[Pkg-nagios-changes] [SCM] Debian packaging for nagios nrpe branch, master, updated. debian/2.13-2-5-g4d71cc9

Alexander Wirt formorer at debian.org
Sat Mar 9 07:56:23 UTC 2013


The following commit has been merged in the master branch:
commit 063e086bd0476ea03c8ca7367d50609c07bdebc5
Author: Alexander Wirt <formorer at debian.org>
Date:   Mon Feb 11 17:46:17 2013 +0100

    Add some documentation about ssl

diff --git a/debian/README.Debian b/debian/README.Debian
index 7d827cb..c5c72a4 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -8,4 +8,14 @@ This files are included from the /etc/nagios/nrpe.cfg
 To enable the use of command argument processing change dont_blame_nrpe option
 in nrpe.cfg then create the commands you want in nrpe_local.cfg or
 /etc/nagios/nrpe.d/
-Most options can be overridden from there
+Most options can be overridden from there.
+
+Do not rely on SSL mode for security
+------------------------------------
+
+NRPE contains an SSL mode which encrypts the data over the NRPE channel.
+The current implementation does not verify client or server and uses
+pregenerated key data by default. It cannot be fixed right away because
+it would break the existing NRPE protocol.
+
+Please refer to the file SECURITY in this directory for more information.
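Review bot: The new "Do not rely on SSL mode for security" section says what to avoid but not what to use instead. The SECURITY change in this same commit recommends Stunnel and cites Debian bug #547092; repeating both here would let an admin who only reads README.Debian act on the warning. "The current implementation" will also go stale, so consider naming the version it applies to (2.13 per the changelog hunk).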
diff --git a/debian/changelog b/debian/changelog
index e244533..5bb8f53 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+nagios-nrpe (2.13-2) unstable; urgency=high
+
+  [ Thijs Kinkhorst ]
+  * Add warning about the inadequateness of the 'ssl' option.
+
+ -- Alexander Wirt <formorer at debian.org>  Mon, 11 Feb 2013 17:45:20 +0100
+
 nagios-nrpe (2.13-1) unstable; urgency=low
 
   * [3e113b5] Imported Upstream version 2.13
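Review bot: The 2.13-2 entry is uploaded with urgency=high but does not cite the report behind it. The text added to SECURITY by 07_warn_ssloption.dpatch points to Debian bug #547092; mentioning that number on the "Add warning about the inadequateness of the 'ssl' option." line would tie the upload to the bug for anyone reading the changelog alone.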
diff --git a/debian/docs b/debian/docs
index a419ec5..6662772 100644
--- a/debian/docs
+++ b/debian/docs
@@ -1,4 +1,3 @@
 README
-README.SSL
 LEGAL
 SECURITY
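Review bot: Dropping README.SSL from debian/docs is not recorded anywhere; neither the commit message ("Add some documentation about ssl") nor the 2.13-2 changelog entry mentions it. If the intent is to stop shipping instructions for the SSL mode that README.Debian and SECURITY now advise against, say so in the changelog so the removal does not look accidental.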
diff --git a/debian/patches/00list b/debian/patches/00list
index 4c83a4a..1355e2e 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -4,3 +4,4 @@
 04_weird_output.dpatch
 05_pid_privileges.dpatch
 06_pid_directory.dpatch
+07_warn_ssloption.dpatch
diff --git a/debian/patches/07_warn_ssloption.dpatch b/debian/patches/07_warn_ssloption.dpatch
new file mode 100644
index 0000000..5964ccc
--- /dev/null
+++ b/debian/patches/07_warn_ssloption.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 07_warn_ssloption.dpatch by Thijs Kinkhorst <thijs at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Warn against inadequateness of NRPE's own SSL option.
+
+--- a/SECURITY	2013-02-10 15:07:18.000000000 +0100
++++ b/SECURITY	2013-02-10 15:08:50.000000000 +0100
+@@ -67,14 +67,17 @@
+ ----------
+ 
+ If you do enable support for command arguments in the NRPE daemon,
+-make sure that you encrypt communications either by using:
+-
+-   1.  Stunnel (see http://www.stunnel.org for more info)
+-   2.  Native SSL support
++make sure that you encrypt communications either by using, for
++example, Stunnel (see http://www.stunnel.org for more info).
+ 
+ Do NOT assume that just because the daemon is behind a firewall
+ that you are safe!  Always encrypt NRPE traffic!
+ 
++NOTE: the currently shipped native SSL support of NRPE is not an
++adequante protection, because it does not verify clients and
++server, and uses pregenerated key material. NRPE's SSL option is
++advised against. For more information, see Debian bug #547092.
++
+ 
+ USING ARGUMENTS
+ ---------------
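Review bot: Two wording problems in the text added to SECURITY. "adequante" in the NOTE paragraph should be "adequate". The rewritten sentence "make sure that you encrypt communications either by using, for example, Stunnel" keeps the "either" from the old two-item list, which no longer has a second alternative; "make sure that you encrypt communications, for example by using Stunnel" reads correctly. The NOTE also says "does not verify clients and server" while README.Debian in this commit says "does not verify client or server"; pick one phrasing for both files.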

-- 
Debian packaging for nagios nrpe


