[Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem

Thijs Kinkhorst thijs at debian.org
Sun Feb 10 14:21:18 UTC 2013

Hi Alex,

> > All agreed... but would you consider to add some big warnings about that
> > fact? :)
> Thats something for the release notes or readme.debian. Feel free to send a
> patch. 

I do not believe the issue should mean that NRPE is so critically flawed that 
it should be removed from Wheezy: as sketched there are quite some ways to use 
NRPE safely, including other ways to do encryption. Also, when not allowing 
command line parameters in the protocol (the default), for many environment 
the existing network-level safeguards and local firewalls and network acl's 
may provide adequate protection. So the key to this bug is to add 
documentation that this specific feature is not to be relied on, as you said.

I've added a patch which I think does this. It adds a warning in 
README.Debian, it rewrites the shipped SECURITY file to convert the mention of 
the facility into a warning against it, and doesn't ship the README.SSL 
anymore. I believe it should then be clear enough what the status of the 
feature is.

I don't think that adding something to the release notes is appropriate per se 
since this is not a new thing for wheezy at all.

If this can be applied in unstable/wheezy, I believe the bug can be downgraded 
to a non-RC bug about the broken functionality.

Please consider to apply and upload. I'm happy to NMU if you prefer, please 
let me know.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 547092_warn.patch
Type: text/x-patch
Size: 2899 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20130210/b447c542/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20130210/b447c542/attachment.pgp>

More information about the Pkg-nagios-devel mailing list