openSUSE-SU-2013:0621-1 -- Suse NRPE
ID: oval:org.secpod.oval:def:400525 | Date: (C)2013-04-09 (M)2021-09-11 |
Class: PATCH | Family: unix |
NRPE allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command in a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as. With this update, NRPE will deny remote requests containing a bash command substitution.
Platform: |
openSUSE 12.2 |
openSUSE 12.1 |