[Pkg-nagios-devel] Bug#867567: stretch-pu: package nagios-nrpe/3.0.1-3+deb9u1

Bas Couwenberg sebastic at xs4all.nl
Fri Jul 7 13:04:12 UTC 2017


Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

To fix the incompatibility between NRPE 2.x and 3.x releases when SSL
support is enabled, I'd like to propose the following update.

There was a bug in the patch for reproducible builds which disabled the
DH support causing SSL support without certificates configured not to
work.

This issue is discussed in the following upstream issue:

 https://github.com/NagiosEnterprises/nrpe/issues/113

Thanks to Johan Carlquist for reporting the fix.

Because previous versions of NRPE in Debian and the package as built by
other distributions use SSL by default, the SSL support has been
enabled by default in the Debian package again too.

With these proposed changes users upgrading from jessie to stretch don't
have to reconfigure their monitoring environment to disable SSL.

Users that have already reconfigured their monitoring environment to
disable SSL for NRPE can either leave it as-is, or re-enable the SSL
support for NRPE too.

Kind Regards,

Bas
-------------- next part --------------
diff -Nru nagios-nrpe-3.0.1/debian/changelog nagios-nrpe-3.0.1/debian/changelog
--- nagios-nrpe-3.0.1/debian/changelog	2016-12-24 10:24:09.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/changelog	2017-07-07 14:15:25.000000000 +0200
@@ -1,3 +1,13 @@
+nagios-nrpe (3.0.1-3+deb9u1) stretch; urgency=medium
+
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined.
+    Thanks to Johan Carlquist for pointing out this issue.
+  * Re-enable SSL support by default.
+    Compatibility with older versions has been fixed.
+
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 07 Jul 2017 14:15:25 +0200
+
 nagios-nrpe (3.0.1-3) unstable; urgency=medium
 
   * Add reload command to systemd service file.
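Review bot: the new 3.0.1-3+deb9u1 entry does not mention the change to the command definitions in debian/check_nrpe.cfg, where check_nrpe_ssl is removed and check_nrpe_nossl is added. "Re-enable SSL support by default" does not tell someone reading only the changelog that an existing command name disappears. Add a bullet such as "Add check_nrpe_nossl command definition, remove check_nrpe_ssl."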
diff -Nru nagios-nrpe-3.0.1/debian/check_nrpe.cfg nagios-nrpe-3.0.1/debian/check_nrpe.cfg
--- nagios-nrpe-3.0.1/debian/check_nrpe.cfg	2016-12-23 23:23:21.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/check_nrpe.cfg	2017-07-07 14:13:19.000000000 +0200
@@ -1,11 +1,11 @@
-# this command runs a program $ARG1$ with no arguments and disables SSL support
+# this command runs a program $ARG1$ with no arguments and enables SSL support
 define command {
 	command_name	check_nrpe
-	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
+	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
 }
 
-# this command runs a program $ARG1$ with no arguments and enables SSL support
+# this command runs a program $ARG1$ with no arguments and disables SSL support
 define command {
-	command_name	check_nrpe_ssl
-	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
+	command_name	check_nrpe_nossl
+	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
 }
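Review bot: removing the check_nrpe_ssl definition in the second command block breaks every service definition that already references that name, which is avoidable in a stable update. Keep check_nrpe_ssl as a third block with the same command_line as the new check_nrpe (no -n), next to the added check_nrpe_nossl, so configurations written against 3.0.1-3 keep loading.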
diff -Nru nagios-nrpe-3.0.1/debian/control nagios-nrpe-3.0.1/debian/control
--- nagios-nrpe-3.0.1/debian/control	2016-12-23 23:23:21.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/control	2017-07-07 14:13:11.000000000 +0200
@@ -11,7 +11,7 @@
                openssl
 Standards-Version: 3.9.8
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git
-Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git -b stretch
 Homepage: https://github.com/NagiosEnterprises/nrpe
 
 Package: nagios-nrpe-server
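Review bot: Vcs-Git now names the stretch branch, but the unchanged Vcs-Browser line above it still points at the repository's default view. If the two fields are meant to match, add the branch there as well (cgit accepts ?h=stretch on the URL).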
diff -Nru nagios-nrpe-3.0.1/debian/gbp.conf nagios-nrpe-3.0.1/debian/gbp.conf
--- nagios-nrpe-3.0.1/debian/gbp.conf	2016-12-23 23:23:21.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/gbp.conf	2017-07-07 14:13:11.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default
--- nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default	2016-12-23 23:23:21.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default	2017-07-07 14:13:19.000000000 +0200
@@ -5,9 +5,7 @@
 # nrpe daemon.
 #
 # The -n option disables SSL support.
-# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
-# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
-NRPE_OPTS="-n"
+#NRPE_OPTS="-n"
 
 # NICENESS is if you want to run the server at a different nice() priority.
 # (only used by the init script)
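Review bot: deleting the two comment lines above NRPE_OPTS also deletes the only pointer in this file to /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz, while the NEWS entry in this same update strongly advises configuring certificates. Keep the "See ... README.SSL.md.gz for instructions" line, reworded for the new default, above the commented-out #NRPE_OPTS="-n". Also note there that the monitoring host must use the matching command definition (check_nrpe with SSL, check_nrpe_nossl with -n).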
diff -Nru nagios-nrpe-3.0.1/debian/NEWS nagios-nrpe-3.0.1/debian/NEWS
--- nagios-nrpe-3.0.1/debian/NEWS	2016-12-23 23:23:21.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/NEWS	2017-07-07 14:15:00.000000000 +0200
@@ -1,3 +1,28 @@
+nagios-nrpe (3.0.1-3+deb9u1) stretch; urgency=medium
+
+  The bug that caused the SSL support between NRPE 2.x and 3.x not
+  to work has been fixed.
+
+  Because the default SSL support without certificates configured
+  in nrpe.cfg uses pre-generated key data, configuring SSL
+  certificates is strongly advised when STunnel is not used.
+
+  The ssl-cert package can be used to generate a self-signed
+  certificate, but CA certificates like those from Let's Encrypt
+  are a better choice.
+
+  SSL support has been re-enabled by default, to be better compatible
+  with previous NRPE versions where SSL support was enabled by default
+  too.
+
+  The check_nrpe command definition has been updated to enable SSL
+  support (by removing the -n option) and the check_nrpe_ssl command
+  definition has been removed. The previous check_nrpe command
+  definition which disables SSL support is available with the new
+  check_nrpe_nossl command definition.
+
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 07 Jul 2017 13:48:38 +0200
+
 nagios-nrpe (3.0.1-1) unstable; urgency=medium
 
   The check_nrpe command definition has been updated to remove the
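Review bot: the second paragraph of the new NEWS entry says the default SSL mode "uses pre-generated key data" but not what follows from that. The 11_reproducible_dh.h.patch change in this same diff shows that dh.h is no longer generated during the build, so state plainly that this data is the same on every installation, and point to /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for the certificate setup. The entry also has no instruction for hosts already running with NRPE_OPTS="-n". One sentence saying they can keep that setting, with check_nrpe_nossl on the monitoring side, would cover the case described in the cover mail.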
diff -Nru nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch
--- nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch	2016-12-23 23:23:21.000000000 +0100
+++ nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch	2017-07-07 14:13:11.000000000 +0200
@@ -47,14 +47,21 @@
 +		{ DH_free(dh); return(NULL); }
 +	return(dh);
 +	}
---- a/configure.ac
-+++ b/configure.ac
-@@ -307,7 +307,7 @@ AC_ARG_ENABLE([ssl],
- dnl Optional SSL library and include paths
- if test x$check_for_ssl = xyes; then
- 	# need_dh should only be set for NRPE
--	need_dh=yes
-+	need_dh=no
- 	AC_NAGIOS_GET_SSL
- fi
+--- a/macros/ax_nagios_get_ssl
++++ b/macros/ax_nagios_get_ssl
+@@ -287,15 +287,7 @@ if test x$SSL_TYPE != xNONE; then
+ 		# Find the openssl program
  
+ 		if test x$need_dh = xyes; then
+-			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ 			AC_DEFINE(USE_SSL_DH)
+-			# Generate DH parameters
+-			if test -f "$sslbin"; then
+-				echo ""
+-				echo "*** Generating DH Parameters for SSL/TLS ***"
+-				# awk to strip off meta data at bottom of dhparam output
+-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+-			fi
+ 		fi
+ 	fi
+ fi
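Review bot: with the "$sslbin dhparam -C 2048 ... > include/dh.h" step removed and AC_DEFINE(USE_SSL_DH) kept, the build relies entirely on the dh.h content added earlier in this patch, so every build ships the same DH parameters. Say so in the patch description, which sits above line 47 and is not part of this hunk, and update it if it still describes the dropped configure.ac change. Also confirm that nothing later in macros/ax_nagios_get_ssl still reads $sslbin now that the AC_PATH_PROG line is gone.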

