Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package nrpe for openSUSE:Factory checked in at 2021-01-29 14:57:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nrpe (Old)
 and      /work/SRC/openSUSE:Factory/.nrpe.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nrpe" Fri Jan 29 14:57:33 2021 rev:13 rq:867677 version:4.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/nrpe/nrpe.changes 2020-08-14 13:11:42.445264560 +0200 +++ /work/SRC/openSUSE:Factory/.nrpe.new.28504/nrpe.changes 2021-01-29 14:57:49.605573805 +0100 
@@ -1,0 +2,43 @@ +Fri Jan 22 09:32:47 UTC 2021 - Lars Vogdt <[email protected]> + +- update to 4.0.3 + ENHANCEMENTS + * Added TLSv1.3 and TLSv1.3+ support for systems that have it (Nigel Yong, Rahul Golam) + * Added IPv6 ip address to list of default allow_from hosts (Troy Lea) + * Added -D option to disable logging to syslog (Tom Griep, Sebastian Wolf) + * Added -3 option to force check_nrpe to use NRPE v3 packets + * OpenRC: provide a default path for nrpe.cfg (Michael Orlitzky) + * OpenRC: Use RC_SVCNAME over a hard-coded PID file (j-licht) + FIXES + * Fixed nasty_metachars not being read from config file (#235) (Sebastian Wolf) + * Fixed buffer length calculations/writing past memory boundaries + on some systems (#227, #228) (Andreas Baumann, hariwe, Sebastian Wolf) + * Fixed use of uninitialized variable when validating requests (#229) (hariwe, Sebastian Wolf) + * Fixed syslog flooding with CRC-checking errors when both plugin + and agent were updated to version 4 (Sebastian Wolf) + * Checks for '!' 
now only occur inside the command buffer (Joni Eskelinen) + * NRPE daemon is more resilient to DOS attacks (Leonid Vasiliev) + * allowed_hosts will no longer test getaddrinfo records against the + wrong protocol (dombenson) + * nasty_metachars will now handle C escape sequences properly when + specified in the config file (Sebastian Wolf) + * Calculated packet sizes now struct padding/alignment when sending + and receiving messages (Sebastian Wolf) + * Buffer sizes are now checked before use in packet size calculation (Sebastian Wolf) + * When using include_dir, individual files' errors do not prevent + the remaining files from being read (Sebastian Wolf) +- refreshed the following patches: + * nrpe-implicit_declaration.patch + * nrpe-improved_help.patch + * nrpe_check_control.patch +- renamed and refreshed the following patches/sources: + * nrpe-3.2.1-disable-chkconfig_in_Makefile.patch + -> nrpe-disable-chkconfig_in_Makefile.patch + * nrpe-3.2.1-static_dh_parameters.patch + -> nrpe-static_dh_parameters.patch + * nrpe-3.2.1-dh.h -> nrpe-dh.h +- enhanced README.SUSE with some words about Apparmor +- added an include directive in usr.sbin.nrpe apparmor config + and a basic local/usr.sbin.nrpe file in the docu-directory + +------------------------------------------------------------------- Old: ---- nrpe-3.2.1-dh.h nrpe-3.2.1-disable-chkconfig_in_Makefile.patch nrpe-3.2.1-static_dh_parameters.patch nrpe-3.2.1.tar.bz2 New: ---- nrpe-4.0.3.tar.bz2 nrpe-dh.h nrpe-disable-chkconfig_in_Makefile.patch nrpe-static_dh_parameters.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nrpe.spec ++++++ --- /var/tmp/diff_new_pack.t9CzQu/_old 2021-01-29 14:57:50.349574900 +0100 +++ /var/tmp/diff_new_pack.t9CzQu/_new 2021-01-29 14:57:50.353574906 +0100 
@@ -1,7 +1,7 @@ # # spec file for package nrpe # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -38,7 +38,7 @@ %bcond_with reproducable %endif Name: nrpe -Version: 3.2.1 +Version: 4.0.3 Release: 0 Summary: Nagios Remote Plug-In Executor License: GPL-2.0-or-later @@ -54,7 +54,7 @@ Source11: README.SUSE.systemd-addon Source12: usr.sbin.nrpe Source13: nrpe.xml -Source14: nrpe-3.2.1-dh.h +Source14: nrpe-dh.h # PATCH-FIX-UPSTREAM improve help output of nrpe and check_nrpe Patch2: nrpe-improved_help.patch # PATCH-FIX-openSUSE fix pathnames for nrpe_check_control command @@ -62,9 +62,9 @@ # PATCH-FIX-UPSTREAM using implicit definitions of functions Patch5: nrpe-implicit_declaration.patch # PATCH-FIX-openSUSE patch used to NOT re-calculate dh.h parameters (for reproducable builds) -Patch6: nrpe-3.2.1-static_dh_parameters.patch +Patch6: nrpe-static_dh_parameters.patch # PATCH-FIX-openSUSE disable chkconfig call in Makefile -Patch7: nrpe-3.2.1-disable-chkconfig_in_Makefile.patch +Patch7: nrpe-disable-chkconfig_in_Makefile.patch BuildRequires: monitoring-plugins-common BuildRequires: nagios-rpm-macros Requires(pre): grep @@ -145,7 +145,7 @@ execution on the remote host for its own output and return code. %prep -%setup -q -n %{name}-%{name}-%{version} +%setup -q -n %{name}-%{version} %patch2 -p1 %patch4 -p1 %patch5 -p1 
