From 527f50696c772d5252da0f5939032a8fac8cce50 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Elan=20Ruusam=C3=A4e?= Date: Wed, 7 Sep 2016 15:14:20 +0300 Subject: [PATCH] up to 3.0 --- CVE-2014-2913-nasty-metacharacters.patch | 18 -------------- commands.cfg | 18 +++++++------- nagios-nrpe-config.patch | 31 +++++++++++------------- nagios-nrpe.spec | 10 +++----- 4 files changed, 27 insertions(+), 50 deletions(-) delete mode 100644 CVE-2014-2913-nasty-metacharacters.patch diff --git a/CVE-2014-2913-nasty-metacharacters.patch b/CVE-2014-2913-nasty-metacharacters.patch deleted file mode 100644 index bca3930..0000000 --- a/CVE-2014-2913-nasty-metacharacters.patch +++ /dev/null @@ -1,18 +0,0 @@ -# This should get removed whenever 2.16 is released, assuming it has the fix -# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream -# concensus that quoting arguments in a mode which is widely agreed upon to be -# risky so track upstream discussions here, too. - -diff --git b/src/nrpe.c a/src/nrpe.c -index 381f0ac..ad1e05d 100644 ---- b/src/nrpe.c -+++ a/src/nrpe.c -@@ -53,7 +53,7 @@ int use_ssl=FALSE; - - #define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */ - #define MAXFD 64 --#define NASTY_METACHARS "|`&><'\"\\[]{};" -+#define NASTY_METACHARS "|`&><'\"\\[]{};\n" - #define howmany(x,y) (((x)+((y)-1))/(y)) - #define MAX_LISTEN_SOCKS 16 - diff --git a/commands.cfg b/commands.cfg index 4ff6c62..da828ea 100644 --- a/commands.cfg +++ b/commands.cfg @@ -20,11 +20,11 @@ # The following examples use hardcoded command arguments... -#command[check_users]=/usr/lib/nagios/check_users -w 5 -c 10 -#command[check_load]=/usr/lib/nagios/check_load -w 15,10,5 -c 30,25,20 -#command[check_hda1]=/usr/lib/nagios/check_disk -w 20% -c 10% -p /dev/hda1 -#command[check_zombie_procs]=/usr/lib/nagios/check_procs -w 5 -c 10 -s Z -#command[check_total_procs]=/usr/lib/nagios/check_procs -w 150 -c 200 +command[check_users]=@pluginsdir@/check_users -w 5 -c 10 +command[check_load]=@pluginsdir@/check_load -w 15,10,5 -c 30,25,20 +command[check_hda1]=@pluginsdir@/check_disk -w 20% -c 10% -p /dev/hda1 +command[check_zombie_procs]=@pluginsdir@/check_procs -w 5 -c 10 -s Z +command[check_total_procs]=@pluginsdir@/check_procs -w 150 -c 200 # The following examples allow user-supplied arguments and can @@ -33,7 +33,7 @@ # config file is set to '1'. This poses a potential security risk, so # make sure you read the SECURITY file before doing this. -#command[check_users]=/usr/lib/nagios/check_users -w $ARG1$ -c $ARG2$ -#command[check_load]=/usr/lib/nagios/check_load -w $ARG1$ -c $ARG2$ -#command[check_disk]=/usr/lib/nagios/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -#command[check_procs]=/usr/lib/nagios/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ +#command[check_users]=@pluginsdir@/check_users -w $ARG1$ -c $ARG2$ +#command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$ +#command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ +#command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ diff --git a/nagios-nrpe-config.patch b/nagios-nrpe-config.patch index ceab790..0db94b9 100644 --- a/nagios-nrpe-config.patch +++ b/nagios-nrpe-config.patch @@ -1,15 +1,15 @@ ---- nrpe-2.12/sample-config/nrpe.cfg.in 2012-01-04 17:57:22.907296034 +0200 -+++ nrpe-2.15/sample-config/nrpe.cfg.in 2015-05-25 15:40:07.747598382 +0300 +--- nrpe-3.0.orig/sample-config/nrpe.cfg.in 2016-07-12 23:24:40.000000000 +0300 ++++ nrpe-3.0/sample-config/nrpe.cfg.in 2016-09-07 15:46:35.913180521 +0300 @@ -23,7 +23,7 @@ # number. The file is only written if the NRPE daemon is started by the root # user and is running in