[Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem
formorer at debian.org
Sun Feb 10 14:28:11 UTC 2013
On Sun, 10 Feb 2013, Thijs Kinkhorst wrote:
> Hi Alex,
> > > All agreed... but would you consider to add some big warnings about that
> > > fact? :)
> > That's something for the release notes or readme.debian. Feel free to send a
> > patch.
> I do not believe the issue should mean that NRPE is so critically flawed that
> it should be removed from Wheezy: as sketched there are quite some ways to use
> NRPE safely, including other ways to do encryption. Also, when not allowing
> command line parameters in the protocol (the default), for many environments
> the existing network-level safeguards and local firewalls and network ACLs
> may provide adequate protection. So the key to this bug is to add
> documentation that this specific feature is not to be relied on, as you said.
> I've added a patch which I think does this. It adds a warning in
> README.Debian, it rewrites the shipped SECURITY file to convert the mention of
> the facility into a warning against it, and doesn't ship the README.SSL
> anymore. I believe it should then be clear enough what the status of the
> feature is.
> I don't think that adding something to the release notes is appropriate per se
> since this is not a new thing for wheezy at all.
> If this can be applied in unstable/wheezy, I believe the bug can be downgraded
> to a non-RC bug about the broken functionality.
> Please consider to apply and upload. I'm happy to NMU if you prefer, please
> let me know.
Thanks, that was something like I had in mind. I'll apply this patch and