@@ -268,6 +268,8 @@ install -Dm755 update-cfg.pl %{buildroot}/%{_defaultdocdir}/%{name}/examples/update-cfg.pl # ...and also the files we want in the main package install -m644 CHANGELOG.md README.SUSE README.md usr.sbin.nrpe %{buildroot}/%{_defaultdocdir}/%{name}/ +mkdir -p %{buildroot}/%{_defaultdocdir}/%{name}/local +echo "# Site-specific additions and overrides for 'usr.sbin.nrpe'" > %{buildroot}/%{_defaultdocdir}/%{name}/local/usr.sbin.nrpe # remove the uninstall script: this is done by RPM rm %{buildroot}/%{_sbindir}/nrpe-uninstall @@ -376,6 +378,8 @@ %doc %{_defaultdocdir}/%{name}/README.md %doc %{_defaultdocdir}/%{name}/CHANGELOG.md %doc %{_defaultdocdir}/%{name}/usr.sbin.nrpe +%dir %{_defaultdocdir}/%{name}/local +%doc %{_defaultdocdir}/%{name}/local/usr.sbin.nrpe %doc %{_defaultdocdir}/%{name}/examples/update-cfg.pl %{_mandir}/man8/nrpe.8%{?ext_man} %dir %{_sysconfdir}/nrpe.d ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.t9CzQu/_old 2021-01-29 14:57:50.389574959 +0100 +++ /var/tmp/diff_new_pack.t9CzQu/_new 2021-01-29 14:57:50.389574959 +0100 
@@ -43,4 +43,32 @@ will open the standard ports for SSH and NRPE on the external interface. += Apparmor and nrpe = + +You can find a working apparmor profile for /usr/sbin/nrpe right beside +this README.SUSE file. Please note that this (usr.sbin.nrpe) file has +an include for local changes. + +If you want to activate Apparmor protection for your nrpe binary, please +copy the usr.sbin.nrpe file together with the file in the local/-subdirectory +to the Apparmor configuration directory: + ~# cp /usr/share/doc/packages/nrpe/usr.sbin.nrpe /etc/apparmor.d/ + ~# cp /usr/share/doc/packages/nrpe/local/usr.sbin.nrpe /etc/apparmor.d/local/ +after that, please reload Apparmor and restart your NRPE daemon: + ~# rcapparmor reload + ~# rcnrpe try-restart + +Please remember that checks, that should be executed by NRPE, need an +entry in /etc/apparmor.d/local/usr.sbin.nrpe - you can already +find some examples in the /usr/share/doc/packages/nrpe/usr.sbin.nrpe file. + +If you encounter problems with the Apparmor profile, do not hesitate to +open a bugreport at https://bugzilla.opensuse.org/ + +You can debug your Apparmor profile by installing and activating auditd +and (after a restart of Apparmor and auditd) look into the log at: + /var/log/audit/audit.log + +----- + Have a lot of fun! ++++++ nrpe-3.2.1.tar.bz2 -> nrpe-4.0.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/CHANGELOG.md new/nrpe-4.0.3/CHANGELOG.md --- old/nrpe-nrpe-3.2.1/CHANGELOG.md 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/CHANGELOG.md 2020-04-28 23:10:40.000000000 +0200 
@@ -1,6 +1,46 @@ NRPE Changelog ============== +[4.0.3](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.3) - 2020-04-28 +--------------------------------------------------------------------------------------- +**FIXES** +- Fixed nasty_metachars not being read from config file (#235) (Sebastian Wolf) + +[4.0.2](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.2) - 2020-03-11 +--------------------------------------------------------------------------------------- +**FIXES** +- Fixed buffer length calculations/writing past memory boundaries on some systems (#227, #228) (Andreas Baumann, hariwe, Sebastian Wolf) +- Fixed use of uninitialized variable when validating requests (#229) (hariwe, Sebastian Wolf) + +[4.0.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.1) - 2020-01-22 +--------------------------------------------------------------------------------------- +**FIXES** +* Fixed syslog flooding with CRC-checking errors when both plugin and agent were updated to version 4 (Sebastian Wolf) + +[4.0.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.0) - 2019-01-13 +--------------------------------------------------------------------------------------- +Note: This update includes security fixes which affect both the check_nrpe plugin and +the NRPE daemon. The latest version of NRPE is still able to interoperate with previous +versions, but for best results, both programs should be updated. + +**ENHANCEMENTS** +* Added TLSv1.3 and TLSv1.3+ support for systems that have it (Nigel Yong, Rahul Golam) +* Added IPv6 ip address to list of default allow_from hosts (Troy Lea) +* Added -D option to disable logging to syslog (Tom Griep, Sebastian Wolf) +* Added -3 option to force check_nrpe to use NRPE v3 packets +* OpenRC: provide a default path for nrpe.cfg (Michael Orlitzky) +* OpenRC: Use RC_SVCNAME over a hard-coded PID file (j-licht) + +**FIXES** +* Checks for '!' 
