[Pkg-nagios-devel] Bug#719056: Bug#719056: nagios3 leaks info about install to upstream
Michael Friedrich
michael.friedrich at gmail.com
Fri Jan 3 15:08:39 UTC 2014
Hi,
On 03.01.2014 13:31, Thijs Kinkhorst wrote:
> Hi,
>
>> The file html/rss-newsfeed.php in nagios3 (installed into nagios3-cgi)
>> uses /tmp insecurely by fixed cache dir name:
> Actually, besides the tempfile usage, this PHP script exists to query the
> Nagios upstream website on any load of the front page of the installation,
> which leaks information about machines having Nagios installed. Perhaps
> it's better to just remove this functionality.

I've refactored an old patch against the 3.4.1 release which Debian uses
in order to remove that "feature" entirely. It still leaves the PHP
requirement intact - re-establishing the old html style will make the
patch likely incompatible with upstream.

https://github.com/dnsmichi/nagios-fixed/commits/debian/html-remove-call-home

Note: Also applies against 4.x HEAD.

Furthermore, I've ported a core patch I've implemented for Icinga years
ago, which entirely removes the core's "feature" to schedule daily timed
events for update checks. Upstream allows you to disable those checks
via config option, but it still causes some noops for the unused
functionality. Based on 3.4.1 for Debian too.

https://github.com/dnsmichi/nagios-fixed/commits/debian/core-remove-call-home

Note: Does not apply against 4.x HEAD, there have been too many changes.
A compatible patch is located here:

https://github.com/dnsmichi/nagios-fixed/commits/debian/core4x-remove-call-home

hth
Michael
--
DI (FH) Michael Friedrich
mail: michael.friedrich at gmail.com
twitter: https://twitter.com/dnsmichi
jabber: dnsmichi at jabber.ccc.de
irc: irc.freenode.net/icinga dnsmichi
icinga open source monitoring
position: lead core developer
url: https://www.icinga.org