Merge lp:~logan/ubuntu/raring/nagios-nrpe/2.13-2ubuntu1 into lp:ubuntu/raring/nagios-nrpe

Proposed by Logan Rosen
Status: Merged
Merged at revision: 19
Proposed branch: lp:~logan/ubuntu/raring/nagios-nrpe/2.13-2ubuntu1
Merge into: lp:ubuntu/raring/nagios-nrpe
Diff against target: 96 lines (+58/-2)
5 files modified
debian/README.Debian (+11/-1)
debian/changelog (+16/-0)
debian/docs (+0/-1)
debian/patches/00list (+1/-0)
debian/patches/07_warn_ssloption.dpatch (+30/-0)
To merge this branch: bzr merge lp:~logan/ubuntu/raring/nagios-nrpe/2.13-2ubuntu1
Reviewer Review Type Date Requested Status
Michael Terry Approve
Ubuntu branches Pending
Review via email: mp+150241@code.launchpad.net
Michael Terry (mterry) wrote :

Looks good. Thanks!

I've pushed to raring.

review: Approve

Preview Diff

=== modified file 'debian/README.Debian'
--- debian/README.Debian 2011-09-25 08:35:48 +0000
+++ debian/README.Debian 2013-02-24 20:34:21 +0000
@@ -8,4 +8,14 @@
8To enable the use of command argument processing change dont_blame_nrpe option8To enable the use of command argument processing change dont_blame_nrpe option
9in nrpe.cfg then create the commands you want in nrpe_local.cfg or9in nrpe.cfg then create the commands you want in nrpe_local.cfg or
10/etc/nagios/nrpe.d/10/etc/nagios/nrpe.d/
11Most options can be overridden from there11Most options can be overridden from there.
12
13Do not rely on SSL mode for security
14------------------------------------
15
16NRPE contains an SSL mode which encrypts the data over the NRPE channel.
17The current implementation does not verify client or server and uses
18pregenerated key data by default. It cannot be fixed right away because
19it would break the existing NRPE protocol.
20
21Please refer to the file SECURITY in this directory for more information.
1222
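Review bot: The new "Do not rely on SSL mode for security" section (added lines 13-21) names the problem but gives the administrator nothing to act on. The SECURITY note added by 07_warn_ssloption.dpatch recommends Stunnel and cites Debian bug #547092, and neither appears here. Suggest one more sentence that points to an external TLS wrapper such as Stunnel and gives the bug number, so the README stands on its own for readers who never open SECURITY.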
=== modified file 'debian/changelog'
--- debian/changelog 2013-02-02 18:16:48 +0000
+++ debian/changelog 2013-02-24 20:34:21 +0000
@@ -1,3 +1,19 @@
1nagios-nrpe (2.13-2ubuntu1) raring; urgency=low
2
3 * Merge from Debian unstable. Remaining changes:
4 - debian/{rules,control}: Add hardening-includes to gain PIE security
5 builds.
6 - debian/rules: Use dpkg-buildflags.
7
8 -- Logan Rosen <logatronico@gmail.com> Sun, 24 Feb 2013 15:29:43 -0500
9
10nagios-nrpe (2.13-2) unstable; urgency=high
11
12 [ Thijs Kinkhorst ]
13 * Add warning about the inadequateness of the 'ssl' option.
14
15 -- Alexander Wirt <formorer@debian.org> Mon, 11 Feb 2013 17:45:20 +0100
16
1nagios-nrpe (2.13-1ubuntu1) raring; urgency=low17nagios-nrpe (2.13-1ubuntu1) raring; urgency=low
218
3 * Merge from Debian unstable. Remaining changes:19 * Merge from Debian unstable. Remaining changes:
420
=== modified file 'debian/docs'
--- debian/docs 2006-05-14 21:38:48 +0000
+++ debian/docs 2013-02-24 20:34:21 +0000
@@ -1,4 +1,3 @@
1README1README
2README.SSL
3LEGAL2LEGAL
4SECURITY3SECURITY
54
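Review bot: Dropping README.SSL at line 2 is not recorded in debian/changelog; the 2.13-2 entry only says "Add warning about the inadequateness of the 'ssl' option." Suggest a changelog line stating that README.SSL is no longer installed and why, so that someone who looks for the file in the package's documentation directory can find the reason.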
=== modified file 'debian/patches/00list'
--- debian/patches/00list 2009-07-06 07:08:26 +0000
+++ debian/patches/00list 2013-02-24 20:34:21 +0000
@@ -4,3 +4,4 @@
404_weird_output.dpatch404_weird_output.dpatch
505_pid_privileges.dpatch505_pid_privileges.dpatch
606_pid_directory.dpatch606_pid_directory.dpatch
707_warn_ssloption.dpatch
78
=== added file 'debian/patches/07_warn_ssloption.dpatch'
--- debian/patches/07_warn_ssloption.dpatch 1970-01-01 00:00:00 +0000
+++ debian/patches/07_warn_ssloption.dpatch 2013-02-24 20:34:21 +0000
@@ -0,0 +1,30 @@
1#! /bin/sh /usr/share/dpatch/dpatch-run
2## 07_warn_ssloption.dpatch by Thijs Kinkhorst <thijs@debian.org>
3##
4## All lines beginning with `## DP:' are a description of the patch.
5## DP: Warn against inadequateness of NRPE's own SSL option.
6
7--- a/SECURITY 2013-02-10 15:07:18.000000000 +0100
8+++ b/SECURITY 2013-02-10 15:08:50.000000000 +0100
9@@ -67,14 +67,17 @@
10 ----------
11
12 If you do enable support for command arguments in the NRPE daemon,
13-make sure that you encrypt communications either by using:
14-
15- 1. Stunnel (see http://www.stunnel.org for more info)
16- 2. Native SSL support
17+make sure that you encrypt communications either by using, for
18+example, Stunnel (see http://www.stunnel.org for more info).
19
20 Do NOT assume that just because the daemon is behind a firewall
21 that you are safe! Always encrypt NRPE traffic!
22
23+NOTE: the currently shipped native SSL support of NRPE is not an
24+adequante protection, because it does not verify clients and
25+server, and uses pregenerated key material. NRPE's SSL option is
26+advised against. For more information, see Debian bug #547092.
27+
28
29 USING ARGUMENTS
30 ---------------
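Review bot: Two wording defects in the text added to SECURITY. "adequante" on line 24 should be "adequate", and the rewritten sentence on lines 17-18 keeps "either" ("encrypt communications either by using, for example, Stunnel") although the two-item list it introduced has been removed. Suggest "make sure that you encrypt communications, for example by using Stunnel (see http://www.stunnel.org for more info)."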