now only occur inside the command buffer (Joni Eskelinen) +* NRPE daemon is more resilient to DOS attacks (Leonid Vasiliev) +* allowed_hosts will no longer test getaddrinfo records against the wrong protocol (dombenson) +* nasty_metachars will now handle C escape sequences properly when specified in the config file (Sebastian Wolf) +* Calculated packet sizes now struct padding/alignment when sending and receiving messages (Sebastian Wolf) +* Buffer sizes are now checked before use in packet size calculation (Sebastian Wolf) +* When using `include_dir`, individual files' errors do not prevent the remaining files from being read (Sebastian Wolf) + + [3.2.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.2.1) - 2017-08-31 --------------------------------------------------------------------------------------- **FIXES** diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/CONTRIBUTING.md new/nrpe-4.0.3/CONTRIBUTING.md --- old/nrpe-nrpe-3.2.1/CONTRIBUTING.md 1970-01-01 01:00:00.000000000 +0100 +++ new/nrpe-4.0.3/CONTRIBUTING.md 2020-04-28 23:10:40.000000000 +0200 
@@ -0,0 +1,164 @@ +# Contributing + +Thank you for considering contributing your time and effort to this Nagios project. +This document serves as our guidelines for contribution. Keep in mind that these +are simply *guidelines* - nothing here is set in stone. + +## Questions + +If you have a question, you don't need to file an Issue. You can simply connect +with the Nagios Support Team via the +[Nagios Support Forum](https://support.nagios.com/forum/). + +Not to say that you **can't** open an Issue - but you'll likely get a much faster +response by posting it on the forum. + +## Ideas + +If you have an idea your best bet is to open an Issue. This gets it on the radar much +quicker than any other method. + +First, let's define what an "Idea" really is. An Idea is simply an +[Enhancement](#enhancements) request in its infancy. +There's really nothing to it! + +Something as simple as "I think that this project should somehow connect with a +widget" is a valid Idea. + +These are unrefined and raw. That's why you open an issue - so everyone gets a chance +to chime in and come up with a plan! + +## Feedback + +Feedback can be given via several methods. The *easiest* method is by opening an Issue. +You're more than welcome to leave feedback on the +[Nagios Support Forum](https://support.nagios.com/forum/) as well. + +By opening an Issue, however, you're insuring that the maintainers and reviewers are +the first ones to see the feedback. In most cases, this is likely ideal. + +## Bugs + +Here's where it starts to get serious. + +Following the guidelines outlined in this section allows the maintainers, developers, and +community to understand and reproduce your bug report. + +Make sure to search existing open and closed [Issues](https://guides.github.com/features/issues/) +before opening a bug report. 
If you find a closed Issue that seems like it's the same +thing that you're experiencing, open a new Issue and include a link to the original Issue +in the body of the new one. + +**If you have a bug, you *NEED* to open an Issue.** + +Not only that, but when you open the Issue, this is what we ***absolutely require***: + +* Use a clear and concise title for the Issue to identify the problem accurately + +* Describe the bug with as much detail as you can + +* Include the version of the project containing the bug you're reporting + +* Include your operating system information (`uname -a`) + +* Include a list of third party modules that are installed and/or loaded + +* Explain the behavior you expected to see (and why) vs. what actually happened + +Once you've got that covered - there's still more to include if you want to +make a ***killer*** report: + +* Describe the ***exact steps*** that reproduce the problem + +* Provide **specific** examples to demonstrate those steps + +* If your bug is from an older version, make sure test against the latest (and/or the `maint` branch) + +* Include any screenshots that can help explain the issue + +* Include a file containing `strace` and/or `valgrind` output + +* Explain when the problem started happening: was it after an upgrade? or was it always present? + +* Define how reliably you can reproduce the bug + +* Any other information that you decide is relevant is also welcome + +## Enhancements + +An enhancement is either a completely new feature or an improvement to existing +functionality. We consider it to be a bit different than idea - based solely +on the fact that it's more detailed than an idea would be. + +So you've got an idea for an ehancement? Great! + +Following the guidelines outlined in this section allows maintainers, developers, and +the community to understand your enhancement and determine whether or not it's worth +doing and/or what's involved in carrying it out. 
+ +Make sure to search open and closed Issues and Pull Requests to determine if +someone has either submitted the enhancement. If you feel like your enhancement +is similar to one found, make sure to link the original in your request. + +Enhancements are submitted by opening an Issue. + +Unlike an [Idea](#idea), when you decide to submit your enhancement and open +the Issue, we require at least the following information: + +* Use a clear and descriptive title to illustrate the enhancement you're requesting + +* Describe the current behavior (if it exists) and what changes you think should be made + +* Explain the enhancement in detail - make sure it makes sense and is easily understandable + +* Specify why the enhancement would be useful and who it would be useful to + +* If there is some other project or program where this enhancement already exists, make sure +to link to it + +Beyond that, there are a few more things you can do to make sure you **really** get your +point across: + +* Create a mockup of the enhancement (if applicable) and attach whatever files you can + +* Provide a step-by-step description of the suggested enhancement + +* Generate a fully dressed use-case for the enhancement request + +* Create a specification for the preferred implementation of the enhancement + +* Include a timeline regarding development expectations towards the request + +## Submitting Code + +Everything else in this document has lead up to this moment - how can ***you*** submit +code to the **project**. + +We allow code submissions via [Pull Requests](https://help.github.com/articles/about-pull-requests/). +These let you (and us) discuss and review any changes to code in any repository you've made. + +How to create and manage Pull Requests is outside of the scope of this document, but make +sure to check out GitHub's official documentation ([link here](https://help.github.com/)) +to get a handle on it. 
