[Pkg-nagios-devel] Bug#547092: Bug#547092: Bug#547092: Bug#547092: nrpe ssl security problem
Alexander Wirt
formorer at debian.org
Mon Feb 11 16:58:04 UTC 2013
On Sun, 10 Feb 2013, Thijs Kinkhorst wrote:
> Hi Alex,
>
> > > All agreed... but would you consider to add some big warnings about that
> > > fact? :)
> > That's something for the release notes or readme.debian. Feel free to send a
> > patch.
>
> I do not believe the issue should mean that NRPE is so critically flawed that
> it should be removed from Wheezy: as sketched there are quite some ways to use
> NRPE safely, including other ways to do encryption. Also, when not allowing
> command line parameters in the protocol (the default), for many environments
> the existing network-level safeguards and local firewalls and network ACLs
> may provide adequate protection. So the key to this bug is to add
> documentation that this specific feature is not to be relied on, as you said.
>
> I've added a patch which I think does this. It adds a warning in
> README.Debian, it rewrites the shipped SECURITY file to convert the mention of
> the facility into a warning against it, and doesn't ship the README.SSL
> anymore. I believe it should then be clear enough what the status of the
> feature is.
>
> I don't think that adding something to the release notes is appropriate per se
> since this is not a new thing for wheezy at all.
>
> If this can be applied in unstable/wheezy, I believe the bug can be downgraded
> to a non-RC bug about the broken functionality.
>
> Please consider to apply and upload. I'm happy to NMU if you prefer, please
> let me know.
And uploaded.
Thanks
Alex