[Bug 1555258] Re: Request contained command arguments

2017-05-16 Thread Launchpad Bug Tracker
This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu3

---
nagios-nrpe (2.15-1ubuntu3) yakkety; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follows : "dont_blame_nrpe=0", which
    has the same effect as having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involves by manually enabling command-args in nrpe.cfg or not.
    More details as to why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

  * [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258)
    As requested by the security team.

 -- Eric Desrochers   Mon, 08 May 2017 08:01:10 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1555258

Title:
  Request contained command arguments

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
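
The behaviour the changelog above describes can be audited per host. The following is an added example, not code from the nagios-nrpe package or from anyone in this thread: it reads nrpe.cfg text and syslog lines and reports whether a host accepts client arguments, has the option set but ignored by its build, or has it disabled. The message texts are taken from the syslog excerpts quoted later in the thread; host names, PIDs and config contents are constructed, and it assumes that a later dont_blame_nrpe assignment overrides an earlier one and that include files are not followed.

```python
import re
from collections import Counter

# Message texts copied from the syslog excerpts quoted in this thread.
REJECT_NO_SUPPORT = "Error: Request contained command arguments!"
REJECT_DISABLED = ("Error: Request contained command arguments, "
                   "but argument option is not enabled!")
ARGS_ENABLED = ("Warning: Daemon is configured to accept command "
                "arguments from clients!")
RUNNING = "Running command: "

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\snrpe\[\d+\]:\s(?P<msg>.*)$")


def effective_dont_blame_nrpe(cfg_text):
    """Return the dont_blame_nrpe value a config text ends up with.

    Assumptions (not stated in the thread): a later assignment overrides
    an earlier one, an absent option means 0, and files pulled in by
    include directives are not followed.
    """
    value = 0
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "dont_blame_nrpe":
            value = 1 if val.strip() == "1" else 0
    return value


def classify(log_lines):
    """Count the nrpe events of interest, per host."""
    seen = {}
    for line in log_lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        if msg == REJECT_NO_SUPPORT:
            kind = "rejected_no_support"   # build without command-args
        elif msg == REJECT_DISABLED:
            kind = "rejected_disabled"     # build with it, option is 0
        elif msg == ARGS_ENABLED:
            kind = "args_enabled"          # daemon start-up warning
        elif msg.startswith(RUNNING):
            kind = "ran_command"           # only logged with debug=1
        else:
            continue
        seen.setdefault(m.group("host"), Counter())[kind] += 1
    return seen


def assess(cfg_value, events):
    """Combine the configured value with what the daemon logged."""
    if cfg_value == 1:
        if events.get("args_enabled"):
            return "ENABLED"
        if events.get("rejected_no_support"):
            # Set in nrpe.cfg but ignored by this build; a package built
            # with --enable-command-args will start honouring it.
            return "IGNORED_BY_BUILD"
        return "ENABLED_UNCONFIRMED"
    if events.get("rejected_disabled") or events.get("rejected_no_support"):
        return "DISABLED_CLIENTS_SEND_ARGS"
    return "DISABLED"


def report(configs, log_lines):
    """Map each host name to its verdict."""
    events = classify(log_lines)
    return {host: assess(effective_dont_blame_nrpe(cfg),
                         events.get(host, Counter()))
            for host, cfg in configs.items()}


# Constructed sample input (hosts, PIDs and configs are made up).
SAMPLE_CONFIGS = {
    "host-a": "dont_blame_nrpe=1\n",
    "host-b": "# package default\ndont_blame_nrpe=0\n",
    "host-c": "dont_blame_nrpe=0\nallowed_hosts=127.0.0.1\ndont_blame_nrpe=1\n",
    "host-d": "allowed_hosts=127.0.0.1\n",
}
SAMPLE_LOG = [
    "May  1 20:20:06 host-a nrpe[101]: " + REJECT_NO_SUPPORT,
    "May  1 20:20:06 host-a nrpe[101]: Client request was invalid, bailing out...",
    "May  1 20:22:02 host-b nrpe[202]: " + REJECT_DISABLED,
    "May  1 20:23:31 host-c nrpe[303]: " + ARGS_ENABLED,
    "May  1 20:24:46 host-c nrpe[304]: Running command: "
    "/usr/lib/nagios/plugins/check_procs -C rsyslogd -w 1 -c 0",
]

if __name__ == "__main__":
    for host, verdict in sorted(report(SAMPLE_CONFIGS, SAMPLE_LOG).items()):
        print(host, verdict)
```

Hosts reported as IGNORED_BY_BUILD are the ones to review before installing the updated package, since the setting they already carry starts to apply once command-args support is compiled in.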


[Bug 1555258] Re: Request contained command arguments

2017-05-16 Thread Launchpad Bug Tracker
This bug was fixed in the package nagios-nrpe - 2.15-1ubuntu1.1

---
nagios-nrpe (2.15-1ubuntu1.1) xenial; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follows : "dont_blame_nrpe=0", which
    has the same effect as having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involves by manually enabling command-args in nrpe.cfg or not.
    More details as to why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

  * [5bf9b20] Add 10_remote_execution_exploit_fix.dpatch patch (LP: #1555258)
    As requested by the security team.

 -- Eric Desrochers   Tue, 02 May 2017 14:21:47 -0400

** Changed in: nagios-nrpe (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** Changed in: nagios-nrpe (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released



[Bug 1555258] Re: Request contained command arguments

2017-05-15 Thread Launchpad Bug Tracker
This bug was fixed in the package nagios-nrpe - 3.0.1-3ubuntu0.17.04.1

---
nagios-nrpe (3.0.1-3ubuntu0.17.04.1) zesty; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follows : "dont_blame_nrpe=0", which
    has the same effect as having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involves by manually enabling command-args in nrpe.cfg or not.
    More details as to why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

 -- Eric Desrochers   Tue, 02 May 2017 09:09:29 -0400

** Changed in: nagios-nrpe (Ubuntu Zesty)
   Status: Fix Committed => Fix Released



[Bug 1555258] Re: Request contained command arguments

2017-05-15 Thread Eric Desrochers
Thanks François Blondel for the feedback.


[Bug 1555258] Re: Request contained command arguments

2017-05-11 Thread François Blondel
Also tested nagios-nrpe-server 2.15-1ubuntu1.1 on xenial, works as
expected, same as in comment #18.



[Bug 1555258] Re: Request contained command arguments

2017-05-11 Thread Eric Desrochers
** Changed in: nagios-nrpe (Ubuntu Xenial)
   Status: Fix Released => Fix Committed



[Bug 1555258] Re: Request contained command arguments

2017-05-11 Thread François Blondel
Sorry, misclicked myself, but I haven't the rights to revert my change
:(


** Changed in: nagios-nrpe (Ubuntu Xenial)
   Status: Fix Committed => Fix Released



[Bug 1555258] Re: Request contained command arguments

2017-05-08 Thread Eric Desrochers
Thanks Doug for the testing on all affected stable releases.

** Tags removed: sts verification-needed
** Tags added: verification-done-xenial verification-done-yakkety



[Bug 1555258] Re: Request contained command arguments

2017-05-08 Thread Doug Parrish
tested nagios-nrpe-server
  2.15-1ubuntu3 on yakkety
  2.15-1ubuntu1.1 on xenial

Both tests yielded same result as described in comment #18, i.e.
positive, as intended.



[Bug 1555258] Re: Request contained command arguments

2017-05-08 Thread Łukasz Zemczak
Hello Michael, or anyone else affected,

Accepted nagios-nrpe into yakkety-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/nagios-nrpe/2.15-1ubuntu3 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: nagios-nrpe (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

** Changed in: nagios-nrpe (Ubuntu Xenial)
   Status: In Progress => Fix Committed



[Bug 1555258] Re: Request contained command arguments

2017-05-08 Thread Eric Desrochers
yakkety_lp1555258.debdiff

** Patch added: "yakkety_lp1555258.debdiff"
   
https://bugs.launchpad.net/ubuntu/yakkety/+source/nagios-nrpe/+bug/1555258/+attachment/4873442/+files/yakkety_lp1555258.debdiff



[Bug 1555258] Re: Request contained command arguments

2017-05-04 Thread Eric Desrochers
** Tags removed: verification-needed
** Tags added: verification-done-zesty



[Bug 1555258] Re: Request contained command arguments

2017-05-04 Thread Doug Parrish
Tested 3.0.1-3ubuntu0.17.04.1 on zesty with positive result.

nrpe.cfg:dont_blame_nrpe=0  [ is set this way as part of install - no editing done ]

In syslog:
May  4 21:36:18 cmonb nrpe[6381]: Error: Request contained command arguments, but argument option is not enabled!
May  4 21:36:18 cmonb nrpe[6381]: Client request from 10.1.0.212 was invalid, bailing out...


[ edited nrpe.cfg:dont_blame_nrpe=1 ]

In syslog:
May  4 21:37:36 cmonb nrpe[6420]: Warning: Daemon is configured to accept command arguments from clients!
...
May  4 21:37:52 cmonb nrpe[6442]: Running command: /usr/lib/nagios/plugins/check_procs -C syslogd -w 1 -c 0
May  4 21:37:52 cmonb nrpe[6442]: Command completed with return code 0 and output: PROCS OK: 0 processes with command name 'syslogd' | procs=0;1;0;0;
May  4 21:37:52 cmonb nrpe[6442]: Return Code: 0, Output: PROCS OK: 0 processes with command name 'syslogd' | procs=0;1;0;0;



[Bug 1555258] Re: Request contained command arguments

2017-05-04 Thread Brian Murray
It may have facilitated the review (I took the time to look) were it
mentioned that there is a warning in the sample configuration file e.g.:

# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments


** Changed in: nagios-nrpe (Ubuntu Zesty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed



[Bug 1555258] Re: Request contained command arguments

2017-05-04 Thread Eric Desrochers
xenial_lp1555258.debdiff

** Patch added: "xenial_lp1555258.debdiff"
   
https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4871981/+files/xenial_lp1555258.debdiff



[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
zesty_nagiosnrpe_lp1555258_V2.debdiff

- Change the version in debian/changelog from "3.0.1-3ubuntu0.17.04.1"
to "3.0.1-3ubuntu0.17.04.1"

** Patch added: "zesty_nagiosnrpe_lp1555258_V2.debdiff"
   
https://bugs.launchpad.net/ubuntu/yakkety/+source/nagios-nrpe/+bug/1555258/+attachment/4871011/+files/zesty_nagiosnrpe_lp1555258_V2.debdiff



[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
zesty_nagiosnrpe_lp1555258.debdiff

** Patch added: "zesty_nagiosnrpe_lp1555258.debdiff"
   
https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4870940/+files/zesty_nagiosnrpe_lp1555258.debdiff



[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Launchpad Bug Tracker
This bug was fixed in the package nagios-nrpe - 3.0.1-3ubuntu1

---
nagios-nrpe (3.0.1-3ubuntu1) artful; urgency=medium

  * debian/rules : Add "--enable-command-args". (LP: #1555258)
    This update enables the command-args support in nrpe
    by not ignoring option "dont_blame_nrpe=1". By default,
    the option is set as follows : "dont_blame_nrpe=0", which
    has the same effect as having the command-args support
    disabled at compile time like Debian does. Ubuntu has decided
    to deviate from Debian upstream for that particular case to
    allow/unblock the Ubuntu users of nrpe to make the choice for
    themselves whether to accept the security risks that the feature
    involves by manually enabling command-args in nrpe.cfg or not.
    More details as to why Debian has decided to disable the
    feature can be found in debian/NEWS. (closes: #756479)

 -- Eric Desrochers   Tue, 02 May 2017 08:32:36 -0400

** Changed in: nagios-nrpe (Ubuntu Artful)
   Status: In Progress => Fix Released



[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Doug Parrish
Excerpts from mynrpe-server's /var/log/syslog when running check_nrpe
from mynagios-master (nrpe.cfg debug=1):

Before install of xenial recompiled package:

ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0
CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.


May  1 20:20:06 mynrpe-server nrpe[83523]: Connection from 192.168.1.52 port 43186
May  1 20:20:06 mynrpe-server nrpe[83523]: Host address is in allowed_hosts
May  1 20:20:06 mynrpe-server nrpe[83523]: Handling the connection...
May  1 20:20:06 mynrpe-server nrpe[83523]: Error: Request contained command arguments!
May  1 20:20:06 mynrpe-server nrpe[83523]: Client request was invalid, bailing out...


After install of xenial recompiled package but nrpe.cfg
dont_blame_nrpe=0 as installed (default):

ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0
CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.


May  1 20:22:02 mynrpe-server nrpe[84181]: Handling the connection...
May  1 20:22:02 mynrpe-server nrpe[84181]: Error: Request contained command arguments, but argument option is not enabled!
May  1 20:22:02 mynrpe-server nrpe[84181]: Client request was invalid, bailing out...


After nrpe.cfg dont_blame_nrpe=1 (user is manually enabling
command-args):

May  1 20:23:31 mynrpe-server nrpe[84324]: Server listening on 0.0.0.0 port 5664.
May  1 20:23:31 mynrpe-server nrpe[84324]: Server listening on :: port 5664.
May  1 20:23:31 mynrpe-server nrpe[84324]: Warning: Daemon is configured to accept command arguments from clients!
May  1 20:23:31 mynrpe-server nrpe[84324]: Listening for connections on port 0
May  1 20:23:31 mynrpe-server nrpe[84324]: Allowing connections from: 127.0.0.1,192.168.1.28,192.168.1.29,192.168.1.52


ubuntu@mynagios-master:~$ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.12 -p 5664 -c check_procs -a rsyslogd 1 0
PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0;


May  1 20:24:46 mynrpe-server nrpe[84858]: Running command: /usr/lib/nagios/plugins/check_procs -C rsyslogd -w 1 -c 0
May  1 20:24:46 mynrpe-server nrpe[84858]: Command completed with return code 2 and output: PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0;
May  1 20:24:46 mynrpe-server nrpe[84858]: Return Code: 2, Output: PROCS CRITICAL: 1 process with command name 'rsyslogd' | procs=1;1;0;0;



[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
** Changed in: nagios-nrpe (Ubuntu Artful)
   Importance: Low => Medium

** Changed in: nagios-nrpe (Ubuntu Zesty)
   Importance: Low => Medium

** Changed in: nagios-nrpe (Ubuntu Yakkety)
   Importance: Low => Medium

** Changed in: nagios-nrpe (Ubuntu Xenial)
   Importance: Low => Medium

** Description changed:

  [Impact]
  
   * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
-    Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
+ Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
  
   * The expectation is for Ubuntu to deviate from Debian upstream
- decision to accomodate Ubuntu Nagios users.
+ decision to accommodate Ubuntu Nagios users.
+ 
+ * Doug's comment explain well the situation :
+ 
https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/comments/6
  
  [0] - Debian Bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
  
  [Test Case]
  
   * This require a Nagios environment setup (Server and at least 1
  client)
  
   * Command example run at server side using "dont_blame_nrpe" set to either 0 
(false) or 1 (true) in nrpe.cfg
  $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a 
rsyslogd 1 0
  CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for 
error messages.
  
  Server logs:
  nrpe[83523]: Connection from y.y.y.y port 43186
  nrpe[83523]: Host address is in allowed_hosts
  nrpe[83523]: Handling the connection...
  ==> nrpe[83523]: Error: Request contained command arguments!
  ==> nrpe[83523]: Client request was invalid, bailing out..
  
  [Regression Potential]
  
   * This update enables the command-args (at compile time) support in nrpe by 
NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
     Note that by default, the option is DISABLE in the configuration file 
(nrpe.cfg) : "dont_blame_nrpe=0".
  
   * For users using the default value "dont_blame_nrpe=0", so no behavioural 
change. With regard to the risk, I would say it is LOW.
     The option is disable by default meaning that it doesn't introduce any 
security risk for users that doesn't rely on this feature.
     But it doesn't prevent the risk that non-experimented users enable the 
option without considering all the security risk aspects.
  
   * For users choosing to manually enable this option, the risk is
  HIGHER, but we assume that before enabling this option the users are
  considering the PROS and CONS.
  
   * Deviating from Debian upstream for that particular case will allow to 
unblock experimented Ubuntu users (who know what they are doing) of nrpe to 
make the choice for themselves whether to
     accept the security risks that the feature involve by manually enabling 
command-args in nrpe.cfg or not.
  
   * Canonical Security team feedbacks :
     
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9
  
     ...
     If this feature is enabled in an SRU, the upload must include the fix for 
CVE-2013-1362:
     ...
  
   * COMMAND ARGUMENTS
     NRPE 2.0 includes the ability for clients to supply arguments to commands 
which should be run. Please note that this feature should be considered a 
security risk, and you should only use it if you know what you're doing!
     
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
  
  Note that Artful and Zesty already has the commit mentioned by Tyler :
  a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\\[]{};\r\n"
  z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\\[]{};\r\n"
  
  Thus, only Xenial and Yakkety requires it.
  x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS 
"|`&><'\"\\[]{};"
  y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS 
"|`&><'\"\\[]{};"
  
- 
  [Other Info]
  
  * CVE-2013-1362 :
  
  Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
  Executor (NRPE) before 2.14 might allow remote attackers to execute
  arbitrary shell commands via "$()" shell metacharacters, which are
  processed by bash.
  
  
https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1
  
  [Original Description]
  
  Ubuntu 15.10 (upgraded from 12.04)
  
  Have tried a full purged removal of nagios-nrpe-server and reinstall
  however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
  ignored.
  
  

[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
artful_lp1555258.debdiff

** Patch added: "artful_lp1555258.debdiff"
   
https://bugs.launchpad.net/ubuntu/xenial/+source/nagios-nrpe/+bug/1555258/+attachment/4870818/+files/artful_lp1555258.debdiff



[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
** Description changed:

  [Impact]
  
   * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
     Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
  
   * The expectation is for Ubuntu to deviate from Debian upstream
  decision to accomodate Ubuntu Nagios users.
  
  [0] - Debian Bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
  
  [Test Case]
  
   * This require a Nagios environment setup (Server and at least 1
  client)
  
   * Command example run at server side using "dont_blame_nrpe" set to either 0 
(false) or 1 (true) in nrpe.cfg
  $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a 
rsyslogd 1 0
  CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for 
error messages.
  
  Server logs:
  nrpe[83523]: Connection from y.y.y.y port 43186
  nrpe[83523]: Host address is in allowed_hosts
  nrpe[83523]: Handling the connection...
  ==> nrpe[83523]: Error: Request contained command arguments!
  ==> nrpe[83523]: Client request was invalid, bailing out..
  
  [Regression Potential]
  
   * This update enables the command-args (at compile time) support in nrpe by 
NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
     Note that by default, the option is DISABLE in the configuration file 
(nrpe.cfg) : "dont_blame_nrpe=0".
  
   * For users using the default value "dont_blame_nrpe=0", so no behavioural 
change. With regard to the risk, I would say it is LOW.
     The option is disable by default meaning that it doesn't introduce any 
security risk for users that doesn't rely on this feature.
     But it doesn't prevent the risk that non-experimented users enable the 
option without considering all the security risk aspects.
  
   * For users choosing to manually enable this option, the risk is
  HIGHER, but we assume that before enabling this option the users are
  considering the PROS and CONS.
  
   * Deviating from Debian upstream for that particular case will allow to 
unblock experimented Ubuntu users (who know what they are doing) of nrpe to 
make the choice for themselves whether to
     accept the security risks that the feature involve by manually enabling 
command-args in nrpe.cfg or not.
  
   * Canonical Security team feedbacks :
     
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9
  
     ...
     If this feature is enabled in an SRU, the upload must include the fix for 
CVE-2013-1362:
     ...
  
   * COMMAND ARGUMENTS
     NRPE 2.0 includes the ability for clients to supply arguments to commands 
which should be run. Please note that this feature should be considered a 
security risk, and you should only use it if you know what you're doing!
     
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
  
+ Note that Artful and Zesty already has the commit mentioned by Tyler :
+ a/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\\[]{};\r\n"
+ z/nagios-nrpe-3.0.1/src/nrpe.c:#define NASTY_METACHARS
"|`&><'\\[]{};\r\n"
+ 
+ Thus, only Xenial and Yakkety requires it.
+ x/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS 
"|`&><'\"\\[]{};"
+ y/nagios-nrpe-2.15/src/nrpe.c:#define NASTY_METACHARS 
"|`&><'\"\\[]{};"
+ 
+ 
  [Other Info]
  
  * CVE-2013-1362 :
  
  Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
  Executor (NRPE) before 2.14 might allow remote attackers to execute
  arbitrary shell commands via "$()" shell metacharacters, which are
  processed by bash.
  
  
https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1
  
  [Original Description]
  
  Ubuntu 15.10 (upgraded from 12.04)
  
  Have tried a full purged removal of nagios-nrpe-server and reinstall
  however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
  ignored.
  
  /var/log/syslog reports:
  
  Mar  9 12:33:58 myhost nrpe[17153]: Error: Request contained command 
arguments!
  Mar  9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...
  
  All checks of this box have stopped working since the upgrade and I
  would like to get to the bottom of why NRPE is not honoring my request
  to allow command arguments.
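
Review bot: in the added NASTY_METACHARS note, the two quoted definitions differ in two ways, and the text does not say which difference matters. The 3.0.1 string shown for Artful and Zesty ends in \r\n and has no double quote, while the 2.15 string shown for Xenial and Yakkety has the double quote and no \r\n. Stating which of these the Xenial and Yakkety patch is meant to bring in would let a tester confirm "only Xenial and Yakkety requires it" by checking src/nrpe.c in the patched source.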

[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
** Description changed:

  [Impact]
  
   * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
     Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
  
   * The expectation is for Ubuntu to deviate from Debian upstream
  decision to accomodate Ubuntu Nagios users.
  
  [0] - Debian Bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
  
  [Test Case]
  
   * This require a Nagios environment setup (Server and at least 1
  client)
  
   * Command example run at server side using "dont_blame_nrpe" set to either 0 
(false) or 1 (true) in nrpe.cfg
  $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a 
rsyslogd 1 0
  CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for 
error messages.
  
  Server logs:
  nrpe[83523]: Connection from y.y.y.y port 43186
  nrpe[83523]: Host address is in allowed_hosts
  nrpe[83523]: Handling the connection...
  ==> nrpe[83523]: Error: Request contained command arguments!
  ==> nrpe[83523]: Client request was invalid, bailing out..
  
  [Regression Potential]
  
   * This update enables the command-args (at compile time) support in nrpe by 
NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
     Note that by default, the option is DISABLE in the configuration file 
(nrpe.cfg) : "dont_blame_nrpe=0".
  
   * For users using the default value "dont_blame_nrpe=0", so no behavioural 
change. With regard to the risk, I would say it is LOW.
     The option is disable by default meaning that it doesn't introduce any 
security risk for users that doesn't rely on this feature.
     But it doesn't prevent the risk that non-experimented users enable the 
option without considering all the security risk aspects.
  
   * For users choosing to manually enable this option, the risk is
  HIGHER, but we assume that before enabling this option the users are
  considering the PROS and CONS.
  
   * Deviating from Debian upstream for that particular case will allow to 
unblock experimented Ubuntu users (who know what they are doing) of nrpe to 
make the choice for themselves whether to
     accept the security risks that the feature involve by manually enabling 
command-args in nrpe.cfg or not.
  
   * Canonical Security team feedbacks :
     
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9
  
     ...
     If this feature is enabled in an SRU, the upload must include the fix for 
CVE-2013-1362:
     ...
  
- 
   * COMMAND ARGUMENTS
     NRPE 2.0 includes the ability for clients to supply arguments to commands 
which should be run. Please note that this feature should be considered a 
security risk, and you should only use it if you know what you're doing!
     
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
  
  [Other Info]
  
  * CVE-2013-1362 :
  
  Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
  Executor (NRPE) before 2.14 might allow remote attackers to execute
  arbitrary shell commands via "$()" shell metacharacters, which are
  processed by bash.
  
- https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md
- #command-arguments
+ 
https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1
  
  [Original Description]
  
  Ubuntu 15.10 (upgraded from 12.04)
  
  Have tried a full purged removal of nagios-nrpe-server and reinstall
  however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
  ignored.
  
  /var/log/syslog reports:
  
  Mar  9 12:33:58 myhost nrpe[17153]: Error: Request contained command 
arguments!
  Mar  9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...
  
  All checks of this box have stopped working since the upgrade and I
  would like to get to the bottom of why NRPE is not honoring my request
  to allow command arguments.


[Bug 1555258] Re: Request contained command arguments

2017-05-02 Thread Eric Desrochers
** Description changed:

  [Impact]
  
   * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
     Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
  
   * The expectation is for Ubuntu to deviate from Debian upstream
  decision to accomodate Ubuntu Nagios users.
  
  [0] - Debian Bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
  
  [Test Case]
  
   * This require a Nagios environment setup (Server and at least 1
  client)
  
   * Command example run at server side using "dont_blame_nrpe" set to either 0 
(false) or 1 (true) in nrpe.cfg
  $ /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c check_procs -a 
rsyslogd 1 0
  CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for 
error messages.
  
  Server logs:
  nrpe[83523]: Connection from y.y.y.y port 43186
  nrpe[83523]: Host address is in allowed_hosts
  nrpe[83523]: Handling the connection...
  ==> nrpe[83523]: Error: Request contained command arguments!
  ==> nrpe[83523]: Client request was invalid, bailing out..
  
  [Regression Potential]
  
   * This update enables the command-args (at compile time) support in nrpe by 
NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
     Note that by default, the option is DISABLE in the configuration file 
(nrpe.cfg) : "dont_blame_nrpe=0".
  
   * For users using the default value "dont_blame_nrpe=0", so no behavioural 
change. With regard to the risk, I would say it is LOW.
     The option is disable by default meaning that it doesn't introduce any 
security risk for users that doesn't rely on this feature.
     But it doesn't prevent the risk that non-experimented users enable the 
option without considering all the security risk aspects.
  
   * For users choosing to manually enable this option, the risk is
  HIGHER, but we assume that before enabling this option the users are
  considering the PROS and CONS.
  
   * Deviating from Debian upstream for that particular case will allow to 
unblock experimented Ubuntu users (who know what they are doing) of nrpe to 
make the choice for themselves whether to
     accept the security risks that the feature involve by manually enabling 
command-args in nrpe.cfg or not.
  
   * Canonical Security team feedbacks :
     
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9
  
     ...
     If this feature is enabled in an SRU, the upload must include the fix for 
CVE-2013-1362:
     ...
  
+ Note, after verification :
+ Xenial, Yakkety and Zesty already has the above CVE point out by Tyler.
+ 
+ 
   * COMMAND ARGUMENTS
     NRPE 2.0 includes the ability for clients to supply arguments to commands 
which should be run. Please note that this feature should be considered a 
security risk, and you should only use it if you know what you're doing!
     
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
  
  [Other Info]
  
  * CVE-2013-1362 :
  
  Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
  Executor (NRPE) before 2.14 might allow remote attackers to execute
  arbitrary shell commands via "$()" shell metacharacters, which are
  processed by bash.
  
  https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md
  #command-arguments
  
  [Original Description]
  
  Ubuntu 15.10 (upgraded from 12.04)
  
  Have tried a full purged removal of nagios-nrpe-server and reinstall
  however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
  ignored.
  
  /var/log/syslog reports:
  
  Mar  9 12:33:58 myhost nrpe[17153]: Error: Request contained command 
arguments!
  Mar  9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...
  
  All checks of this box have stopped working since the upgrade and I
  would like to get to the bottom of why NRPE is not honoring my request
  to allow command arguments.

** Description changed:

  [Impact]
  
   * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
     Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
  
   * The expectation is for Ubuntu to deviate from Debian upstream
  decision to accomodate Ubuntu Nagios users.
  
  [0] - Debian Bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
  
  [Test Case]
  
   * 

[Bug 1555258] Re: Request contained command arguments

2017-05-01 Thread Eric Desrochers
** Description changed:

+ [Impact]
+ 
+  * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
+Debian disabled the option because there were concerns about security 
problems and that this feature is often used wrong [0] but there are Ubuntu 
users out there that know what they're doing and depend on this feature.
+ 
+  * The expectation is for Ubuntu to deviate from Debian upstream
+ decision to accomodate Ubuntu Nagios users.
+ 
+ [0] - Debian Bug:
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
+ 
+ [Test Case]
+ 
+  * This require a Nagios environment setup (Server and at least 1
+ client)
+ 
+  * Command example run at server side using "dont_blame_nrpe" set to either 0 
(false) or 1 (true) in nrpe.cfg 
+ $ sudo -unagios /usr/lib/nagios/plugins/check_nrpe -H x.x.x.x -p 5664 -c 
check_procs -a rsyslogd 1 0
+ CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for 
error messages.
+ 
+ May  1 20:20:06 nonrotatable-niki nrpe[83523]: Connection from 10.189.69.52 
port 43186
+ May  1 20:20:06 nonrotatable-niki nrpe[83523]: Host address is in 
allowed_hosts
+ May  1 20:20:06 nonrotatable-niki nrpe[83523]: Handling the connection...
+ ==> May  1 20:20:06 nonrotatable-niki nrpe[83523]: Error: Request contained 
command arguments!
+ ==> May  1 20:20:06 nonrotatable-niki nrpe[83523]: Client request was 
invalid, bailing out..
+ 
+ [Regression Potential]
+ 
+  * This update enables the command-args (at compile time) support in nrpe by 
NOT ignoring option "dont_blame_nrpe=1" IFF set manually.
+Note that by default, the option is DISABLE in the configuration file 
(nrpe.cfg) : "dont_blame_nrpe=0".
+ 
+  * For users using the default value "dont_blame_nrpe=0", so no behavioural 
change. With regard to the risk, I would say it is LOW. 
+The option is disable by default meaning that it doesn't introduce any 
security risk for users that doesn't rely on this feature.
+But it doesn't prevent the risk that non-experimented users enable the 
option without considering all the security risk aspects.
+  
+  * For users choosing to manually enable this option, the risk is HIGHER, but 
we assume that before enabling this option the users are considering the PROS 
and CONS.
+ 
+  * Deviating from Debian upstream for that particular case will allow to 
unblock experimented Ubuntu users (who know what they are doing) of nrpe to 
make the choice for themselves whether to 
+accept the security risks that the feature involve by manually enabling 
command-args in nrpe.cfg or not.
+ 
+  * Canonical Security team feedbacks :
+
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1555258/comments/9
+ 
+...
+If this feature is enabled in an SRU, the upload must include the fix for 
CVE-2013-1362:
+...
+ 
+  * COMMAND ARGUMENTS
+NRPE 2.0 includes the ability for clients to supply arguments to commands 
which should be run. Please note that this feature should be considered a 
security risk, and you should only use it if you know what you're doing!
+
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
+ 
+ 
+ [Other Info]
+  
+ 
+ * CVE-2013-1362 :
+ 
https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments
+ 
+ 
+ [Original Description]
+ 
  Ubuntu 15.10 (upgraded from 12.04)
  
  Have tried a full purged removal of nagios-nrpe-server and reinstall
  however the "dont_blame_nrpe=1" setting in nrpe.cfg is still being
  ignored.
  
  /var/log/syslog reports:
  
  Mar  9 12:33:58 myhost nrpe[17153]: Error: Request contained command 
arguments!
  Mar  9 12:33:58 myhost nrpe[17153]: Client request was invalid, bailing out...
  
  All checks of this box have stopped working since the upgrade and I
  would like to get to the bottom of why NRPE is not honoring my request
  to allow command arguments.

** Also affects: nagios-nrpe (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: nagios-nrpe (Ubuntu Artful)
   Importance: Undecided
   Status: Confirmed

** Also affects: nagios-nrpe (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: nagios-nrpe (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: nagios-nrpe (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: nagios-nrpe (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: nagios-nrpe (Ubuntu Zesty)
   Status: New => Confirmed

** Description changed:

  [Impact]
  
-  * Debian upstream maintainer decided to compile without 
"-enable-command-args" as describe in debian/NEWS file. This decision have the 
effect of ignoring the following directive : "dont_blame_nrpe=1" in nrpe.cfg by 
not allowing command argument in the deamon.
-Debian 

[Bug 1555258] Re: Request contained command arguments

2017-05-01 Thread Tyler Hicks
I feel like this would be acceptable, from a security standpoint, to
enable at build time. It would be disabled by default and upstream makes
it clear that it should only be enabled if you know what you're doing:

  https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments

After reading bug reports and comments on social media, I have to assume
that there are users out there that know what they're doing and depend
on this feature.

If this feature is enabled in an SRU, the upload must include the fix
for CVE-2013-1362:

https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1

There's no need to take this change through the security pocket since
the current package is not vulnerable to CVE-2013-1362. It can take the
normal SRU route directly to the updates pocket.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1362

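Added example (not part of this thread and not nrpe's own code): a C illustration of the incomplete-blacklist problem that the CVE-2013-1362 text describes, using the two NASTY_METACHARS strings quoted elsewhere on this page. The function names, the constructed sample arguments and the allowlist character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Character blacklists copied from the src/nrpe.c lines quoted on this page. */
#define NASTY_METACHARS_2_15  "|`&><'\"\\[]{};"      /* Xenial, Yakkety */
#define NASTY_METACHARS_3_0_1 "|`&><'\\[]{};\r\n"    /* Zesty, Artful */

/* Verdicts returned by the hypothetical checks below (names are not nrpe's). */
enum arg_verdict {
    ARG_OK = 0,
    ARG_NASTY_METACHAR,    /* a blacklisted character is present */
    ARG_CMD_SUBSTITUTION,  /* the "$(" sequence is present */
    ARG_NOT_ALLOWLISTED    /* a character outside the allowlist is present */
};

/* Character blacklist on its own: true if any listed character occurs. */
int has_nasty_metachar(const char *arg, const char *blacklist)
{
    return strpbrk(arg, blacklist) != NULL;
}

/* Blacklist plus an explicit test for "$(": neither '$' nor '(' appears in
 * either list above, so the character check alone lets the sequence through. */
enum arg_verdict check_arg_blacklist(const char *arg, const char *blacklist)
{
    if (has_nasty_metachar(arg, blacklist))
        return ARG_NASTY_METACHAR;
    if (strstr(arg, "$(") != NULL)
        return ARG_CMD_SUBSTITUTION;
    return ARG_OK;
}

/* Allowlist alternative: accept only characters that a plugin argument such
 * as a process name, number or threshold needs. The set is an assumption. */
enum arg_verdict check_arg_allowlist(const char *arg)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.,:%/-";
    return strspn(arg, allowed) == strlen(arg) ? ARG_OK : ARG_NOT_ALLOWLISTED;
}

int main(void)
{
    /* Constructed sample arguments; "rsyslogd" comes from the page's test case. */
    const char *samples[] = { "rsyslogd", "1", "a;b", "$(placeholder)", "a\nb" };
    size_t i;

    /* Columns: 2.15 blacklist verdict, 3.0.1 blacklist verdict, allowlist verdict. */
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d %d %d\n",
               check_arg_blacklist(samples[i], NASTY_METACHARS_2_15),
               check_arg_blacklist(samples[i], NASTY_METACHARS_3_0_1),
               check_arg_allowlist(samples[i]));
    return 0;
}
```

The allowlist rejects anything it was not told to expect, so it does not depend on enumerating every shell metacharacter in advance.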


[Bug 1555258] Re: Request contained command arguments

2017-04-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nagios-nrpe (Ubuntu)
   Status: New => Confirmed



[Bug 1555258] Re: Request contained command arguments

2017-04-27 Thread Eric Desrochers
** Tags added: sts



[Bug 1555258] Re: Request contained command arguments

2017-04-27 Thread Eric Desrochers
I have reverted the release nomination approval for this bug until
Ubuntu (e.g. Foundation team, ~ubuntu-sru, ...) comes up with a final
official position with regard to comment #6 from my colleague Doug.

Thanks !

** No longer affects: nagios-nrpe (Ubuntu Zesty)

** No longer affects: nagios-nrpe (Ubuntu Yakkety)

** No longer affects: nagios-nrpe (Ubuntu Xenial)

** No longer affects: nagios-nrpe (Ubuntu Trusty)



[Bug 1555258] Re: Request contained command arguments

2017-04-27 Thread Eric Desrochers
** Also affects: nagios-nrpe (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: nagios-nrpe (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: nagios-nrpe (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: nagios-nrpe (Ubuntu Trusty)
   Importance: Undecided
   Status: New



[Bug 1555258] Re: Request contained command arguments

2017-04-27 Thread Jorge Niedbalski
** Changed in: nagios-nrpe (Ubuntu)
   Status: Invalid => New



[Bug 1555258] Re: Request contained command arguments

2017-04-27 Thread Doug Parrish
From reading the Debian bug #756479 cited above, it appears there was
considerable impact to users whose Nagios monitors depended on this
feature when upgraded to 2.15.  Some users of NRPE are customers of
Canonical's, one of whom I support as a Dedicated Support Engineer.
This customer would like to monitor its relatively new
Ubuntu/Juju/Openstack clouds from its existing Nagios master which
utilizes this feature for some of their check_nrpe calls.  Would
Canonical/Ubuntu reconsider Debian's decision with regard to the build
for Ubuntu?  This would allow customers to use Canonical-supported
packages and make their own decision whether to accept the security
risks of enabling the feature.



[Bug 1555258] Re: Request contained command arguments

2016-12-05 Thread Bug Watch Updater
** Changed in: nagios-nrpe (Debian)
   Status: Unknown => Fix Released



[Bug 1555258] Re: Request contained command arguments

2016-12-04 Thread Bas Couwenberg
nagios-nrpe (2.15-1) has disabled command-args, and this feature won't
be re-enabled in the foreseeable future.

** Also affects: nagios-nrpe (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479
   Importance: Unknown
   Status: Unknown

** Changed in: nagios-nrpe (Ubuntu)
   Status: Confirmed => Invalid



[Bug 1555258] Re: Request contained command arguments

2016-04-27 Thread Junkern
This is the same issue
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/975918



[Bug 1555258] Re: Request contained command arguments

2016-04-25 Thread Junkern
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479

** Bug watch added: Debian Bug tracker #756479
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756479



[Bug 1555258] Re: Request contained command arguments

2016-04-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nagios-nrpe (Ubuntu)
   Status: New => Confirmed



[Bug 1555258] Re: Request contained command arguments

2016-04-25 Thread Junkern
I have the same problem, seems that Debian removed the setting
dont_blame_nrpe=1

http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_2.15-1_changelog

[eec54b6] Adjust README.Debian for the removal or argument processing


Running Ubuntu 16.04 LTS
nagios-nrpe-plugin 2.15-0ubuntu1   amd64   Nagios Remote Plugin Executor Plugin
nagios-nrpe-server 2.15-1ubuntu1   amd64   Nagios Remote Plugin Executor Server