+ +While you're forking the repository to create a patch or an enhancement, create a *new +branch* to make the change - it will be easier to submit a pull request using a new +branch in your forked repository! + +When you submit a Pull Request, make sure you follow the guidelines: + +* Make sure you're submitting to the proper branch. Branch `maint` is used for the +**next** bugfix release. The next enhancement release branch will vary. + +* ***NEVER*** submit a Pull Request to `master` branch. + +* Keep commit messages as concise as possible. +* Update the appropriate files in regards to your changes: + + * `CHANGES` + + * `THANKS` + +* End all committed files with a newline. + +* Test your changes and include the results as a comment. \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/README.md new/nrpe-4.0.3/README.md --- old/nrpe-nrpe-3.2.1/README.md 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/README.md 2020-04-28 23:10:40.000000000 +0200 @@ -2,11 +2,12 @@ [](https://travis-ci.org/NagiosEnterprises/nrpe) -NRPE -==== - -## Nagios Remote Plugin Executor + ???? ???? ???? +***Notice: As of NRPE version 4.0.1, this project is deprecated. It will not receive any more bugfixes or features, except to resolve security issues.*** + ???? ???? ???? +Nagios Remote Plugin Executor (NRPE) +==================================== For installation instructions and information on the design overview of the NRPE addon, please read the PDF documentation that is found in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/configure new/nrpe-4.0.3/configure --- old/nrpe-nrpe-3.2.1/configure 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/configure 2020-04-28 23:10:40.000000000 +0200 
@@ -2487,9 +2487,9 @@ PKG_NAME=nrpe -PKG_VERSION="3.2.1" +PKG_VERSION="4.0.3" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="2017-09-01" +PKG_REL_DATE="2020-04-28" RPM_RELEASE=1 LANG=C diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/configure.ac new/nrpe-4.0.3/configure.ac --- old/nrpe-nrpe-3.2.1/configure.ac 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/configure.ac 2020-04-28 23:10:40.000000000 +0200 @@ -11,9 +11,9 @@ AC_PREFIX_DEFAULT(/usr/local/nagios) PKG_NAME=nrpe -PKG_VERSION="3.2.1" +PKG_VERSION="4.0.3" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="2017-09-01" +PKG_REL_DATE="2020-04-28" RPM_RELEASE=1 LANG=C Binary files old/nrpe-nrpe-3.2.1/docs/NRPE.odt and new/nrpe-4.0.3/docs/NRPE.odt differ Binary files old/nrpe-nrpe-3.2.1/docs/NRPE.pdf and new/nrpe-4.0.3/docs/NRPE.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/include/common.h.in new/nrpe-4.0.3/include/common.h.in --- old/nrpe-nrpe-3.2.1/include/common.h.in 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/include/common.h.in 2020-04-28 23:10:40.000000000 +0200 @@ -37,8 +37,8 @@ # endif #endif -#define PROGRAM_VERSION "3.2.1" -#define MODIFICATION_DATE "2017-09-01" +#define PROGRAM_VERSION "4.0.3" +#define MODIFICATION_DATE "2020-04-28" #define OK 0 #define ERROR -1 
@@ -66,12 +66,23 @@ #define QUERY_PACKET 1 /* id code for a packet containing a query */ #define RESPONSE_PACKET 2 /* id code for a packet containing a response */ -#define NRPE_PACKET_VERSION_3 3 /* packet version identifier */ + +/* v4 takes struct padding into account, so the buffer "takes" 4 bytes + * v3 removes the 1 byte that "should" be allocated to buffer. + */ +#define NRPE_V4_PACKET_SIZE_OFFSET 4 +#define NRPE_V3_PACKET_SIZE_OFFSET 1 + +/* packet version identifiers */ +#define NRPE_PACKET_VERSION_4 4 /* Same as version 3, but accounts for struct padding in network code */ +#define NRPE_PACKET_VERSION_3 3 /* Allows for variable-length buffer */ #define NRPE_PACKET_VERSION_2 2 #define NRPE_PACKET_VERSION_1 1 /* older packet version identifiers (no longer supported) */ #define MAX_PACKETBUFFER_LENGTH 1024 /* amount of data to send in one query/response vor version 2 */ +#define NRPE_DEFAULT_PACKET_VERSION NRPE_PACKET_VERSION_4 + typedef struct _v2_packet { int16_t packet_version; int16_t packet_type; @@ -89,6 +100,8 @@ char buffer[1]; } v3_packet; +typedef v3_packet v4_packet; + /**************** OPERATING SYSTEM SPECIFIC DEFINITIONS **********/ #if defined(__sun) || defined(__hpux) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/include/nrpe.h new/nrpe-4.0.3/include/nrpe.h --- old/nrpe-nrpe-3.2.1/include/nrpe.h 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/include/nrpe.h 2020-04-28 23:10:40.000000000 +0200 
