File _patchinfo of Package patchinfo

<patchinfo>
  <packager>wrosenauer</packager>
  <category>security</category>
  <rating>important</rating>
  <issue tracker="cve" id="CVE-2013-1362"></issue>
  <issue tracker="bnc" id="807241">VUL-0: CVE-2013-1362: nagios / nrpe: blacklist test fails to properly match all potential metacharacters</issue>
  <summary>NRPE metacharacter filtering omission</summary>
  <description>NRPE (the Nagios Remote Plug-In Executor) allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command under a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as (typically, 'nagios').

  With this update NRPE will deny remote requests containing a bash command substitution.</description>
</patchinfo>