y port 43186 nrpe[83523]: Host address is in allowed_hosts nrpe[83523]: Handling the connection... ==> nrpe[83523]: Error: Request contained command arguments! ==> nrpe[83523]: Client request was invalid, bailing out.. [Regression Potential] * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually. Note that by default, the option is DISABLE in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0". * For users using the default value "dont_blame_nrpe=0", so no behavioural change. With regard to the risk, I would say it is LOW. The option is disable by default meaning that it doesn't introduce any security risk for users that doesn't rely on this feature. But it doesn't prevent the risk that non-experimented users enable the option without considering all the security risk aspects. * For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS. * Deviating from Debian upstream for that particular case will allow to unblock experimented Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. * Canonical Security team feedbacks : https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9 ... If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362: ... - * COMMAND ARGUMENTS NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing! https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments [Other Info] * CVE-2013-1362 : Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. - https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md - #command-arguments + https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1 [Original Description] Ubuntu 15.10 (upgraded from 12.04) Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored. /var/log/syslog reports: Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments! Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out... All checks of this box have stopped working since the upgrade and I would like to get to the bottom of why NRPE is not honoring my request to allow command arguments. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Description changed: [Impact] * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. * The expectation is for Ubuntu to deviate from Debian upstream decision to accomodate Ubuntu Nagios users. [0] - Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 [Test Case] * This require a Nagios environment setup (Server and at least 1 client) * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. Server logs: nrpe[83523]: Connection from y.y.y.y port 43186 nrpe[83523]: Host address is in allowed_hosts nrpe[83523]: Handling the connection... ==> nrpe[83523]: Error: Request contained command arguments! ==> nrpe[83523]: Client request was invalid, bailing out.. [Regression Potential] * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually. Note that by default, the option is DISABLE in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0". * For users using the default value "dont_blame_nrpe=0", so no behavioural change. With regard to the risk, I would say it is LOW. The option is disable by default meaning that it doesn't introduce any security risk for users that doesn't rely on this feature. But it doesn't prevent the risk that non-experimented users enable the option without considering all the security risk aspects. * For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS. * Deviating from Debian upstream for that particular case will allow to unblock experimented Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. * Canonical Security team feedbacks : https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9 ... If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362: ... + Note, after verification : + Xenial, Yakkety and Zesty already has the above CVE point out by Tyler. + + * COMMAND ARGUMENTS NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing! https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments [Other Info] * CVE-2013-1362 : Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md #command-arguments [Original Description] Ubuntu 15.10 (upgraded from 12.04) Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored. /var/log/syslog reports: Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments! Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out... All checks of this box have stopped working since the upgrade and I would like to get to the bottom of why NRPE is not honoring my request to allow command arguments. ** Description changed: [Impact] * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. * The expectation is for Ubuntu to deviate from Debian upstream decision to accomodate Ubuntu Nagios users. [0] - Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 [Test Case] *
[Bug 1555258] Re: Request contained command arguments
** Description changed: + [Impact] + + * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. +Debian disabled the option because there were concerns about security problems and that this feature is often used wrong [0] but there are Ubuntu users out there that know what they're doing and depend on this feature. + + * The expectation is for Ubuntu to deviate from Debian upstream + decision to accomodate Ubuntu Nagios users. + + [0] - Debian Bug: + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 + + [Test Case] + + * This require a Nagios environment setup (Server and at least 1 + client) + + * Command example run at server side using "dont_blame_nrpe" set to either 0 (false) or 1 (true) in nrpe.cfg + $ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a rsyslogd 1 0 + CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. + + May 1 20:20:06 nonrotatable-niki nrpe[83523]: Connection from 10.189.69.52 port 43186 + May 1 20:20:06 nonrotatable-niki nrpe[83523]: Host address is in allowed_hosts + May 1 20:20:06 nonrotatable-niki nrpe[83523]: Handling the connection... + ==> May 1 20:20:06 nonrotatable-niki nrpe[83523]: Error: Request contained command arguments! + ==> May 1 20:20:06 nonrotatable-niki nrpe[83523]: Client request was invalid, bailing out.. + + [Regression Potential] + + * This update enables the command-args (at compile time) support in nrpe by NOT ignoring option "dont_blame_nrpe=1" IFF set manually. +Note that by default, the option is DISABLE in the configuration file (nrpe.cfg) : "dont_blame_nrpe=0". + + * For users using the default value "dont_blame_nrpe=0", so no behavioural change. With regard to the risk, I would say it is LOW. +The option is disable by default meaning that it doesn't introduce any security risk for users that doesn't rely on this feature. +But