@@ -24,6 +24,8 @@ * ****************************************************************************/ +#include <limits.h> + typedef struct command_struct { char *command_name; char *command_line; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/include/utils.h new/nrpe-4.0.3/include/utils.h --- old/nrpe-nrpe-3.2.1/include/utils.h 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/include/utils.h 2020-04-28 23:10:40.000000000 +0200 @@ -49,5 +49,6 @@ void logit(int priority, const char *format, ...); void close_log_file(); void display_license(void); +extern int disable_syslog; #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/nrpe.spec.in new/nrpe-4.0.3/nrpe.spec.in --- old/nrpe-nrpe-3.2.1/nrpe.spec.in 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/nrpe.spec.in 2020-04-28 23:10:40.000000000 +0200 @@ -22,7 +22,7 @@ %define _sysconfdir /etc/nagios %define name @PACKAGE_NAME@ -%define version 3.2.1 +%define version 4.0.3 %define release @RPM_RELEASE@ %define nsusr @nrpe_user@ %define nsgrp @nrpe_group@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/sample-config/nrpe.cfg.in new/nrpe-4.0.3/sample-config/nrpe.cfg.in --- old/nrpe-nrpe-3.2.1/sample-config/nrpe.cfg.in 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/sample-config/nrpe.cfg.in 2020-04-28 23:10:40.000000000 +0200 @@ -270,7 +270,9 @@ # nasty_metachars="|`&><'\\[]{};\r\n" - +# This option allows you to enable or disable logging error messages to the syslog facilities. +# If this option is not set, the error messages will be logged. +disable_syslog=0 # COMMAND DEFINITIONS # Command definitions that this daemon will run. Definitions 
@@ -359,3 +361,9 @@ #include_dir=<somedirectory> #include_dir=<someotherdirectory> + +# KEEP ENVIRONMENT VARIABLES +# This directive allows you to retain specific variables from the environment +# when starting the NRPE daemon. + +#keep_env_vars=NRPE_MULTILINESUPPORT,NRPE_PROGRAMVERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/src/acl.c new/nrpe-4.0.3/src/acl.c --- old/nrpe-nrpe-3.2.1/src/acl.c 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/src/acl.c 2020-04-28 23:10:40.000000000 +0200 
@@ -544,31 +544,45 @@ if (!getaddrinfo(dns_acl_curr->domain, NULL, NULL, &res)) { for (ai = res; ai; ai = ai->ai_next) { + if (ai->ai_family == family) { + switch (ai->ai_family) { - switch(ai->ai_family) { + case AF_INET: + if (debug == TRUE) { + tmp.s_addr = ((struct in_addr *) host)->s_addr; + logit(LOG_INFO, "is_an_allowed_host (AF_INET): test match host >%s< " + "for allowed host >%s<\n", + inet_ntoa(tmp), dns_acl_curr->domain); + } - case AF_INET: - if(debug == TRUE) { - tmp.s_addr=((struct in_addr *)host)->s_addr; - logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " - "an allowed host >%s<\n", - inet_ntoa(tmp), dns_acl_curr->domain); - } + addr = (struct sockaddr_in *) (ai->ai_addr); + if (addr->sin_addr.s_addr == ((struct in_addr *) host)->s_addr) { + if (debug == TRUE) + logit(LOG_INFO, "is_an_allowed_host (AF_INET): " + "host is in allowed host list!"); + return 1; + } + break; - addr = (struct sockaddr_in*)(ai->ai_addr); - if (addr->sin_addr.s_addr == ((struct in_addr*)host)->s_addr) { - if (debug == TRUE) - logit(LOG_INFO, "is_an_allowed_host (AF_INET): " - "host is in allowed host list!"); - return 1; + case AF_INET6: + if (debug == TRUE) { + char formattedStr[INET6_ADDRSTRLEN]; + inet_ntop(ai->ai_family, (void *) &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr), + formattedStr, INET6_ADDRSTRLEN); + logit(LOG_INFO, "is_an_allowed_host (AF_INET6): test match host against >%s< " + "for allowed host >%s<\n", + formattedStr, dns_acl_curr->domain); + } + struct in6_addr *resolved = &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr); + memcpy((char *) &addr6, ai->ai_addr, sizeof(addr6)); + if (!memcmp(&addr6.sin6_addr, host, sizeof(addr6.sin6_addr))) { + if (debug == TRUE) + logit(LOG_INFO, "is_an_allowed_host (AF_INET6): " + "host is in allowed host list!"); + return 1; + } + break; } - break; - - case AF_INET6: - memcpy((char*)&addr6, ai->ai_addr, sizeof(addr6)); - if (!memcmp(&addr6.sin6_addr, &host, sizeof(addr6.sin6_addr))) - return 
1; - break; } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/src/check_nrpe.c new/nrpe-4.0.3/src/check_nrpe.c --- old/nrpe-nrpe-3.2.1/src/check_nrpe.c 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/src/check_nrpe.c 2020-04-28 23:10:40.000000000 +0200 @@ -65,8 +65,9 @@ int show_help = FALSE; int show_license = FALSE; int show_version = FALSE; -int packet_ver = NRPE_PACKET_VERSION_3; +int packet_ver = NRPE_DEFAULT_PACKET_VERSION; int force_v2_packet = 0; +int force_v3_packet = 0; int payload_size = 0; extern char *log_file; @@ -87,7 +88,7 @@ /* SSL/TLS parameters */ typedef enum _SSL_VER { SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, - TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus + TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus } SslVer; typedef enum _CLNT_CERTS { Ask_For_Cert = 1, Require_Cert = 2 } ClntCerts; @@ -129,6 +130,8 @@ #endif void alarm_handler(int); int graceful_close(int, int); +int disable_syslog = FALSE; + int main(int argc, char **argv) { @@ -175,7 +178,7 @@ if (result == -1) { /* Failure reading from remote, so try version 2 packet */ - logit(LOG_INFO, "Remote %s does not support Version 3 Packets", rem_host); + logit(LOG_INFO, "Remote %s does not support version 3/4 packets", rem_host); packet_ver = NRPE_PACKET_VERSION_2; /* Rerun the setup */ @@ -198,7 +201,7 @@ } if (result != -1 && force_v2_packet == 0 && packet_ver == NRPE_PACKET_VERSION_2) - logit(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); + logit(LOG_DEBUG, "Remote %s accepted a version %d packet", rem_host, packet_ver); close_log_file(); /* close the log file */ return result; 
