[Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem

[Alexander Wirt]

On Sun, 10 Feb 2013, Thijs Kinkhorst wrote:

> Hi Alex,
> 
> > > All agreed... but would you consider to add some big warnings about that
> > > fact? :)
> > Thats something for the release notes or readme.debian. Feel free to send a
> > patch. 
> 
> I do not believe the issue should mean that NRPE is so critically flawed that 
> it should be removed from Wheezy: as sketched there are quite some ways to use 
> NRPE safely, including other ways to do encryption. Also, when not allowing 
> command line parameters in the protocol (the default), for many environment 
> the existing network-level safeguards and local firewalls and network acl's 
> may provide adequate protection. So the key to this bug is to add 
> documentation that this specific feature is not to be relied on, as you said.
> 
> I've added a patch which I think does this. It adds a warning in 
> README.Debian, it rewrites the shipped SECURITY file to convert the mention of 
> the facility into a warning against it, and doesn't ship the README.SSL 
> anymore. I believe it should then be clear enough what the status of the 
> feature is.
> 
> I don't think that adding something to the release notes is appropriate per se 
> since this is not a new thing for wheezy at all.
> 
> If this can be applied in unstable/wheezy, I believe the bug can be downgraded 
> to a non-RC bug about the broken functionality.
> 
> Please consider to apply and upload. I'm happy to NMU if you prefer, please 
> let me know.
Thanks, that was something like I had in mind. I'll apply this patch and
upload tomorrow. 

Alex

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20130210/14a6e58b/attachment.pgp>