it doesn't prevent the risk that non-experimented users enable the option without considering all the security risk aspects. + + * For users choosing to manually enable this option, the risk is HIGHER, but we assume that before enabling this option the users are considering the PROS and CONS. + + * Deviating from Debian upstream for that particular case will allow to unblock experimented Ubuntu users (who know what they are doing) of nrpe to make the choice for themselves whether to +accept the security risks that the feature involve by manually enabling command-args in nrpe.cfg or not. + + * Canonical Security team feedbacks : + https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9 + +... +If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362: +... + + * COMMAND ARGUMENTS +NRPE 2.0 includes the ability for clients to supply arguments to commands which should be run. Please note that this feature should be considered a security risk, and you should only use it if you know what you're doing! + https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments + + + [Other Info] + + + * CVE-2013-1362 : + https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments + + + [Original Description] + Ubuntu 15.10 (upgraded from 12.04) Have tried a full purged removal of nagios-nrpe-server and reinstall however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being ignored. /var/log/syslog reports: Mar 9 12:33:58 myhost nrpe[17153]: Error: Request contained command arguments! Mar 9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out... All checks of this box have stopped working since the upgrade and I would like to get to the bottom of why NRPE is not honoring my request to allow command arguments. ** Also affects: nagios-nrpe (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: nagios-nrpe (Ubuntu Artful) Importance: Undecided Status: Confirmed ** Also affects: nagios-nrpe (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: nagios-nrpe (Ubuntu Zesty) Importance: Undecided Status: New ** Changed in: nagios-nrpe (Ubuntu Xenial) Status: New => Confirmed ** Changed in: nagios-nrpe (Ubuntu Yakkety) Status: New => Confirmed ** Changed in: nagios-nrpe (Ubuntu Zesty) Status: New => Confirmed ** Description changed: [Impact] - * Debian upstream maintainer decided to compile without "-enable-command-args" as describe in debian/NEWS file. This decision have the effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by not allowing command argument in the deamon. -Debian
[Bug 1555258] Re: Request contained command arguments
I feel like this would be acceptable, from a security standpoint, to enable at build time. It would be disabled by default and upstream makes it clear that it should only be enabled if you know what you're doing: https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md #command-arguments After reading bug reports and comments on social media, I have to assume that there are users out there that know what they're doing and depend on this feature. If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362: https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1 There's no need to take this change through the security pocket since the current package is not vulnerable to CVE-2013-1362. It can take the normal SRU route directly to the updates pocket. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-1362 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: nagios-nrpe (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Tags added: sts -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
I have reverted the release nomination approval for this bug until Ubuntu (e.g Foundation team, ~ubuntu-sru, ...) come up with a final official position with regard to comment #6 from my colleague Doug. Thanks ! ** No longer affects: nagios-nrpe (Ubuntu Zesty) ** No longer affects: nagios-nrpe (Ubuntu Yakkety) ** No longer affects: nagios-nrpe (Ubuntu Xenial) ** No longer affects: nagios-nrpe (Ubuntu Trusty) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Also affects: nagios-nrpe (Ubuntu Zesty) Importance: Undecided Status: New ** Also affects: nagios-nrpe (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: nagios-nrpe (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: nagios-nrpe (Ubuntu Trusty) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Changed in: nagios-nrpe (Ubuntu) Status: Invalid => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
>From reading the Debian bug #756479 cited above, it appears there was considerable impact to users whose Nagios monitors depended on this feature when upgraded to 2.15. Some users of NRPE are customers of Canonical's, one of whom I support as a Dedicated Support Engineer. This customer would like to monitor its relatively new Ubuntu/Juju/Openstack clouds from its existing Nagios master which utilizes this feature for some of their check_nrpe calls. Would Canonical/Ubuntu reconsider Debian's decision with regard to the build for Ubuntu? This would allow customers to use Canonical-supported packages and make their own decision whether to accept the security risks of enabling the feature. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
** Changed in: nagios-nrpe (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
nagios-nrpe (2.15-1) has disabled command-args, and this feature won't be re-enabled in the foreseeable future. ** Also affects: nagios-nrpe (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 Importance: Unknown Status: Unknown ** Changed in: nagios-nrpe (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
This is the same issue https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/975918 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 ** Bug watch added: Debian Bug tracker #756479 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: nagios-nrpe (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1555258] Re: Request contained command arguments
I have the same problem, seems that debian removed the setting dont_blame_nrpe=1 http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe /nagios-nrpe_2.15-1_changelog [eec54b6] Adjust README.Debian for the removal or argument processing Running Ubuntu 16.04 LTS nagios-nrpe-plugin 2.15-0ubuntu1 amd64 Nagios Remote Plugin Executor Plugin nagios-nrpe-server 2.15-1ubuntu1 amd64 Nagios Remote Plugin Executor Server -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1555258 Title: Request contained command arguments To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs