Hi Alex,

> > All agreed... but would you consider to add some big warnings about that
> > fact? :)
> That's something for the release notes or readme.debian. Feel free to send a
> patch.

I do not believe the issue should mean that NRPE is so critically flawed that 
it should be removed from Wheezy: as sketched there are quite some ways to use 
NRPE safely, including other ways to do encryption. Also, when not allowing 
command-line parameters in the protocol (the default), for many environments 
the existing network-level safeguards and local firewalls and network ACLs 
may provide adequate protection. So the key to this bug is to add 
documentation that this specific feature is not to be relied on, as you said.

I've added a patch which I think does this. It adds a warning in 
README.Debian, it rewrites the shipped SECURITY file to convert the mention of 
the facility into a warning against it, and doesn't ship the README.SSL 
anymore. I believe it should then be clear enough what the status of the 
feature is.

I don't think that adding something to the release notes is appropriate per se 
since this is not a new thing for wheezy at all.

If this can be applied in unstable/wheezy, I believe the bug can be downgraded 
to a non-RC bug about the broken functionality.

Please consider applying and uploading. I'm happy to NMU if you prefer; please 
let me know.


Cheers,
Thijs

diff -u nagios-nrpe-2.13/debian/changelog nagios-nrpe-2.13/debian/changelog
--- nagios-nrpe-2.13/debian/changelog
+++ nagios-nrpe-2.13/debian/changelog
@@ -1,3 +1,10 @@
+nagios-nrpe (2.13-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add warning about the inadequateness of the 'ssl' option.
+
+ -- Thijs Kinkhorst <th...@debian.org>  Sun, 10 Feb 2013 14:52:37 +0100
+
 nagios-nrpe (2.13-1) unstable; urgency=low
 
   * [3e113b5] Imported Upstream version 2.13
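Review bot: the new changelog entry ("* Add warning about the inadequateness of the 'ssl' option.") does not reference the bug this upload addresses, although the dpatch in the same patch cites Debian bug #547092; add the bug number so the upload is tied to the report, e.g. `* Add warning about the inadequacy of the 'ssl' option (see #547092).` (a plain reference rather than a Closes: tag, since the thread proposes downgrading the bug, not closing it). "inadequateness" also reads better as "inadequacy".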
diff -u nagios-nrpe-2.13/debian/README.Debian nagios-nrpe-2.13/debian/README.Debian
--- nagios-nrpe-2.13/debian/README.Debian
+++ nagios-nrpe-2.13/debian/README.Debian
@@ -11 +11,11 @@
-Most options can be overridden from there
+Most options can be overridden from there.
+
+Do not rely on SSL mode for security
+------------------------------------
+
+NRPE contains an SSL mode which encrypts the data over the NRPE channel.
+The current implementation does not verify client or server and uses
+pregenerated key data by default. It cannot be fixed right away because
+it would break the existing NRPE protocol.
+
+Please refer to the file SECURITY in this directory for more information.
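Review bot: the added "Do not rely on SSL mode for security" section describes the weakness but gives no guidance on what to use instead, while the SECURITY text in the same patch points to Stunnel; add that pointer here (e.g. "If you need encryption, use an external tunnel such as Stunnel.") and cite Debian bug #547092 as SECURITY does, so both documents tell the same story. Consider rewording "does not verify client or server" as "does not authenticate either the client or the server", which states the consequence explicitly.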
diff -u nagios-nrpe-2.13/debian/docs nagios-nrpe-2.13/debian/docs
--- nagios-nrpe-2.13/debian/docs
+++ nagios-nrpe-2.13/debian/docs
@@ -1,4 +1,3 @@
 README
-README.SSL
 LEGAL
 SECURITY
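Review bot: dropping README.SSL from debian/docs is consistent with the warning, but nothing in the patch tells a user who previously followed that file where it went; mention the removal in the changelog entry (which currently only speaks of adding a warning) and add one sentence to the README.Debian section noting that README.SSL is intentionally no longer shipped.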
diff -u nagios-nrpe-2.13/debian/patches/00list nagios-nrpe-2.13/debian/patches/00list
--- nagios-nrpe-2.13/debian/patches/00list
+++ nagios-nrpe-2.13/debian/patches/00list
@@ -6,0 +7 @@
+07_warn_ssloption.dpatch
only in patch2:
unchanged:
--- nagios-nrpe-2.13.orig/debian/patches/07_warn_ssloption.dpatch
+++ nagios-nrpe-2.13/debian/patches/07_warn_ssloption.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 07_warn_ssloption.dpatch by Thijs Kinkhorst <th...@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Warn against inadequateness of NRPE's own SSL option.
+
+--- a/SECURITY	2013-02-10 15:07:18.000000000 +0100
++++ b/SECURITY	2013-02-10 15:08:50.000000000 +0100
+@@ -67,14 +67,17 @@
+ ----------
+ 
+ If you do enable support for command arguments in the NRPE daemon,
+-make sure that you encrypt communications either by using:
+-
+-   1.  Stunnel (see http://www.stunnel.org for more info)
+-   2.  Native SSL support
++make sure that you encrypt communications either by using, for
++example, Stunnel (see http://www.stunnel.org for more info).
+ 
+ Do NOT assume that just because the daemon is behind a firewall
+ that you are safe!  Always encrypt NRPE traffic!
+ 
++NOTE: the currently shipped native SSL support of NRPE is not an
++adequante protection, because it does not verify clients and
++server, and uses pregenerated key material. NRPE's SSL option is
++advised against. For more information, see Debian bug #547092.
++
+ 
+ USING ARGUMENTS
+ ---------------
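Review bot: typo in the added NOTE paragraph of the SECURITY hunk: "adequante" should be "adequate". In the rewritten sentence above it, "make sure that you encrypt communications either by using, for example, Stunnel" leaves "either" dangling now that the second list item is gone; suggest "make sure that you encrypt communications, for example by using Stunnel (see http://www.stunnel.org for more info)." Also "does not verify clients and server" mixes number; "does not verify either the client or the server" reads better.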
