ALAS-2013-203

Amazon Linux 1 Security Advisory: ALAS-2013-203
Advisory Release Date: 2013-06-20 14:14 Pacific
Advisory Updated Date: 2014-09-15 23:31 Pacific

Severity: Important

References: CVE-2013-1362
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

Affected Packages:

nrpe

Issue Correction:
Run yum update nrpe to update your system.

New Packages:

i686:
    nagios-plugins-nrpe-2.14-3.5.amzn1.i686
    nrpe-2.14-3.5.amzn1.i686
    nrpe-debuginfo-2.14-3.5.amzn1.i686

src:
    nrpe-2.14-3.5.amzn1.src

x86_64:
    nagios-plugins-nrpe-2.14-3.5.amzn1.x86_64
    nrpe-2.14-3.5.amzn1.x86_64
    nrpe-debuginfo-2.14-3.5.amzn1.x86_64

Additional References

Red Hat: CVE-2013-1362

Mitre: CVE-2013-1362