diff --git a/.gitignore b/.gitignore
index d0433b0..ae51679 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ nrpe-2.12.tar.gz
 /nrpe-2.12.tar.gz
 /nrpe-2.13.tar.gz
 /nrpe-2.14.tar.gz
+/nrpe-2.15.tar.gz
diff --git a/nrpe-0009-CVE-2014-2913-nasty-metacharacters.patch b/nrpe-0009-CVE-2014-2913-nasty-metacharacters.patch
new file mode 100644
index 0000000..556f449
--- /dev/null
+++ b/nrpe-0009-CVE-2014-2913-nasty-metacharacters.patch
@@ -0,0 +1,13 @@
+diff --git b/src/nrpe.c a/src/nrpe.c
+index 381f0ac..ad1e05d 100644
+--- b/src/nrpe.c
++++ a/src/nrpe.c
+@@ -53,7 +53,7 @@ int use_ssl=FALSE;
+ 
+ #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */
+ #define MAXFD 64
+-#define NASTY_METACHARS "|`&><'\"\\[]{};"
++#define NASTY_METACHARS "|`&><'\"\\[]{};\n"
+ #define howmany(x,y) (((x)+((y)-1))/(y))
+ #define MAX_LISTEN_SOCKS 16
+ 
diff --git a/nrpe.spec b/nrpe.spec
index 6bbe376..a0f82f0 100644
--- a/nrpe.spec
+++ b/nrpe.spec
@@ -4,8 +4,8 @@
 %define nsport 5666
 
 Name: nrpe
-Version: 2.14
-Release: 5%{?dist}
+Version: 2.15
+Release: 2%{?dist}
 Summary: Host/service/network monitoring agent for Nagios
 
 Group: Applications/System
@@ -23,6 +23,11 @@ Patch5: nrpe-0005-Do-not-start-by-default.patch
 Patch6: nrpe-0006-Relocate-pid-file.patch
 Patch7: nrpe-0007-Add-condrestart-try-restart-target-to-initscript.patch
 Patch8: nrpe-0008-Allow-user-to-override-all-defaults-even-command-def.patch
+# This should get removed whenever 2.16 is released, assuming it has the fix
+# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream
+# concensus that quoting arguments in a mode which is widely agreed upon to be
+# risky so track upstream discussions here, too.
+Patch9: nrpe-0009-CVE-2014-2913-nasty-metacharacters.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
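Review bot: The new patch's file headers are reversed (`--- b/src/nrpe.c` / `+++ a/src/nrpe.c`), which reads as a diff taken from the patched tree back to the original even though the hunk itself is the forward change that appends `\n` to `NASTY_METACHARS`; `%patch9 -p1` still applies it because `-p1` strips either prefix, but regenerating it with the conventional a/b order (`git format-patch` or `git diff`) would stop anyone comparing it with upstream from reading it as a revert. The patch also carries no description of its own, so the CVE id and the oss-sec reference live only in the spec comment; a two-line header above the inner `diff --git` stating that it adds newline to the rejected-metacharacter list for CVE-2014-2913 would make the file self-contained. Extending a denylist by one character is a narrowing of the exposed surface rather than a rework of argument handling, so the description should also say that it only matters when the argument-processing mode the spec comment calls risky (`dont_blame_nrpe`) is enabled, and that leaving that mode off remains the primary mitigation. Whether other code paths in src/nrpe.c consume the same list is outside this hunk.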
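Review bot: The rationale comment above `Patch9:` is hard to follow: its last sentence has no main clause ("There's not upstream concensus that quoting arguments in a mode which is widely agreed upon to be risky so ..."), and "concensus" is misspelled, which matters because these four lines are the only written justification for carrying a CVE patch downstream. Suggest replacing the last two lines with `# consensus on quoting arguments in a mode that is widely agreed to be risky,` / `# so track the upstream discussion there as well.` and starting the preceding line with `# included. http://seclists.org/oss-sec/2014/q2/129. There is no upstream`. Naming the CVE in the comment itself, not only in the patch filename, would also let the next maintainer find the removal condition by searching the spec.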
@@ -94,6 +99,8 @@ This package provides the nrpe plugin for Nagios-related applications.
 %patch6 -p1 -b .relocate_pid
 %patch7 -p1 -b .condrestart
 %patch8 -p1 -b .allow_override
+%patch9 -p1
+
 # Allow building for aarch64
 # https://bugzilla.redhat.com/926244
 %if 0%{?fedora} > 17 || 0%{?rhel} > 6
@@ -192,6 +199,12 @@ fi
 %doc Changelog LEGAL README
 
 %changelog
+* Thu May 1 2014 Sam Kottler - 2.15.2
+- Add patch to mitigate CVE-2014-2913
+
+* Mon Jan 27 2014 Sam Kottler - 2.15.1
+- Update to 2.15
+
 * Wed Oct 16 2013 Peter Lemenkov - 2.14-5
 - Allow building for aarch64 (rhbz #926244)
 - Allow user to redefine default commands (rhbz #963703)
@@ -201,8 +214,8 @@ fi
 
 * Wed May 22 2013 Kevin Fenzi 2.14-3
 - Apply patch from bug 860988 to handle RHEL versions and systemd
-- Apply patch from bug 957567 to fix condrestart so nrpe restarts on upgrade.
-- Rework systemd and service scriptlets and requires.
+- Apply patch from bug 957567 to fix condrestart so nrpe restarts on upgrade.
+- Rework systemd and service scriptlets and requires.
 - Harden Fedora 19+ builds
 
 * Thu Feb 14 2013 Fedora Release Engineering - 2.14-2
@@ -310,7 +323,7 @@ fi
 - Added proper SMP build flags
 - Added %{?dist} tag
 - Added reload to nrpe script
-- Updated to 2.4, changes include:
+- Updated to 2.4, changes include:
 - Added option to allow week random seed (Gerhard Lausser)
 - Added optional command line prefix (Sean Finney)
 - Added ability to reload config file with SIGHUP
diff --git a/sources b/sources
index fcbcf5f..34b9096 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-105857720e21674083a6d6be99e102c7 nrpe-2.14.tar.gz
+3921ddc598312983f604541784b35a50 nrpe-2.15.tar.gz
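Review bot: `%patch9 -p1` is the only `%patch` line without a `-b` backup suffix, while the three lines directly above it use `-b .relocate_pid`, `-b .condrestart` and `-b .allow_override`. Writing it as `%patch9 -p1 -b .cve-2014-2913` keeps the %prep section consistent and leaves the unpatched `src/nrpe.c` next to the patched copy in the build tree, which is useful when diffing the shipped source against upstream to confirm exactly what the security patch changed.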
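Review bot: The two new changelog headers use `2.15.2` and `2.15.1`, but every other entry in this changelog writes version-release with a hyphen (`2.14-5`, `2.14-3`, `2.14-2`) and the Release tag set in this same commit is `2%{?dist}`, so they should read `* Thu May 1 2014 Sam Kottler - 2.15-2` and `* Mon Jan 27 2014 Sam Kottler - 2.15-1`. The dotted form makes the top entry look like a 2.15.2 upstream release, and rpmlint's incoherent-version-in-changelog check compares the first entry against the package version-release. The `- Add patch to mitigate CVE-2014-2913` line would also be more useful to someone triaging the advisory if it said what the mitigation is, e.g. `- Add patch to mitigate CVE-2014-2913 (reject newline in command arguments)`.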