@@ -224,6 +227,7 @@ {"no-ssl", no_argument, 0, 'n'}, {"unknown-timeout", no_argument, 0, 'u'}, {"v2-packets-only", no_argument, 0, '2'}, + {"v3-packets-only", no_argument, 0, '3'}, {"ipv4", no_argument, 0, '4'}, {"ipv6", no_argument, 0, '6'}, {"use-adh", required_argument, 0, 'd'}, @@ -241,6 +245,7 @@ {"license", no_argument, 0, 'l'}, {"version", no_argument, 0, 'V'}, {"stderr-to-stdout", no_argument, 0, 'E'}, + {"disable-syslog", no_argument, 0, 'D'}, {0, 0, 0, 0} }; #endif @@ -250,7 +255,7 @@ return ERROR; optind = 0; - snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:246hlnuVE"); + snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:2346hlnuVED"); while (1) { if (argindex > 0) @@ -366,14 +371,21 @@ break; case '2': - if (from_config_file && packet_ver != NRPE_PACKET_VERSION_3) { + if (from_config_file && packet_ver != NRPE_DEFAULT_PACKET_VERSION) { logit(LOG_WARNING, "WARNING: Command-line v2-packets-only (-2) overrides the config file option."); break; } packet_ver = NRPE_PACKET_VERSION_2; force_v2_packet = 1; break; - + case '3': + if (from_config_file && packet_ver != NRPE_DEFAULT_PACKET_VERSION) { + logit(LOG_WARNING, "Warning: Command-line v3-packets-only (-3) overrides the config file option."); + break; + } + packet_ver = NRPE_PACKET_VERSION_3; + force_v3_packet = 1; + break; case '4': if (from_config_file && address_family != AF_UNSPEC) { logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) or ipv6 (-6) overrides the config file option."); @@ -432,7 +444,11 @@ break; } - if (!strcmp(optarg, "TLSv1.2")) + if (!strcmp(optarg, "TLSv1.3")) + sslprm.ssl_proto_ver = TLSv1_3; + else if (!strcmp(optarg, "TLSv1.3+")) + sslprm.ssl_proto_ver = TLSv1_3_plus; + else if (!strcmp(optarg, "TLSv1.2")) sslprm.ssl_proto_ver = TLSv1_2; else if (!strcmp(optarg, "TLSv1.2+")) sslprm.ssl_proto_ver = TLSv1_2_plus; @@ -485,6 +501,11 @@ open_log_file(); break; + case 'D': + disable_syslog = TRUE; + break; + + default: return ERROR; } 
@@ -526,6 +547,11 @@ return ERROR; } + if (force_v2_packet && force_v3_packet) { + printf("Error: Only one of force_v2_packet (-2) and force_v3_packet (-3) can be specified.\n"); + return ERROR; + } + /* make sure required args were supplied */ if (server_name == NULL && show_help == FALSE && show_version == FALSE && show_license == FALSE) @@ -687,15 +713,16 @@ printf("SSL/TLS Available: OpenSSL 0.9.6 or higher required\n"); printf("\n"); #endif - printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"); + printf("Usage: check_nrpe -H <host> [-2] [-3] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"); printf(" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n"); printf(" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n"); printf(" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n"); - printf(" [-c <command>] [-E] [-a <arglist...>]\n"); + printf(" [-c <command>] [-E] [-D] [-a <arglist...>]\n"); printf("\n"); printf("Options:\n"); printf(" -H, --host=HOST The address of the host running the NRPE daemon\n"); - printf(" -2, --v2-packets-only Only use version 2 packets, not version 3\n"); + printf(" -2, --v2-packets-only Only use version 2 packets, not version 3/4\n"); + printf(" -3, --v3-packets-only Only use version 3 packets, not version 4\n"); printf(" -4, --ipv4 Bind to ipv4 only\n"); printf(" -6, --ipv6 Bind to ipv6 only\n"); printf(" -n, --no-ssl Do no use SSL\n"); @@ -708,6 +735,7 @@ printf(" (This will be the default in a future release.)\n"); printf(" 1 Allow Anonymous Diffie Hellman (default)\n"); printf(" 2 Force Anonymous Diffie Hellman\n"); + printf(" -D, --disable-syslog Disable logging to syslog facilities\n"); printf(" -P, --payload-size=SIZE Specify non-default payload size for NSClient++\n"); printf(" -S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:\n"); #if OPENSSL_VERSION_NUMBER < 0x10100000 
