Imported Debian patch 3.2.1-1

debian/NEWS

@@ -1,3 +1,28 @@
+nagios-nrpe (3.2.0-2) unstable; urgency=medium
+
+  The bug that caused the SSL support between NRPE 2.x and 3.x not
+  to work has been fixed.
+
+  Because the default SSL support without certificates configured
+  in nrpe.cfg uses pre-generated key data, configuring SSL
+  certificates is strongly advised when STunnel is not used.
+
+  The ssl-cert package can be used to generate a self-signed
+  certificate, but CA certificates like those from Let's Encrypt
+  are a better choice.
+
+  SSL support has been re-enabled by default, to be better compatible
+  with previous NRPE versions where SSL support was enabled by default
+  too.
+
+  The check_nrpe command definition has been updated to enable SSL
+  support (by removing the -n option) and the check_nrpe_ssl command
+  definition has been removed. The previous check_nrpe command
+  definition which disables SSL support is available with the new
+  check_nrpe_nossl command definition.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Fri, 07 Jul 2017 13:48:38 +0200
+
 nagios-nrpe (3.0.1-1) unstable; urgency=medium
 
   The check_nrpe command definition has been updated to remove the

debian/changelog

@@ -1,8 +1,48 @@
-nagios-nrpe (3.2.1-1) UNRELEASED; urgency=medium
+nagios-nrpe (3.2.1-1) unstable; urgency=medium
 
-  * New Version
+  * New upstream release.
+  * Drop patches included upstream, refresh remaining patches.
 
- -- Mario Fetka <mario.fetka@gmail.com>  Thu, 02 Nov 2017 09:56:43 +0100
+ -- Bas Couwenberg <sebastic@debian.org>  Sun, 03 Sep 2017 10:52:40 +0200
+
+nagios-nrpe (3.2.0-4) unstable; urgency=medium
+
+  * Add upstream patch to turn seteuid errors into warnings.
+    (closes: #868326)
+
+ -- Bas Couwenberg <sebastic@debian.org>  Fri, 14 Jul 2017 16:51:12 +0200
+
+nagios-nrpe (3.2.0-3) unstable; urgency=medium
+
+  * Re-enable SSL support by default.
+    Compatibility with older versions has been fixed.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Fri, 07 Jul 2017 14:08:13 +0200
+
+nagios-nrpe (3.2.0-2) unstable; urgency=medium
+
+  * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined.
+    Thanks to Johan Carlquist for pointing out this issue.
+  * Drop --with-need-dh=no configure option, dh is needed.
+  * Remove deterministic "openssl dhparam" output handling,
+    dh.h not included in upstream source.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Thu, 06 Jul 2017 14:33:39 +0200
+
+nagios-nrpe (3.2.0-1) unstable; urgency=medium
+
+  * New upstream release.
+    (closes: #565643)
+  * Bump Standards-Version to 4.0.0, no changes.
+  * Add autopkgtest to test installability.
+  * Set --with-logdir configure option to /var/log.
+  * Update watch file for GitHub releases.
+  * Update copyright file.
+  * Refresh patches.
+  * Reinstate 11_reproducible_dh.h.patch for reproducible dh.h.
+  * Regenerate dh.h with OpenSSL 1.1.0.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Wed, 05 Jul 2017 09:53:06 +0200
 
 nagios-nrpe (3.1.1-1) unstable; urgency=medium
 

debian/check_nrpe.cfg

@@ -1,11 +1,11 @@
-# this command runs a program $ARG1$ with no arguments and disables SSL support
-define command {
-	command_name	check_nrpe
-	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
-}
-
 # this command runs a program $ARG1$ with no arguments and enables SSL support
 define command {
-	command_name	check_nrpe_ssl
+	command_name	check_nrpe
 	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
 }
+
+# this command runs a program $ARG1$ with no arguments and disables SSL support
+define command {
+	command_name	check_nrpe_nossl
+	command_line	/usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
+}

debian/control

@@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 9),
                libssl-dev,
                libwrap0-dev,
                openssl
-Standards-Version: 3.9.8
+Standards-Version: 4.0.0
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git
 Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git
 Homepage: https://github.com/NagiosEnterprises/nrpe

debian/copyright

@@ -4,8 +4,9 @@ Upstream-Contact: Nagios Users List <nagios-users@lists.nagios.com>
 Source: https://github.com/NagiosEnterprises/nrpe
 
 Files: *
-Copyright: 1999-2008, Ethan Galstad (nagios@nagios.org)
-                2009, Nagios Core Development Team and Community Contributors
+Copyright: 2006-2017, Nagios Enterprises
+                2016, Nagios Core Development Team
+           1999-2008, Ethan Galstad (nagios@nagios.org)
 License: GPL-2+ with OpenSSL exception
 
 Files: include/acl.h

debian/nagios-nrpe-server.default

@@ -5,9 +5,7 @@
 # nrpe daemon.
 #
 # The -n option disables SSL support.
-# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
-# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
-NRPE_OPTS="-n"
+#NRPE_OPTS="-n"
 
 # NICENESS is if you want to run the server at a different nice() priority.
 # (only used by the init script)

debian/nagios-nrpe-server.service

@@ -19,5 +19,5 @@ ExecStopPost=/bin/rm -f /var/run/nagios/nrpe.pid
 TimeoutStopSec=60
 User=nagios
 Group=nagios
-PrivateTmp=false
+PrivateTmp=true
 OOMScoreAdjust=-500

debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch

@@ -5,10 +5,12 @@ Forwarded: not-needed
 
 --- a/sample-config/nrpe.cfg.in
 +++ b/sample-config/nrpe.cfg.in
-@@ -317,3 +317,14 @@ command[check_total_procs]=@pluginsdir@/
- #command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
- #command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
- #command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+@@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
+ 
+ #include_dir=<somedirectory>
+ #include_dir=<someotherdirectory>
++
++
 +
 +# local configuration:
 +# if you'd prefer, you can instead place directives here

debian/patches/07_warn_ssloption.patch

@@ -4,19 +4,19 @@ Forwarded: not-needed
 
 --- a/SECURITY.md
 +++ b/SECURITY.md
-@@ -82,14 +82,17 @@ daemon should run as.
- #### ENCRYPTION ####
+@@ -91,14 +91,17 @@ Encryption
+ ----------
  
  If you do enable support for command arguments in the NRPE daemon,
 -make sure that you encrypt communications either by using:
 -
 -   1.  Stunnel (see http://www.stunnel.org for more info)
--   2.  Native SSL support (See the `README.SSL.md` file for more info)
+-   2.  Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
 +make sure that you encrypt communications by using, for example,
 +Stunnel (see http://www.stunnel.org for more info).
  
- *Do NOT* assume that just because the daemon is behind a firewall
- that you are safe!  Always encrypt NRPE traffic!
+ Do **NOT** assume that just because the daemon is behind a firewall
+ that you are safe! ***Always encrypt NRPE traffic!***
  
 +NOTE: the currently shipped native SSL support of NRPE is not an
 +adequante protection, because it does not verify clients and
@@ -24,5 +24,5 @@ Forwarded: not-needed
 +advised against. For more information, see Debian bug #547092.
 +
  
- #### USING ARGUMENTS ####
- 
+ Using Arguments
+ ---------------

debian/patches/11_reproducible_dh.h.patch

@@ -0,0 +1,79 @@
+Description: Use pre-generated dh.h for reproducible builds.
+Author: Bas Couwenberg <sebastic@debian.org>
+Bug-Debian: https://bugs.debian.org/834857
+Forwarded: not-needed
+
+--- /dev/null
++++ b/include/dh.h
+@@ -0,0 +1,53 @@
++#ifndef HEADER_DH_H
++# include <openssl/dh.h>
++#endif
++
++DH *get_dh2048()
++{
++    static unsigned char dhp_2048[] = {
++	0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA, 
++	0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73, 
++	0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48, 
++	0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8, 
++	0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97, 
++	0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1, 
++	0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62, 
++	0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA, 
++	0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3, 
++	0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3, 
++	0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E, 
++	0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57, 
++	0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD, 
++	0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93, 
++	0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC, 
++	0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8, 
++	0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7, 
++	0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73, 
++	0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51, 
++	0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26, 
++	0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2, 
++	0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9, 
++	0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32, 
++	0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E, 
++	0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF, 
++	0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B
++    };
++    static unsigned char dhg_2048[] = {
++	0x02
++    };
++    DH *dh = DH_new();
++    BIGNUM *dhp_bn, *dhg_bn;
++
++    if (dh == NULL)
++        return NULL;
++    dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
++    dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
++    if (dhp_bn == NULL || dhg_bn == NULL
++            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++        DH_free(dh);
++        BN_free(dhp_bn);
++        BN_free(dhg_bn);
++        return NULL;
++    }
++    return dh;
++}
+--- a/macros/ax_nagios_get_ssl
++++ b/macros/ax_nagios_get_ssl
+@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then
+ 		# Find the openssl program
+ 
+ 		if test x$need_dh = xyes; then
+-			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ 			AC_DEFINE(USE_SSL_DH)
+-			# Generate DH parameters
+-			if test -f "$sslbin"; then
+-				echo ""
+-				echo "*** Generating DH Parameters for SSL/TLS ***"
+-				# awk to strip off meta data at bottom of dhparam output
+-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+-			fi
+ 		fi
+ 	fi
+ fi

debian/patches/series

@@ -1,2 +1,3 @@
 02_nrpe.cfg_local-include_support_nrpe.d.patch
 07_warn_ssloption.patch
+11_reproducible_dh.h.patch

debian/rules

@@ -12,7 +12,6 @@ export AUTOHEADER=true
 
 %:
 	    dh $@ --with autoreconf,systemd --parallel
-#	    dh $@ --with autoreconf --parallel
 
 override_dh_auto_configure:
 	dh_auto_configure -- \
@@ -22,11 +21,9 @@ override_dh_auto_configure:
 		--libexecdir=/usr/lib/nagios/plugins \
 		--localstatedir=/var \
 		--enable-ssl \
-		--with-need-dh=no \
+		--with-logdir=/var/log \
 		--with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
-		--with-piddir=/var/run/nagios \
-		--enable-command-args \
-		--enable-bash-command-substitution
+		--with-piddir=/var/run/nagios
 
 override_dh_auto_build:
 	dh_auto_build -- all

debian/tests/control

@@ -0,0 +1,3 @@
+# Test installability
+Depends: @
+Test-Command: /bin/true

debian/watch

@@ -1,5 +1,7 @@
 version=3
 opts=\
 dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\
-uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g \
-http://sf.net/nagios/nrpe-([\d\.]+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g,\
+filenamemangle=s/(?:.*?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))/nrpe-$1.$2/ \
+https://github.com/NagiosEnterprises/nrpe/releases \
+(?:.*?/archive\/)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))