Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package nagios-plugins-contrib

We had to fix several plugins:
- check_raid: failed to work with EPN, #851351
- check_raid: detection of broken hotspares fails for mdadm raids.
  #855054
- check_ssl_cert: broken due to changes introduced with openssl 1.1.
  #855253
  I've added an autopkgtest to ensure that such issues are detected
  earlier.
- check_cert_expire_dirs failed to find check_cert_expire, so it did not
  work at all. #855155

A diff between 20.20170118 and 21.20170222 is attached.

Thanks,

Bernd


unblock nagios-plugins-contrib/21.20170222

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/check_ssl_cert/tests b/check_ssl_cert/tests
new file mode 100644
index 0000000..5417af1
--- /dev/null
+++ b/check_ssl_cert/tests
@@ -0,0 +1,2 @@
+Depends: openssl, curl, file
+Test-Command: /usr/lib/nagios/plugins/check_ssl_cert -H www.debian.org
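Review bot: The added `Test-Command:` line contacts www.debian.org, so this autopkgtest needs outbound network access and its result depends on the state of a live external certificate, not on the plugin alone. The stanza declares no restriction for that; if the autopkgtest version in use supports it, add `Restrictions: needs-internet` so that runners without network access skip the test instead of reporting a failure. The same stanza is copied into debian/tests/control later in this diff and has the same gap. It is also not visible from here whether this invocation reaches the OCSP code path that the #855253 fix rewrites, so the test may not cover the regression it was added for.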
diff --git a/debian/changelog b/debian/changelog
index 5e48333..c6fb690 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+nagios-plugins-contrib (21.20170222) unstable; urgency=medium
+
+  [ Bernd Zeimetz ]
+  * [5091e4a] Disable EPN for check_raid.
+    Thanks to Daniel Pocock (Closes: #851351)
+  * [5bdff51] check_raid: fix failed mdadm hotspare detection.
+    Thanks to Sascha Steinbiss (Closes: #855054)
+  * [5232be1] percona-nagios-plugins: fix bashism.
+    Thanks to Raphael Geissert (Closes: #772278)
+
+  [ Stefan Schörghofer ]
+  * [6495faa] Fixes check_ssl_cert problems with Openssl > 1.1.x
+    (Closes: #855253)
+
+  [ Bernd Zeimetz ]
+  * [bf4fb49] Add autopkgtest for check_ssl_cert.
+  * [9aacdb6] Auto update of debian/tests/control
+  * [0d7ac29] Fix check_cert_expire_dirs to make it work at all.
+    check_cert_expire_dirs was not able to find
+    check_cert_expire. Fixing that. (Closes: #855155)
+
+ -- Bernd Zeimetz <b...@debian.org>  Wed, 22 Feb 2017 14:32:22 +0100
+
 nagios-plugins-contrib (20.20170118) unstable; urgency=medium
 
   [ Evgeni Golov ]
diff --git a/debian/patches/check_raid/fix_mdadm_hotspare_failure_detection 
b/debian/patches/check_raid/fix_mdadm_hotspare_failure_detection
new file mode 100644
index 0000000..c81437a
--- /dev/null
+++ b/debian/patches/check_raid/fix_mdadm_hotspare_failure_detection
@@ -0,0 +1,11 @@
+--- a/check_raid/check_raid
++++ b/check_raid/check_raid
+@@ -3661,7 +3661,7 @@ $fatpacked{"App/Monitoring/Plugin/CheckR
+               } elsif (@fd > 0) {
+                       # FIXME: this is same as above?
+                       $this->warning;
+-                      $s .= "hot-spare failure:". join(",", 
@{$md{failed_disks}}) .":$md{status}";
++                      $s .= "hot-spare failure:". join(",", @fd) 
.":$md{status}";
+   
+               } else {
+                       $s .= "$md{status}";
diff --git a/debian/patches/check_raid/no_epn b/debian/patches/check_raid/no_epn
new file mode 100644
index 0000000..9ce8a44
--- /dev/null
+++ b/debian/patches/check_raid/no_epn
@@ -0,0 +1,8 @@
+--- a/check_raid/check_raid
++++ b/check_raid/check_raid
+@@ -1,4 +1,5 @@
+ #!/usr/bin/perl
++# nagios: -epn
+ 
+ # This chunk of stuff was generated by App::FatPacker. To find the original
+ # file's code, look for the end of this BEGIN block or the string 'FATPACK'
diff --git a/debian/patches/check_ssl_cert/bug-855253-fix 
b/debian/patches/check_ssl_cert/bug-855253-fix
new file mode 100644
index 0000000..c0408f9
--- /dev/null
+++ b/debian/patches/check_ssl_cert/bug-855253-fix
@@ -0,0 +1,196 @@
+--- a/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
++++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
+@@ -969,8 +969,12 @@
+ 
+     if [ -n "${OCSP}" ] ; then
+ 
+-        ISSUER_CERT="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
+-        if [ -z "${ISSUER_CERT}" ] || [ ! -w "${ISSUER_CERT}" ] ; then
++        ISSUER_CERT_TMP="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
++        if [ -z "${ISSUER_CERT_TMP}" ] || [ ! -w "${ISSUER_CERT_TMP}" ] ; then
++            unknown 'temporary file creation failure.'
++        fi
++        ISSUER_CERT_TMP2="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
++        if [ -z "${ISSUER_CERT_TMP2}" ] || [ ! -w "${ISSUER_CERT_TMP2}" ] ; 
then
+             unknown 'temporary file creation failure.'
+         fi
+ 
+@@ -992,7 +996,7 @@
+ 
+     # Cleanup before program termination
+     # Using named signals to be POSIX compliant
+-    trap 'rm -f $CERT $ERROR $ISSUER_CERT' EXIT HUP INT QUIT TERM
++    trap 'rm -f $CERT $ERROR $ISSUER_CERT_TMP $ISSUER_CERT_TMP2' EXIT HUP INT 
QUIT TERM
+ 
+     fetch_certificate
+ 
+@@ -1348,8 +1352,11 @@
+     # Check the validity
+     if [ -z "${NOEXP}" ] ; then
+ 
++        if [ -n "${DEBUG}" ] ; then
++            echo "[DBG] Checking expiration date"
++        fi
+         # We always check expired certificates
+-        if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 ; then
++        if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 > /dev/null ; then
+             critical "certificate is expired (was valid until $DATE)"
+         fi
+ 
+@@ -1359,7 +1366,7 @@
+                 echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout 
-checkend $(( CRITICAL * 86400 ))"
+             fi
+ 
+-            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 
86400 )) ; then
++            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 
86400 )) > /dev/null ; then
+                 critical "certificate will expire on $DATE"
+             fi
+ 
+@@ -1371,7 +1378,7 @@
+                 echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout 
-checkend $(( WARNING * 86400 ))"
+             fi
+ 
+-            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 
86400 )) ; then
++            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 
86400 )) > /dev/null ; then
+                 warning "certificate will expire on $DATE"
+             fi
+ 
+@@ -1504,34 +1511,36 @@
+     if [ -n "${OCSP}" ]; then
+ 
+       if [ -n "${DEBUG}" ] ; then
+-          echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to 
${ISSUER_CERT}"
++          echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to 
${ISSUER_CERT_TMP}"
+       fi
+       
+-        curl --silent "${ISSUER_URI}" > "${ISSUER_CERT}"
++        curl --silent "${ISSUER_URI}" > "${ISSUER_CERT_TMP}"
+ 
+       if [ -n "${DEBUG}" ] ; then
+-          echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} 
"${ISSUER_CERT}" | sed 's/.*://' )"
++          echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} 
"${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+       fi
+       
+       # check the result
+-      if ! "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': (ASCII|PEM)' ; then
++      if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': (ASCII|PEM)' ; then
+       
+-            if "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': data' ; then
++            if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': data' ; then
+               
+               if [ -n "${DEBUG}" ] ; then
+                   echo "[DBG] OCSP: converting issuer certificate from DER to 
PEM"
+               fi
+               
+-              openssl x509 -inform DER -outform PEM -in "${ISSUER_CERT}" -out 
"${ISSUER_CERT}"
++    cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
++
++    $OPENSSL x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out 
"${ISSUER_CERT_TMP}"
+ 
+-          else
++      else
+ 
+               unknown "Unable to fetch OCSP issuer certificate."
+ 
+-          fi
++      fi
+               
+               
+-        fi
++    fi
+ 
+       if [ -n "${DEBUG}" ] ; then
+ 
+@@ -1543,7 +1552,7 @@
+           
+           echo "[DBG] OCSP: storing a copy of the retrieved issuer 
certificate to ${FILE_NAME}"
+           
+-          cp "${ISSUER_CERT}" "${FILE_NAME}"
++          cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
+       fi
+       
+         OCSP_HOST="$(echo "${OCSP_URI}" | sed -e 
"s@.*//\([^/]\+\)\(/.*\)\?\$@\1@g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
+@@ -1563,33 +1572,54 @@
+               echo "[DBG] openssl ocsp support the -header option"
+           fi
+           
++      # the -header option was first accepting key and value separated by 
space. The newer versions are using key=value
++      KEYVALUE=""
++      if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] openssl ocsp -header requires 'key=value'"
++          fi
++          KEYVALUE=1
++      else
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] openssl ocsp -header requires 'key value'"
++          fi
++      fi  
++
+           # http_proxy is sometimes lower- and sometimes uppercase. Programs 
usually check both
+           # shellcheck disable=SC2154
+           if [ -n "${http_proxy}" ] ; then
+               HTTP_PROXY="${http_proxy}"
+           fi
+ 
+-            if [ -n "${HTTP_PROXY:-}" ] ; then
++      if [ -n "${HTTP_PROXY:-}" ] ; then
++          if [ -n "${KEYVALUE}" ] ; then          
++              if [ -n "${DEBUG}" ] ; then
++                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer 
${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} 
-header HOST=${OCSP_HOST}"
++              fi
++              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path 
"${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
++          else
++              if [ -n "${DEBUG}" ] ; then
++                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer 
${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} 
-header HOST ${OCSP_HOST}"
++              fi
++              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path 
"${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+               
+-              if [ -n "${DEBUG}" ] ; then
+-                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer 
${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header 
HOST ${OCSP_HOST}"
+-              fi
+-
+-                OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" 
-cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST 
"${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
+-
+-            else
+-              
+-              if [ -n "${DEBUG}" ] ; then
+-                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer 
${ISSUER_CERT} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST 
${OCSP_HOST}"
+-              fi
+-
+-                OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" 
-cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i 
"ssl_cert")"
++                    fi
++      fi
+ 
+-
+-            fi
++      if [ -n "${KEYVALUE}" ] ; then
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer 
${ISSUER_CERT_TMP} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header 
HOST=${OCSP_HOST}"
++          fi
++          OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" 
-cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
++      else
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer 
${ISSUER_CERT_TMP} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST 
${OCSP_HOST}"
++          fi
++              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST 
"${OCSP_HOST}" 2>&1 )"
++      fi
+           
+           if [ -n "${DEBUG}" ] ; then
+-              echo "[DBG] OCSP: response = ${OCSP_RESP}"      
++                    echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
+           fi
+           
+             if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+@@ -1597,9 +1627,9 @@
+             elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then           
+           
+                 if [ -n "${HTTP_PROXY:-}" ] ; then
+-                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 
"${OCSP_HEADER}" 2>&1 )"
++                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path 
"${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+                 else
+-                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer 
"${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+                 fi
+               critical "${OCSP_RESP}"
+           
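Review bot: In the inner hunk at `@@ -1563,33 +1572,54 @@`, the proxy branch is now closed with `fi` and the direct `-url` query that follows is no longer in an `else`, so it runs even when `HTTP_PROXY` is set and overwrites the `OCSP_RESP` obtained through the proxy. On a host that can only reach the responder through the proxy, the direct query would presumably fail, and the `revoked`/`good` greps would then evaluate the wrong response. Restoring the original shape fixes it: replace the `fi` that closes the `if [ -n "${HTTP_PROXY:-}" ]` block with `else`, and add one `fi` after the direct-query block. The capability probe in the same hunk calls `openssl ocsp -help` while every query uses `$OPENSSL`; it should be `if $OPENSSL ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then` so that the probed binary is the one that is run. The enclosing function starts and ends outside the hunk.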
diff --git a/debian/patches/dsa/check_cert_expire_dir_check_name_fix 
b/debian/patches/dsa/check_cert_expire_dir_check_name_fix
new file mode 100644
index 0000000..6d8cb38
--- /dev/null
+++ b/debian/patches/dsa/check_cert_expire_dir_check_name_fix
@@ -0,0 +1,14 @@
+--- a/dsa/checks/dsa-check-cert-expire-dir
++++ b/dsa/checks/dsa-check-cert-expire-dir
+@@ -26,9 +26,9 @@
+ 
+ sn="$0"
+ if [ "${sn%/*}" = "$sn" ]; then
+-  CERT_CHECK=dsa-check-cert-expire
++  CERT_CHECK=check_cert_expire
+ else
+-  CERT_CHECK="${sn%/*}/dsa-check-cert-expire"
++  CERT_CHECK="${sn%/*}/check_cert_expire"
+ fi
+ 
+ if [ "$#" != 1 ] ; then
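Review bot: When the script is started without a directory component in `$0`, the new `CERT_CHECK=check_cert_expire` is a bare name and is resolved through `PATH`. The plugin directory is usually not on `PATH`, so this branch may still fail to find the helper, and whichever match `PATH` yields first would run under the monitoring account. Assuming the helper is installed next to the other plugins, a fixed fallback such as `CERT_CHECK=/usr/lib/nagios/plugins/check_cert_expire` avoids both problems. How `CERT_CHECK` is invoked is outside the hunk.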
diff --git a/debian/patches/percona-nagios-plugins/fix_bashism 
b/debian/patches/percona-nagios-plugins/fix_bashism
new file mode 100644
index 0000000..ec431a2
--- /dev/null
+++ b/debian/patches/percona-nagios-plugins/fix_bashism
@@ -0,0 +1,8 @@
+--- a/percona-nagios-plugins/nagios/bin/pmp-check-mysql-ts-count
++++ b/percona-nagios-plugins/nagios/bin/pmp-check-mysql-ts-count
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ 
+ # ########################################################################
+ # This program is part of $PROJECT_NAME$
diff --git a/debian/patches/series b/debian/patches/series
index ca6f2f8..43e32e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+dsa/check_cert_expire_dir_check_name_fix
 dsa/check_running_kernel_jessie_centos_fix
 check_ajp/return_critical_on_failed_connection
 check_backuppc/use_nagios_plugins
@@ -43,10 +44,13 @@ dsa/check_packages_location
 dsa/status_directory
 dsa/check_packages-inifile
 dsa/epn
-
 dsa/check_packages_,_fix
 check_cups/ParseDateDelta
 check_printer/epn
 check_nfsmounts/nfs4_support
 check_httpd_status/htdigest_auth
 check_varnish/fix_for_v5
+check_raid/no_epn
+check_raid/fix_mdadm_hotspare_failure_detection
+percona-nagios-plugins/fix_bashism
+check_ssl_cert/bug-855253-fix
diff --git a/debian/tests/control b/debian/tests/control
index bcc9ecc..0fa3aa0 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -19,6 +19,9 @@ Restrictions: needs-root, allow-stderr, isolation-container
 Depends: lsof, libyaml-syck-perl, @
 Test-Command: /usr/lib/nagios/plugins/check_libs
 
+Depends: openssl, curl, file, @
+Test-Command: /usr/lib/nagios/plugins/check_ssl_cert -H www.debian.org
+
 Depends: libmonitoring-plugin-perl | libnagios-plugin-perl, @
 Test-Command: /usr/lib/nagios/plugins/check_uptime -f
 
