diff --git a/debian/NEWS b/debian/NEWS
index 48c57ed..2123c7e 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,28 @@
+nagios-nrpe (3.2.0-2) unstable; urgency=medium
+
+ The bug that caused the SSL support between NRPE 2.x and 3.x not
+ to work has been fixed.
+
+ Because the default SSL support without certificates configured
+ in nrpe.cfg uses pre-generated key data, configuring SSL
+ certificates is strongly advised when STunnel is not used.
+
+ The ssl-cert package can be used to generate a self-signed
+ certificate, but CA certificates like those from Let's Encrypt
+ are a better choice.
+
+ SSL support has been re-enabled by default, to be better compatible
+ with previous NRPE versions where SSL support was enabled by default
+ too.
+
+ The check_nrpe command definition has been updated to enable SSL
+ support (by removing the -n option) and the check_nrpe_ssl command
+ definition has been removed. The previous check_nrpe command
+ definition which disables SSL support is available with the new
+ check_nrpe_nossl command definition.
+
+ -- Bas Couwenberg Fri, 07 Jul 2017 13:48:38 +0200
+
 nagios-nrpe (3.0.1-1) unstable; urgency=medium
 
 The check_nrpe command definition has been updated to remove the
diff --git a/debian/changelog b/debian/changelog
index 14f0f80..43dd09e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,48 @@
-nagios-nrpe (3.2.1-1) UNRELEASED; urgency=medium
+nagios-nrpe (3.2.1-1) unstable; urgency=medium
 
- * New Version
+ * New upstream release.
+ * Drop patches included upstream, refresh remaining patches.
 
- -- Mario Fetka Thu, 02 Nov 2017 09:56:43 +0100
+ -- Bas Couwenberg Sun, 03 Sep 2017 10:52:40 +0200
+
+nagios-nrpe (3.2.0-4) unstable; urgency=medium
+
+ * Add upstream patch to turn seteuid errors into warnings.
+ (closes: #868326)
+
+ -- Bas Couwenberg Fri, 14 Jul 2017 16:51:12 +0200
+
+nagios-nrpe (3.2.0-3) unstable; urgency=medium
+
+ * Re-enable SSL support by default.
+ Compatibility with older versions has been fixed.
+
+ -- Bas Couwenberg Fri, 07 Jul 2017 14:08:13 +0200
+
+nagios-nrpe (3.2.0-2) unstable; urgency=medium
+
+ * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined.
+ Thanks to Johan Carlquist for pointing out this issue.
+ * Drop --with-need-dh=no configure option, dh is needed.
+ * Remove deterministic "openssl dhparam" output handling,
+ dh.h not included in upstream source.
+
+ -- Bas Couwenberg Thu, 06 Jul 2017 14:33:39 +0200
+
+nagios-nrpe (3.2.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ (closes: #565643)
+ * Bump Standards-Version to 4.0.0, no changes.
+ * Add autopkgtest to test installability.
+ * Set --with-logdir configure option to /var/log.
+ * Update watch file for GitHub releases.
+ * Update copyright file.
+ * Refresh patches.
+ * Reinstate 11_reproducible_dh.h.patch for reproducible dh.h.
+ * Regenerate dh.h with OpenSSL 1.1.0.
+
+ -- Bas Couwenberg Wed, 05 Jul 2017 09:53:06 +0200
 
 nagios-nrpe (3.1.1-1) unstable; urgency=medium
 
diff --git a/debian/check_nrpe.cfg b/debian/check_nrpe.cfg
index 3ae0622..2b71c31 100644
--- a/debian/check_nrpe.cfg
+++ b/debian/check_nrpe.cfg
@@ -1,11 +1,11 @@
-# this command runs a program $ARG1$ with no arguments and disables SSL support
-define command {
- command_name check_nrpe
- command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
-}
-
 # this command runs a program $ARG1$ with no arguments and enables SSL support
 define command {
- command_name check_nrpe_ssl
+ command_name check_nrpe
 command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
 }
+
+# this command runs a program $ARG1$ with no arguments and disables SSL support
+define command {
+ command_name check_nrpe_nossl
+ command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
+}
diff --git a/debian/control b/debian/control
index 6c79b69..da2362c 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 9),
 libssl-dev,
 libwrap0-dev,
 openssl
-Standards-Version: 3.9.8
+Standards-Version: 4.0.0
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git
 Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git
 Homepage: https://github.com/NagiosEnterprises/nrpe
diff --git a/debian/copyright b/debian/copyright
index 845638c..e1cb223 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -4,8 +4,9 @@ Upstream-Contact: Nagios Users List
 Source: https://github.com/NagiosEnterprises/nrpe
 
 Files: *
-Copyright: 1999-2008, Ethan Galstad (nagios@nagios.org)
- 2009, Nagios Core Development Team and Community Contributors
+Copyright: 2006-2017, Nagios Enterprises
+ 2016, Nagios Core Development Team
+ 1999-2008, Ethan Galstad (nagios@nagios.org)
 License: GPL-2+ with OpenSSL exception
 
 Files: include/acl.h
diff --git a/debian/nagios-nrpe-server.default b/debian/nagios-nrpe-server.default
index 4a263d2..828ef02 100644
--- a/debian/nagios-nrpe-server.default
+++ b/debian/nagios-nrpe-server.default
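Review bot: The comment on the new default `check_nrpe` command says it "enables SSL support" but gives the operator no idea what that SSL provides; with no certificate settings the daemon-side default uses the pre-generated key data this commit ships, and the package's own 07_warn_ssloption.patch states that this mode verifies neither peer, so the command is encryption-only until certificates are configured on both sides. Suggest extending the comment, e.g. `# this command runs a program $ARG1$ with no arguments and enables SSL support` followed by `# (encryption only until certificates are configured; see README.SSL.md.gz in nagios-nrpe-server)`. It would also help to say when the fallback applies: `# use check_nrpe_nossl for agents still started with NRPE_OPTS="-n"`, since those agents will now fail the default command.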
@@ -5,9 +5,7 @@
 # nrpe daemon.
 #
 # The -n option disables SSL support.
-# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
-# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
-NRPE_OPTS="-n"
+#NRPE_OPTS="-n"
 
 # NICENESS is if you want to run the server at a different nice() priority.
 # (only used by the init script)
diff --git a/debian/nagios-nrpe-server.service b/debian/nagios-nrpe-server.service
index 4f56f60..f67c6da 100644
--- a/debian/nagios-nrpe-server.service
+++ b/debian/nagios-nrpe-server.service
@@ -19,5 +19,5 @@ ExecStopPost=/bin/rm -f /var/run/nagios/nrpe.pid
 TimeoutStopSec=60
 User=nagios
 Group=nagios
-PrivateTmp=false
+PrivateTmp=true
 OOMScoreAdjust=-500
diff --git a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
index 8b583cf..6c607fd 100644
--- a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
+++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
@@ -5,10 +5,12 @@ Forwarded: not-needed
 
 --- a/sample-config/nrpe.cfg.in
 +++ b/sample-config/nrpe.cfg.in
-@@ -317,3 +317,14 @@ command[check_total_procs]=@pluginsdir@/
- #command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
- #command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
- #command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+@@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
+ 
+ #include_dir=
+ #include_dir=
++
++
 +
 +# local configuration:
 +# if you'd prefer, you can instead place directives here
diff --git a/debian/patches/07_warn_ssloption.patch b/debian/patches/07_warn_ssloption.patch
index 42377ec..a6f9686 100644
--- a/debian/patches/07_warn_ssloption.patch
+++ b/debian/patches/07_warn_ssloption.patch
@@ -4,19 +4,19 @@ Forwarded: not-needed
 
 --- a/SECURITY.md
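Review bot: Commenting out `NRPE_OPTS="-n"` also deletes the two comment lines that told the administrator to configure SSL in /etc/nagios/nrpe.cfg and pointed at /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz; with SSL now on by default those pointers matter more, not less, because the default runs on the pre-generated DH data from 11_reproducible_dh.h.patch and, per the package's own 07_warn_ssloption.patch, authenticates no peer. Keep a version of them next to the commented option: `# SSL is enabled by default but authenticates neither peer until certificates are configured in /etc/nagios/nrpe.cfg;` and `# see /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.` The `PrivateTmp=true` change in nagios-nrpe-server.service in the same commit is a sound hardening step and needs no change.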
+++ b/SECURITY.md
-@@ -82,14 +82,17 @@ daemon should run as.
- #### ENCRYPTION ####
+@@ -91,14 +91,17 @@ Encryption
+ ----------
  
  If you do enable support for command arguments in the NRPE daemon,
 -make sure that you encrypt communications either by using:
 -
 - 1. Stunnel (see http://www.stunnel.org for more info)
-- 2. Native SSL support (See the `README.SSL.md` file for more info)
+- 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
 +make sure that you encrypt communications by using, for example,
 +Stunnel (see http://www.stunnel.org for more info).
  
- *Do NOT* assume that just because the daemon is behind a firewall
- that you are safe! Always encrypt NRPE traffic!
+ Do **NOT** assume that just because the daemon is behind a firewall
+ that you are safe! ***Always encrypt NRPE traffic!***
 +NOTE: the currently shipped native SSL support of NRPE is not an
 +adequante protection, because it does not verify clients and
@@ -24,5 +24,5 @@ Forwarded: not-needed
 +advised against. For more information, see Debian bug #547092.
 +
  
- #### USING ARGUMENTS ####
- 
+ Using Arguments
+ ---------------
diff --git a/debian/patches/11_reproducible_dh.h.patch b/debian/patches/11_reproducible_dh.h.patch
new file mode 100644
index 0000000..605fb1a
--- /dev/null
+++ b/debian/patches/11_reproducible_dh.h.patch
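Review bot: The refreshed SECURITY.md text still steers readers to Stunnel and says native SSL is "advised against", while this same commit re-enables SSL by default in nagios-nrpe-server.default and in the check_nrpe command; the two should be reconciled so the shipped SECURITY.md describes the actual default (encryption without peer verification until certificates are configured) rather than contradicting it. The context line `+adequante protection` carries a typo that the same refresh could fix to `adequate`. The first hunk header announces 19 old lines but fewer are visible here, so a line may have been lost in this rendering; it is worth confirming the patch still applies cleanly.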
@@ -0,0 +1,79 @@
+Description: Use pre-generated dh.h for reproducible builds.
+Author: Bas Couwenberg
+Bug-Debian: https://bugs.debian.org/834857
+Forwarded: not-needed
+
+--- /dev/null
++++ b/include/dh.h
+@@ -0,0 +1,53 @@
++#ifndef HEADER_DH_H
++# include
++#endif
++
++DH *get_dh2048()
++{
++ static unsigned char dhp_2048[] = {
++ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA,
++ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73,
++ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48,
++ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8,
++ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97,
++ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1,
++ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62,
++ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA,
++ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3,
++ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3,
++ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E,
++ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57,
++ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD,
++ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93,
++ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC,
++ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8,
++ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7,
++ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73,
++ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51,
++ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26,
++ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2,
++ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9,
++ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32,
++ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E,
++ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF,
++ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B
++ };
++ static unsigned char dhg_2048[] = {
++ 0x02
++ };
++ DH *dh = DH_new();
++ BIGNUM *dhp_bn, *dhg_bn;
++
++ if (dh == NULL)
++ return NULL;
++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
++ if (dhp_bn == NULL || dhg_bn == NULL
++ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ DH_free(dh);
++ BN_free(dhp_bn);
++ BN_free(dhg_bn);
++ return NULL;
++ }
++ return dh;
++}
+--- a/macros/ax_nagios_get_ssl
++++ b/macros/ax_nagios_get_ssl
+@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then
+ # Find the openssl program
+ 
+ if test x$need_dh = xyes; then
+- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ AC_DEFINE(USE_SSL_DH)
+- # Generate DH parameters
+- if test -f "$sslbin"; then
+- echo ""
+- echo "*** Generating DH Parameters for SSL/TLS ***"
+- # awk to strip off meta data at bottom of dhparam output
+- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+- fi
+ fi
+ fi
+ fi
diff --git a/debian/patches/series b/debian/patches/series
index 95a107c..15e2844 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 02_nrpe.cfg_local-include_support_nrpe.d.patch
 07_warn_ssloption.patch
+11_reproducible_dh.h.patch
diff --git a/debian/rules b/debian/rules
index 52c915e..12df244 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,7 +12,6 @@ export AUTOHEADER=true
 
 %:
 dh $@ --with autoreconf,systemd --parallel
-# dh $@ --with autoreconf --parallel
 
 override_dh_auto_configure:
 dh_auto_configure -- \
@@ -22,11 +21,9 @@ override_dh_auto_configure:
 --libexecdir=/usr/lib/nagios/plugins \
 --localstatedir=/var \
 --enable-ssl \
- --with-need-dh=no \
+ --with-logdir=/var/log \
 --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
- --with-piddir=/var/run/nagios \
- --enable-command-args \
- --enable-bash-command-substitution
+ --with-piddir=/var/run/nagios
 
 override_dh_auto_build:
 dh_auto_build -- all
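Review bot: `DH *get_dh2048()` in the embedded dh.h is an old-style declaration with no prototype, and the header carries neither an include guard nor `static`, so a second translation unit including it would produce a duplicate definition; `static DH *get_dh2048(void)` would address both, as would a guard around the whole file. The `# include` line shows no header name on this page, which looks like a rendering loss, so confirm the patch file really reads `# include <openssl/dh.h>`. `DH_set0_pqg` only exists from OpenSSL 1.1.0 on, matching the changelog's "Regenerate dh.h with OpenSSL 1.1.0", but debian/control still build-depends on an unversioned `libssl-dev`; a versioned Build-Depends would make that requirement explicit. The patch header should also record how the group was produced (the removed macro lines show it was `openssl dhparam -C 2048`) so the committed parameters can be regenerated and their provenance checked; a fixed public DH group is acceptable as a parameter set, but a sentence in the header saying it only replaces the build-time generation, and does not change that the default configuration authenticates no peer, would prevent readers from taking "reproducible" for "hardened".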
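Review bot: The configure call drops `--enable-command-args` and `--enable-bash-command-substitution`, which changes what the built daemon can do for anyone relying on remote command arguments, yet none of the changelog or NEWS entries in this commit mention it; at minimum a changelog line is needed, and a NEWS paragraph if argument passing really stops working for existing configurations. If the options were removed because the 3.x configure script no longer recognises them, say so in the changelog instead, so the next maintainer does not reinstate them by mistake. Dropping `--with-need-dh=no` is documented in the 3.2.0-2 changelog entry and needs nothing further.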
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..3b18c6d
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+# Test installability
+Depends: @
+Test-Command: /bin/true
diff --git a/debian/watch b/debian/watch
index 13c2bb4..b512ed5 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,5 +1,7 @@
 version=3
 opts=\
 dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\
-uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g \
-http://sf.net/nagios/nrpe-([\d\.]+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g,\
+filenamemangle=s/(?:.*?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))/nrpe-$1.$2/ \
+https://github.com/NagiosEnterprises/nrpe/releases \
+(?:.*?/archive\/)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))