Merge lp:~logan/ubuntu/raring/nagios-nrpe/2.13-2ubuntu1 into lp:ubuntu/raring/nagios-nrpe

Proposed by Logan Rosen
Status: Merged
Merged at revision: 19
Proposed branch: lp:~logan/ubuntu/raring/nagios-nrpe/2.13-2ubuntu1
Merge into: lp:ubuntu/raring/nagios-nrpe
Diff against target: 96 lines (+58/-2)
5 files modified
debian/README.Debian (+11/-1)
debian/changelog (+16/-0)
debian/docs (+0/-1)
debian/patches/00list (+1/-0)
debian/patches/07_warn_ssloption.dpatch (+30/-0)
To merge this branch: bzr merge lp:~logan/ubuntu/raring/nagios-nrpe/2.13-2ubuntu1
Reviewer Review Type Date Requested Status
Michael Terry Approve
Ubuntu branches Pending
Review via email: mp+150241@code.launchpad.net
Michael Terry (mterry) wrote :

Looks good. Thanks!

I've pushed to raring.

review: Approve

Preview Diff

1=== modified file 'debian/README.Debian'
2--- debian/README.Debian 2011-09-25 08:35:48 +0000
3+++ debian/README.Debian 2013-02-24 20:34:21 +0000
4@@ -8,4 +8,14 @@
5 To enable the use of command argument processing change dont_blame_nrpe option
6 in nrpe.cfg then create the commands you want in nrpe_local.cfg or
7 /etc/nagios/nrpe.d/
8-Most options can be overridden from there
9+Most options can be overridden from there.
10+
11+Do not rely on SSL mode for security
12+------------------------------------
13+
14+NRPE contains an SSL mode which encrypts the data over the NRPE channel.
15+The current implementation does not verify client or server and uses
16+pregenerated key data by default. It cannot be fixed right away because
17+it would break the existing NRPE protocol.
18+
19+Please refer to the file SECURITY in this directory for more information.
20
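Review bot: the new "Do not rely on SSL mode for security" section tells the reader what not to trust but not what to use instead. The SECURITY text patched later in this same merge names Stunnel and Debian bug #547092; repeating both here would let someone who reads only README.Debian find the mitigation. "It cannot be fixed right away" and "the current implementation" will also age, so consider stating the version the warning was written for (2.13-2).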
21=== modified file 'debian/changelog'
22--- debian/changelog 2013-02-02 18:16:48 +0000
23+++ debian/changelog 2013-02-24 20:34:21 +0000
24@@ -1,3 +1,19 @@
25+nagios-nrpe (2.13-2ubuntu1) raring; urgency=low
26+
27+ * Merge from Debian unstable. Remaining changes:
28+ - debian/{rules,control}: Add hardening-includes to gain PIE security
29+ builds.
30+ - debian/rules: Use dpkg-buildflags.
31+
32+ -- Logan Rosen <logatronico@gmail.com> Sun, 24 Feb 2013 15:29:43 -0500
33+
34+nagios-nrpe (2.13-2) unstable; urgency=high
35+
36+ [ Thijs Kinkhorst ]
37+ * Add warning about the inadequateness of the 'ssl' option.
38+
39+ -- Alexander Wirt <formorer@debian.org> Mon, 11 Feb 2013 17:45:20 +0100
40+
41 nagios-nrpe (2.13-1ubuntu1) raring; urgency=low
42
43 * Merge from Debian unstable. Remaining changes:
44
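Review bot: neither new entry records that README.SSL is dropped from debian/docs, although that change is part of this diff. The 2.13-2 entry mentions only the warning, and the 2.13-2ubuntu1 entry lists only the hardening changes as remaining delta. If the removal originates in Debian, nothing needs to change on the Ubuntu side, but it is worth confirming so that the "Remaining changes" list is complete.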
45=== modified file 'debian/docs'
46--- debian/docs 2006-05-14 21:38:48 +0000
47+++ debian/docs 2013-02-24 20:34:21 +0000
48@@ -1,4 +1,3 @@
49 README
50-README.SSL
51 LEGAL
52 SECURITY
53
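Review bot: with README.SSL no longer installed, any pointer to it in the docs that are still shipped (README, SECURITY, README.Debian) would dangle. This diff does not show those files in full, so please check for leftover references to README.SSL before upload.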
54=== modified file 'debian/patches/00list'
55--- debian/patches/00list 2009-07-06 07:08:26 +0000
56+++ debian/patches/00list 2013-02-24 20:34:21 +0000
57@@ -4,3 +4,4 @@
58 04_weird_output.dpatch
59 05_pid_privileges.dpatch
60 06_pid_directory.dpatch
61+07_warn_ssloption.dpatch
62
63=== added file 'debian/patches/07_warn_ssloption.dpatch'
64--- debian/patches/07_warn_ssloption.dpatch 1970-01-01 00:00:00 +0000
65+++ debian/patches/07_warn_ssloption.dpatch 2013-02-24 20:34:21 +0000
66@@ -0,0 +1,30 @@
67+#! /bin/sh /usr/share/dpatch/dpatch-run
68+## 07_warn_ssloption.dpatch by Thijs Kinkhorst <thijs@debian.org>
69+##
70+## All lines beginning with `## DP:' are a description of the patch.
71+## DP: Warn against inadequateness of NRPE's own SSL option.
72+
73+--- a/SECURITY 2013-02-10 15:07:18.000000000 +0100
74++++ b/SECURITY 2013-02-10 15:08:50.000000000 +0100
75+@@ -67,14 +67,17 @@
76+ ----------
77+
78+ If you do enable support for command arguments in the NRPE daemon,
79+-make sure that you encrypt communications either by using:
80+-
81+- 1. Stunnel (see http://www.stunnel.org for more info)
82+- 2. Native SSL support
83++make sure that you encrypt communications either by using, for
84++example, Stunnel (see http://www.stunnel.org for more info).
85+
86+ Do NOT assume that just because the daemon is behind a firewall
87+ that you are safe! Always encrypt NRPE traffic!
88+
89++NOTE: the currently shipped native SSL support of NRPE is not an
90++adequante protection, because it does not verify clients and
91++server, and uses pregenerated key material. NRPE's SSL option is
92++advised against. For more information, see Debian bug #547092.
93++
94+
95+ USING ARGUMENTS
96+ ---------------
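Review bot: in the added NOTE paragraph, "adequante" is a typo for "adequate". In the rewritten sentence above it, "either by using, for example, Stunnel" keeps the word "either" although the second option was removed, so the sentence no longer parses; suggest "make sure that you encrypt communications, for example by using Stunnel". Because both are in text patched into upstream's SECURITY file, the fix belongs in 07_warn_ssloption.dpatch itself.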
