[Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem
Thijs Kinkhorst
thijs at debian.org
Sun Feb 10 14:21:18 UTC 2013
Hi Alex,

> > All agreed... but would you consider to add some big warnings about that
> > fact? :)
> That's something for the release notes or readme.debian. Feel free to send a
> patch.

I do not believe the issue should mean that NRPE is so critically flawed that
it should be removed from Wheezy: as sketched there are quite some ways to use
NRPE safely, including other ways to do encryption. Also, when not allowing
command line parameters in the protocol (the default), for many environments
the existing network-level safeguards and local firewalls and network ACLs
may provide adequate protection. So the key to this bug is to add
documentation that this specific feature is not to be relied on, as you said.

I've added a patch which I think does this. It adds a warning in
README.Debian, it rewrites the shipped SECURITY file to convert the mention of
the facility into a warning against it, and doesn't ship the README.SSL
anymore. I believe it should then be clear enough what the status of the
feature is.

I don't think that adding something to the release notes is appropriate per se
since this is not a new thing for wheezy at all.

If this can be applied in unstable/wheezy, I believe the bug can be downgraded
to a non-RC bug about the broken functionality.

Please consider to apply and upload. I'm happy to NMU if you prefer, please
let me know.

Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 547092_warn.patch
Type: text/x-patch
Size: 2899 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20130210/b447c542/attachment.bin>