I feel like this would be acceptable, from a security standpoint, to
enable at build time. It would be disabled by default and upstream makes
it clear that it should only be enabled if you know what you're doing:

  https://github.com/NagiosEnterprises/nrpe/blob/master/SECURITY.md#command-arguments

After reading bug reports and comments on social media, I have to assume
that there are users out there that know what they're doing and depend
on this feature.

If this feature is enabled in an SRU, the upload must include the fix
for CVE-2013-1362:

https://github.com/NagiosEnterprises/nrpe/commit/5bf9b2047f8e9a8609c3b95b2e655368765e4dd1

There's no need to take this change through the security pocket since
the current package is not vulnerable to CVE-2013-1362. It can take the
normal SRU route directly to the updates pocket.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1362

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1555258

Title:
  Request contained command arguments