@@ -740,6 +768,7 @@ printf(" -a, --args=LIST Optional arguments that should be passed to the command,\n"); printf(" separated by a space. If provided, this must be the last\n"); printf(" option supplied on the command line.\n"); + printf(" -e Enable syslog debug messages.\n"); printf("\n"); printf(" NEW TIMEOUT SYNTAX\n"); printf(" -t, --timeout=INTERVAL:STATE\n"); @@ -811,6 +840,12 @@ case TLSv1_2_plus: val = "TLSv1_2_plus And Above"; break; + case TLSv1_3: + val = "TLSv1_3"; + break; + case TLSv1_3_plus: + val = "TLSv1_3_plus And Above"; + break; default: val = "INVALID VALUE!"; break; @@ -850,6 +885,10 @@ # ifdef SSL_TXT_TLSV1_2 if (sslprm.ssl_proto_ver == TLSv1_2) meth = TLSv1_2_client_method(); +# ifdef SSL_TXT_TLSV1_3 + if (sslprm.ssl_proto_ver == TLSv1_3) + meth = TLSv1_3_client_method(); +# endif /* ifdef SSL_TXT_TLSV1_3 */ # endif /* ifdef SSL_TXT_TLSV1_2 */ # endif /* ifdef SSL_TXT_TLSV1_1 */ @@ -865,6 +904,15 @@ SSL_CTX_set_max_proto_version(ctx, 0); switch(sslprm.ssl_proto_ver) { + case TLSv1_3: +#if OPENSSL_VERSION_NUMBER >= 0x10101000 + SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); +#endif + case TLSv1_3_plus: +#if OPENSSL_VERSION_NUMBER >= 0x10101000 + SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); + break; +#endif case TLSv1_2: SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); @@ -897,11 +945,14 @@ case SSLv2: case SSLv2_plus: break; + case TLSv1_3: + case TLSv1_3_plus: +#ifdef SSL_OP_NO_TLSv1_2 + ssl_opts |= SSL_OP_NO_TLSv1_2; +#endif case TLSv1_2: case TLSv1_2_plus: -#ifdef SSL_OP_NO_TLSv1_1 ssl_opts |= SSL_OP_NO_TLSv1_1; -#endif case TLSv1_1: case TLSv1_1_plus: ssl_opts |= SSL_OP_NO_TLSv1; 
@@ -1165,9 +1216,13 @@ } else { - pkt_size = (sizeof(v3_packet) - 1) + strlen(query) + 1; - if (pkt_size < sizeof(v2_packet)) + pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(query) + 1; + if (packet_ver == NRPE_PACKET_VERSION_3) { + pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(query) + 1; + } + if (pkt_size < sizeof(v2_packet)) { pkt_size = sizeof(v2_packet); + } v3_send_packet = calloc(1, pkt_size); send_pkt = (char *)v3_send_packet; @@ -1175,7 +1230,9 @@ v3_send_packet->packet_version = htons(packet_ver); v3_send_packet->packet_type = htons(QUERY_PACKET); v3_send_packet->alignment = 0; - v3_send_packet->buffer_length = htonl(pkt_size - sizeof(v3_packet) + 1); + v3_send_packet->buffer_length = pkt_size - sizeof(v3_packet); + v3_send_packet->buffer_length += (packet_ver == NRPE_PACKET_VERSION_4 ? NRPE_V4_PACKET_SIZE_OFFSET : NRPE_V3_PACKET_SIZE_OFFSET); + v3_send_packet->buffer_length = htonl(v3_send_packet->buffer_length); strcpy(&v3_send_packet->buffer[0], query); /* calculate the crc 32 value of the packet */ @@ -1197,10 +1254,12 @@ } #endif - if (v3_send_packet) + if (v3_send_packet) { free(v3_send_packet); - if (v2_send_packet) + } + if (v2_send_packet) { free(v2_send_packet); + } if (rc == -1) { printf("CHECK_NRPE: Error sending query to host.\n"); @@ -1214,10 +1273,11 @@ int read_response() { v2_packet *v2_receive_packet = NULL; + /* Note: v4 packets will use the v3_packet structure */ v3_packet *v3_receive_packet = NULL; u_int32_t packet_crc32; u_int32_t calculated_crc32; - int32_t pkt_size; + int32_t pkt_size, buffer_size; int rc, result; alarm(0); 
@@ -1243,32 +1303,50 @@ /* recv() error */ if (rc < 0) { - if (packet_ver == NRPE_PACKET_VERSION_3) { - if (v3_receive_packet) - free(v3_receive_packet); + if (v2_receive_packet) { + free(v2_receive_packet); + } + if (v3_receive_packet) { + free(v3_receive_packet); + } + if (packet_ver >= NRPE_PACKET_VERSION_3) { return -1; } - if (v2_receive_packet) - free(v2_receive_packet); return STATE_UNKNOWN; } else if (rc == 0) { /* server disconnected */ printf("CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.\n"); - if (packet_ver == NRPE_PACKET_VERSION_3) { - if (v3_receive_packet) { - free(v3_receive_packet); - } - } else if (v2_receive_packet) { + if (v3_receive_packet) { + free(v3_receive_packet); + } + if (v2_receive_packet) { free(v2_receive_packet); } return STATE_UNKNOWN; } /* check the crc 32 value */ - if (packet_ver == NRPE_PACKET_VERSION_3) { - pkt_size = (sizeof(v3_packet) - 1) + ntohl(v3_receive_packet->buffer_length); + if (packet_ver >= NRPE_PACKET_VERSION_3) { + + buffer_size = ntohl(v3_receive_packet->buffer_length); + if (buffer_size < 0 || buffer_size > 65536) { + printf("CHECK_NRPE: Response packet had invalid buffer size.\n"); + close(sd); + if (v3_receive_packet) { + free(v3_receive_packet); + } + if (v2_receive_packet) { + free(v2_receive_packet); + } + return STATE_UNKNOWN; + } + + pkt_size = sizeof(v3_packet); + pkt_size -= (packet_ver == NRPE_PACKET_VERSION_3 ? NRPE_V3_PACKET_SIZE_OFFSET : NRPE_V4_PACKET_SIZE_OFFSET); + pkt_size += buffer_size; + packet_crc32 = ntohl(v3_receive_packet->crc32_value); v3_receive_packet->crc32_value = 0L; v3_receive_packet->alignment = 0; 