standalone mode. --pid_file=/var/run/nrpe.pid +-pid_file=@piddir@/nrpe.pid +pid_file=/var/run/nrpe/nrpe.pid -@@ -169,8 +169,7 @@ +@@ -257,47 +257,8 @@ # This directive allows you to include definitions from config files (with a # .cfg extension) in one or more directories (with recursion). @@ -18,9 +18,6 @@ +include_dir=/etc/nagios/nrpe.d - -@@ -195,41 +194,2 @@ -- - -# COMMAND DEFINITIONS -# Command definitions that this daemon will run. Definitions @@ -44,22 +41,22 @@ - -# The following examples use hardcoded command arguments... - --command[check_users]=@libexecdir@/check_users -w 5 -c 10 --command[check_load]=@libexecdir@/check_load -w 15,10,5 -c 30,25,20 --command[check_hda1]=@libexecdir@/check_disk -w 20% -c 10% -p /dev/hda1 --command[check_zombie_procs]=@libexecdir@/check_procs -w 5 -c 10 -s Z --command[check_total_procs]=@libexecdir@/check_procs -w 150 -c 200 +-command[check_users]=@pluginsdir@/check_users -w 5 -c 10 +-command[check_load]=@pluginsdir@/check_load -w 15,10,5 -c 30,25,20 +-command[check_hda1]=@pluginsdir@/check_disk -w 20% -c 10% -p /dev/hda1 +-command[check_zombie_procs]=@pluginsdir@/check_procs -w 5 -c 10 -s Z +-command[check_total_procs]=@pluginsdir@/check_procs -w 150 -c 200 - - -# The following examples allow user-supplied arguments and can --# only be used if the NRPE daemon was compiled with support for +-# only be used if the NRPE daemon was compiled with support for -# command arguments *AND* the dont_blame_nrpe directive in this -# config file is set to '1'. This poses a potential security risk, so -# make sure you read the SECURITY file before doing this. - --#command[check_users]=@libexecdir@/check_users -w $ARG1$ -c $ARG2$ --#command[check_load]=@libexecdir@/check_load -w $ARG1$ -c $ARG2$ --#command[check_disk]=@libexecdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ --#command[check_procs]=@libexecdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ +-#command[check_users]=@pluginsdir@/check_users -w $ARG1$ -c $ARG2$ +-#command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$ +-#command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ +-#command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ +# NOTE: +# In PLD Linux, command definitions are in file /etc/nagios/nrpe.d/commands.cfg diff --git a/nagios-nrpe.spec b/nagios-nrpe.spec index 163c58c..faaff08 100644 --- a/nagios-nrpe.spec +++ b/nagios-nrpe.spec @@ -1,19 +1,18 @@ Summary: Nagios remote plugin execution service/plugin Summary(pl.UTF-8): Demon i wtyczka zdalnego wywoływania wtyczek Nagios Name: nagios-nrpe -Version: 2.15 -Release: 7 +Version: 3.0 +Release: 1 License: GPL v2 Group: Networking Source0: http://downloads.sourceforge.net/nagios/nrpe-%{version}.tar.gz -# Source0-md5: 3921ddc598312983f604541784b35a50 +# Source0-md5: e2e8e0bcd9a3924b0ea94e76500f147b Source1: nrpe.init Source2: nrpe-command.cfg Source3: %{name}.tmpfiles Source4: commands.cfg Patch0: %{name}-config.patch Patch1: nrpe_check_control.patch -Patch2: CVE-2014-2913-nasty-metacharacters.patch URL: http://www.nagios.org/ BuildRequires: openssl-devel BuildRequires: openssl-tools @@ -68,7 +67,6 @@ na innych komputerach za pomocą demona nrpe. %undos contrib/nrpe_check_control.c %patch0 -p1 %patch1 -p1 -%patch2 -p1 %build %configure \ @@ -142,7 +140,7 @@ fi %files %defattr(644,root,root,755) -%doc Changelog LEGAL README* SECURITY +%doc Changelog LEGAL README* SECURITY.md %attr(640,root,nagios) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/nrpe.cfg %attr(750,root,nagios) %dir %{_sysconfdir}/nrpe.d %attr(640,root,nagios) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/nrpe.d/commands.cfg -- 2.43.0