[Pkg-nagios-devel] Bug#913142: monitoring-plugins-basic: check_http sending extra CRLF after POST data
Pierre TEISSONNIERE (Pierre.TEISSONNIERE at ene.fr)
Wed Nov  7 13:26:15 GMT 2018

Package: monitoring-plugins-basic
Version: 2.2-3
Severity: normal
Dear Maintainer,
   * What led up to the situation ? Using check_http with POST data
   * What exactly did you do (or not do) that was effective (or ineffective) ? check_http is used with POST data to check a web application is answering properly
   * What was the outcome of this action ? Extra CRLF triggering alarm in WAF because not complying to RFC
   * What outcome did you expect instead ? Packet not blocked by WAF
This is a known bug which could lead to security issues (disabled WAF checks to allow requests). cf : https://github.com/nagios-plugins/nagios-plugins/issues/266 
-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages monitoring-plugins-basic depends on:
ii  iputils-ping               3:20161105-1
ii  libc6                      2.24-11+deb9u3
ii  libssl1.1                  1.1.0f-3+deb9u2
ii  monitoring-plugins-common  2.2-3
ii  procps                     2:3.3.12-3+deb9u1
ii  ucf                        3.0036
Versions of packages monitoring-plugins-basic recommends:
ii  libcap2-bin  1:2.25-1
Versions of packages monitoring-plugins-basic suggests:
ii  icinga  1.13.4-2
-- no debconf information
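
The framing problem described in this report can be checked on a captured request by comparing the declared Content-Length with the bytes that actually follow the header block. The following is an added example, not part of the original report and not code from monitoring-plugins; the host, path and body are constructed sample values, and it assumes Content-Length framing only (no chunked transfer encoding).

```python
def surplus_after_body(raw: bytes) -> bytes:
    """Return the bytes that follow the Content-Length-delimited body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lengths = set()
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            lengths.add(value.strip())
    if len(lengths) != 1:
        raise ValueError("missing or conflicting Content-Length")
    (value,) = lengths
    if not value.isdigit():
        raise ValueError("non-numeric Content-Length")
    declared = int(value)
    if len(rest) < declared:
        raise ValueError("body shorter than Content-Length")
    return rest[declared:]


def classify(raw: bytes) -> str:
    """Label a request by what follows its declared body."""
    extra = surplus_after_body(raw)
    if not extra:
        return "ok"
    if extra == b"\r\n":
        return "trailing-crlf"      # the symptom reported in this bug
    return "trailing-data"


def build_request(body: bytes, trailer: bytes = b"") -> bytes:
    """Constructed sample POST; host and path are placeholders."""
    head = (
        b"POST /login HTTP/1.1\r\n"
        b"Host: app.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n"
    )
    return head + body + trailer


SAMPLE_BODY = b"user=a&pass=b"   # constructed sample POST data

if __name__ == "__main__":
    for label, trailer in (("clean", b""), ("extra CRLF", b"\r\n")):
        print(label, "->", classify(build_request(SAMPLE_BODY, trailer)))
```

Run against a capture of the monitoring probe's request, a "trailing-crlf" result confirms that the WAF alert comes from the client's framing rather than from the application, which argues for fixing the probe instead of disabling the WAF check.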
    
    