Imported Debian patch 3.2.1-1

This commit is contained in:
Bas Couwenberg 2017-09-03 10:52:40 +02:00 committed by Mario Fetka
parent 4a36dbfc28
commit 95cae8cb0c
14 changed files with 183 additions and 35 deletions

25
debian/NEWS vendored

@ -1,3 +1,28 @@
nagios-nrpe (3.2.0-2) unstable; urgency=medium
The bug that caused the SSL support between NRPE 2.x and 3.x not
to work has been fixed.
Because the default SSL support without certificates configured
in nrpe.cfg uses pre-generated key data, configuring SSL
certificates is strongly advised when STunnel is not used.
The ssl-cert package can be used to generate a self-signed
certificate, but CA certificates like those from Let's Encrypt
are a better choice.
SSL support has been re-enabled by default, to be better compatible
with previous NRPE versions where SSL support was enabled by default
too.
The check_nrpe command definition has been updated to enable SSL
support (by removing the -n option) and the check_nrpe_ssl command
definition has been removed. The previous check_nrpe command
definition which disables SSL support is available with the new
check_nrpe_nossl command definition.
-- Bas Couwenberg <sebastic@debian.org> Fri, 07 Jul 2017 13:48:38 +0200
nagios-nrpe (3.0.1-1) unstable; urgency=medium nagios-nrpe (3.0.1-1) unstable; urgency=medium
The check_nrpe command definition has been updated to remove the The check_nrpe command definition has been updated to remove the

46
debian/changelog vendored

@ -1,8 +1,48 @@
nagios-nrpe (3.2.1-1) UNRELEASED; urgency=medium nagios-nrpe (3.2.1-1) unstable; urgency=medium
* New Version * New upstream release.
* Drop patches included upstream, refresh remaining patches.
-- Mario Fetka <mario.fetka@gmail.com> Thu, 02 Nov 2017 09:56:43 +0100 -- Bas Couwenberg <sebastic@debian.org> Sun, 03 Sep 2017 10:52:40 +0200
nagios-nrpe (3.2.0-4) unstable; urgency=medium
* Add upstream patch to turn seteuid errors into warnings.
(closes: #868326)
-- Bas Couwenberg <sebastic@debian.org> Fri, 14 Jul 2017 16:51:12 +0200
nagios-nrpe (3.2.0-3) unstable; urgency=medium
* Re-enable SSL support by default.
Compatibility with older versions has been fixed.
-- Bas Couwenberg <sebastic@debian.org> Fri, 07 Jul 2017 14:08:13 +0200
nagios-nrpe (3.2.0-2) unstable; urgency=medium
* Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined.
Thanks to Johan Carlquist for pointing out this issue.
* Drop --with-need-dh=no configure option, dh is needed.
* Remove deterministic "openssl dhparam" output handling,
dh.h not included in upstream source.
-- Bas Couwenberg <sebastic@debian.org> Thu, 06 Jul 2017 14:33:39 +0200
nagios-nrpe (3.2.0-1) unstable; urgency=medium
* New upstream release.
(closes: #565643)
* Bump Standards-Version to 4.0.0, no changes.
* Add autopkgtest to test installability.
* Set --with-logdir configure option to /var/log.
* Update watch file for GitHub releases.
* Update copyright file.
* Refresh patches.
* Reinstate 11_reproducible_dh.h.patch for reproducible dh.h.
* Regenerate dh.h with OpenSSL 1.1.0.
-- Bas Couwenberg <sebastic@debian.org> Wed, 05 Jul 2017 09:53:06 +0200
nagios-nrpe (3.1.1-1) unstable; urgency=medium nagios-nrpe (3.1.1-1) unstable; urgency=medium

14
debian/check_nrpe.cfg vendored

@ -1,11 +1,11 @@
# this command runs a program $ARG1$ with no arguments and disables SSL support
define command {
command_name check_nrpe
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
}
# this command runs a program $ARG1$ with no arguments and enables SSL support # this command runs a program $ARG1$ with no arguments and enables SSL support
define command { define command {
command_name check_nrpe_ssl command_name check_nrpe
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
} }
# this command runs a program $ARG1$ with no arguments and disables SSL support
define command {
command_name check_nrpe_nossl
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
}
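Review bot: The comment on the `check_nrpe` definition that now runs without `-n` says it "enables SSL support", but the NEWS entry in this same commit explains that the default SSL mode, with no certificates configured in nrpe.cfg, uses pre-generated key data and does not verify the peer, which the comment does not convey. An admin choosing `check_nrpe` over `check_nrpe_nossl` should see that caveat at the definition, e.g. `# this command runs a program $ARG1$ with no arguments and enables SSL support (encryption only until certificates are configured in nrpe.cfg; see README.SSL.md)`. Which of the single-printed blocks is the removed `check_nrpe` with `-n` is inferred from the NEWS text rather than visible markers.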

2
debian/control vendored

@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 9),
libssl-dev, libssl-dev,
libwrap0-dev, libwrap0-dev,
openssl openssl
Standards-Version: 3.9.8 Standards-Version: 4.0.0
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git
Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git
Homepage: https://github.com/NagiosEnterprises/nrpe Homepage: https://github.com/NagiosEnterprises/nrpe

5
debian/copyright vendored

@ -4,8 +4,9 @@ Upstream-Contact: Nagios Users List <nagios-users@lists.nagios.com>
Source: https://github.com/NagiosEnterprises/nrpe Source: https://github.com/NagiosEnterprises/nrpe
Files: * Files: *
Copyright: 1999-2008, Ethan Galstad (nagios@nagios.org) Copyright: 2006-2017, Nagios Enterprises
2009, Nagios Core Development Team and Community Contributors 2016, Nagios Core Development Team
1999-2008, Ethan Galstad (nagios@nagios.org)
License: GPL-2+ with OpenSSL exception License: GPL-2+ with OpenSSL exception
Files: include/acl.h Files: include/acl.h


@ -5,9 +5,7 @@
# nrpe daemon. # nrpe daemon.
# #
# The -n option disables SSL support. # The -n option disables SSL support.
# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg! #NRPE_OPTS="-n"
# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
NRPE_OPTS="-n"
# NICENESS is if you want to run the server at a different nice() priority. # NICENESS is if you want to run the server at a different nice() priority.
# (only used by the init script) # (only used by the init script)
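Review bot: Commenting out `NRPE_OPTS="-n"` re-enables SSL by default, but the rewrite also drops the pointer to the SSL setup instructions, so the surviving `# The -n option disables SSL support.` no longer tells an admin where to configure certificates before relying on it. Keep the reference as a comment beside the commented-out option: `# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for configuring certificates.` The rest of the defaults file is outside the hunk.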


@ -19,5 +19,5 @@ ExecStopPost=/bin/rm -f /var/run/nagios/nrpe.pid
TimeoutStopSec=60 TimeoutStopSec=60
User=nagios User=nagios
Group=nagios Group=nagios
PrivateTmp=false PrivateTmp=true
OOMScoreAdjust=-500 OOMScoreAdjust=-500
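Review bot: `PrivateTmp=true` also gives every plugin nrpe spawns its own /tmp, a behaviour change for checks that exchange files with other services through the shared /tmp, and neither this hunk nor the changelog entries in this commit mention it. A one-line comment would make the intent explicit and give operators a hint where to look when such a check breaks: `# Private /tmp for nrpe and the plugins it runs; override in a drop-in if a check needs the shared one.` The remainder of the unit is outside the hunk.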


@ -5,10 +5,12 @@ Forwarded: not-needed
--- a/sample-config/nrpe.cfg.in --- a/sample-config/nrpe.cfg.in
+++ b/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in
@@ -317,3 +317,14 @@ command[check_total_procs]=@pluginsdir@/ @@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
#command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ #include_dir=<somedirectory>
#command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ #include_dir=<someotherdirectory>
+
+
+ +
+# local configuration: +# local configuration:
+# if you'd prefer, you can instead place directives here +# if you'd prefer, you can instead place directives here


@ -4,19 +4,19 @@ Forwarded: not-needed
--- a/SECURITY.md --- a/SECURITY.md
+++ b/SECURITY.md +++ b/SECURITY.md
@@ -82,14 +82,17 @@ daemon should run as. @@ -91,14 +91,17 @@ Encryption
#### ENCRYPTION #### ----------
If you do enable support for command arguments in the NRPE daemon, If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using: -make sure that you encrypt communications either by using:
- -
- 1. Stunnel (see http://www.stunnel.org for more info) - 1. Stunnel (see http://www.stunnel.org for more info)
- 2. Native SSL support (See the `README.SSL.md` file for more info) - 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
+make sure that you encrypt communications by using, for example, +make sure that you encrypt communications by using, for example,
+Stunnel (see http://www.stunnel.org for more info). +Stunnel (see http://www.stunnel.org for more info).
*Do NOT* assume that just because the daemon is behind a firewall Do **NOT** assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic! that you are safe! ***Always encrypt NRPE traffic!***
+NOTE: the currently shipped native SSL support of NRPE is not an +NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and +adequante protection, because it does not verify clients and
@ -24,5 +24,5 @@ Forwarded: not-needed
+advised against. For more information, see Debian bug #547092. +advised against. For more information, see Debian bug #547092.
+ +
#### USING ARGUMENTS #### Using Arguments
---------------


@ -0,0 +1,79 @@
Description: Use pre-generated dh.h for reproducible builds.
Author: Bas Couwenberg <sebastic@debian.org>
Bug-Debian: https://bugs.debian.org/834857
Forwarded: not-needed
--- /dev/null
+++ b/include/dh.h
@@ -0,0 +1,53 @@
+#ifndef HEADER_DH_H
+# include <openssl/dh.h>
+#endif
+
+DH *get_dh2048()
+{
+ static unsigned char dhp_2048[] = {
+ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA,
+ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73,
+ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48,
+ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8,
+ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97,
+ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1,
+ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62,
+ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA,
+ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3,
+ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3,
+ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E,
+ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57,
+ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD,
+ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93,
+ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC,
+ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8,
+ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7,
+ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73,
+ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51,
+ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26,
+ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2,
+ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9,
+ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32,
+ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E,
+ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF,
+ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B
+ };
+ static unsigned char dhg_2048[] = {
+ 0x02
+ };
+ DH *dh = DH_new();
+ BIGNUM *dhp_bn, *dhg_bn;
+
+ if (dh == NULL)
+ return NULL;
+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+ if (dhp_bn == NULL || dhg_bn == NULL
+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return NULL;
+ }
+ return dh;
+}
--- a/macros/ax_nagios_get_ssl
+++ b/macros/ax_nagios_get_ssl
@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then
# Find the openssl program
if test x$need_dh = xyes; then
- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
AC_DEFINE(USE_SSL_DH)
- # Generate DH parameters
- if test -f "$sslbin"; then
- echo ""
- echo "*** Generating DH Parameters for SSL/TLS ***"
- # awk to strip off meta data at bottom of dhparam output
- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
- fi
fi
fi
fi
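Review bot: The added `include/dh.h` bakes one 2048-bit DH group into every Debian build, and the patch header only says "reproducible builds"; it does not record that the group is therefore public and identical on all hosts (the reason the NEWS entry in this commit advises configuring certificates), nor how it was produced (the changelog says it was regenerated with OpenSSL 1.1.0, presumably via the `openssl dhparam -C 2048` command that the removed configure lines used). Suggest extending the Description with those two facts so the next refresh knows how to regenerate the header and why certificates remain necessary. Separately, `DH_set0_pqg` is only available from OpenSSL 1.1.0 on, while Build-Depends lists an unversioned `libssl-dev`, so the header would not compile against an older OpenSSL if a backport is ever attempted.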


@ -1,2 +1,3 @@
02_nrpe.cfg_local-include_support_nrpe.d.patch 02_nrpe.cfg_local-include_support_nrpe.d.patch
07_warn_ssloption.patch 07_warn_ssloption.patch
11_reproducible_dh.h.patch

7
debian/rules vendored

@ -12,7 +12,6 @@ export AUTOHEADER=true
%: %:
dh $@ --with autoreconf,systemd --parallel dh $@ --with autoreconf,systemd --parallel
# dh $@ --with autoreconf --parallel
override_dh_auto_configure: override_dh_auto_configure:
dh_auto_configure -- \ dh_auto_configure -- \
@ -22,11 +21,9 @@ override_dh_auto_configure:
--libexecdir=/usr/lib/nagios/plugins \ --libexecdir=/usr/lib/nagios/plugins \
--localstatedir=/var \ --localstatedir=/var \
--enable-ssl \ --enable-ssl \
--with-need-dh=no \ --with-logdir=/var/log \
--with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \ --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
--with-piddir=/var/run/nagios \ --with-piddir=/var/run/nagios
--enable-command-args \
--enable-bash-command-substitution
override_dh_auto_build: override_dh_auto_build:
dh_auto_build -- all dh_auto_build -- all
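Review bot: Judging from the 11-to-9 line counts in the second hunk, `--enable-command-args` and `--enable-bash-command-substitution` are on the removed side, so this build no longer accepts command arguments, yet the 3.2.1-1 changelog entry in this commit only mentions the new upstream release and patch refresh. That is a sensible hardening (the SECURITY.md patch in this commit warns about argument support), but it silently breaks deployments that rely on argument passing to the daemon, so it should be recorded in the changelog or in a comment above the configure flags, e.g. `# command arguments are deliberately not enabled; see SECURITY.md`. The `--with-need-dh=no` to `--with-logdir=/var/log` swap in the same hunk is already covered by the 3.2.0-x entries.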

3
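--- a/debian/tests/control
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+# Test installability
+Depends: @
+Test-Command: /bin/true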

6
debian/watch vendored

@ -1,5 +1,7 @@
version=3 version=3
opts=\ opts=\
dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\ dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g \ uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g,\
http://sf.net/nagios/nrpe-([\d\.]+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz))) filenamemangle=s/(?:.*?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))/nrpe-$1.$2/ \
https://github.com/NagiosEnterprises/nrpe/releases \
(?:.*?/archive\/)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))