@@ -1286,11 +1364,10 @@ if (packet_crc32 != calculated_crc32) { printf("CHECK_NRPE: Response packet had invalid CRC32.\n"); close(sd); - if (packet_ver == NRPE_PACKET_VERSION_3) { - if (v3_receive_packet) { - free(v3_receive_packet); - } - } else if (v2_receive_packet) { + if (v3_receive_packet) { + free(v3_receive_packet); + } + if (v2_receive_packet) { free(v2_receive_packet); } return STATE_UNKNOWN; @@ -1298,7 +1375,7 @@ /* get the return code from the remote plugin */ /* and print the output returned by the daemon */ - if (packet_ver == NRPE_PACKET_VERSION_3) { + if (packet_ver >= NRPE_PACKET_VERSION_3) { result = ntohs(v3_receive_packet->result_code); if (v3_receive_packet->buffer_length == 0) { printf("CHECK_NRPE: No output returned from daemon.\n"); @@ -1322,11 +1399,10 @@ } } - if (packet_ver == NRPE_PACKET_VERSION_3) { - if (v3_receive_packet) { - free(v3_receive_packet); - } - } else if (v2_receive_packet) { + if (v3_receive_packet) { + free(v3_receive_packet); + } + if (v2_receive_packet) { free(v2_receive_packet); } @@ -1348,14 +1424,13 @@ if (rc <= 0 || rc != bytes_to_recv) { if (rc < bytes_to_recv) { - if (packet_ver != NRPE_PACKET_VERSION_3) + if (packet_ver <= NRPE_PACKET_VERSION_3) printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv)); } return -1; } - packet_ver = ntohs(packet.packet_version); - if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) { + if (packet_ver != ntohs(packet.packet_version)) { printf("CHECK_NRPE: Invalid packet version received from server.\n"); return -1; } @@ -1398,6 +1473,10 @@ tot_bytes += rc; buffer_size = ntohl(buffer_size); + if (buffer_size < 0 || buffer_size > 65536) { + logit(LOG_ERR, "Error: Received packet with invalid buffer size"); + return -1; + } pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { logit(LOG_ERR, "Error: Could not allocate memory for packet"); 
@@ -1413,7 +1492,7 @@ rc = recvall(sock, buff_ptr, &bytes_to_recv, socket_timeout); if (rc <= 0 || rc != buffer_size) { - if (packet_ver == NRPE_PACKET_VERSION_3) { + if (packet_ver >= NRPE_PACKET_VERSION_3) { free(*v3_pkt); *v3_pkt = NULL; } else { @@ -1436,14 +1515,13 @@ if (rc <= 0 || rc != bytes_to_recv) { if (rc < bytes_to_recv) { - if (packet_ver != NRPE_PACKET_VERSION_3) + if (packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4) printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv)); } return -1; } - packet_ver = ntohs(packet.packet_version); - if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) { + if (packet_ver != ntohs(packet.packet_version)) { printf("CHECK_NRPE: Invalid packet version received from server.\n"); return -1; } @@ -1491,6 +1569,10 @@ tot_bytes += rc; buffer_size = ntohl(buffer_size); + if (buffer_size < 0 || buffer_size > 65536) { + logit(LOG_ERR, "Error: Received packet with invalid buffer size"); + return -1; + } pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { logit(LOG_ERR, "Error: Could not allocate memory for packet"); @@ -1512,12 +1594,11 @@ break; bytes_read += rc; bytes_to_recv -= rc; + tot_bytes += rc; } - buff_ptr[bytes_read] = 0; - if (rc < 0 || bytes_read != buffer_size) { - if (packet_ver == NRPE_PACKET_VERSION_3) { + if (packet_ver >= NRPE_PACKET_VERSION_3) { free(*v3_pkt); *v3_pkt = NULL; } else { 
@@ -1525,15 +1606,14 @@ *v2_pkt = NULL; } if (bytes_read != buffer_size) { - if (packet_ver == NRPE_PACKET_VERSION_3) { + if (packet_ver >= NRPE_PACKET_VERSION_3) { printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size)); } else { printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size)); } } return -1; - } else - tot_bytes += rc; + } } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/src/nrpe.c new/nrpe-4.0.3/src/nrpe.c --- old/nrpe-nrpe-3.2.1/src/nrpe.c 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/src/nrpe.c 2020-04-28 23:10:40.000000000 +0200 @@ -124,7 +124,7 @@ /* SSL/TLS parameters */ typedef enum _SSL_VER { SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1, - TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus + TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus } SslVer; typedef enum _CLNT_CERTS { @@ -148,11 +148,11 @@ SslLogging log_opts; } sslprm = { #if OPENSSL_VERSION_NUMBER >= 0x10100000 -NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging}; +NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging #else -NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging}; +NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging #endif - +}; #ifdef HAVE_SSL static int verify_callback(int ok, X509_STORE_CTX * ctx); @@ -160,6 +160,8 @@ static void complete_SSL_shutdown(SSL *); #endif +int disable_syslog = FALSE; + int main(int argc, char **argv) { int result = OK; 
@@ -329,6 +331,10 @@ # ifdef SSL_TXT_TLSV1_2 if (sslprm.ssl_proto_ver == TLSv1_2) meth = TLSv1_2_server_method(); +# ifdef SSL_TXT_TLSV1_3 + if (sslprm.ssl_proto_ver == TLSv1_3) + meth = TLSv1_3_server_method(); +# endif /* ifdef SSL_TXT_TLSV1_3 */ # endif /* ifdef SSL_TXT_TLSV1_2 */ # endif /* SSL_TXT_TLSV1_1 */ @@ -349,6 +355,15 @@ SSL_CTX_set_max_proto_version(ctx, 0); switch(sslprm.ssl_proto_ver) { + case TLSv1_3: +#if OPENSSL_VERSION_NUMBER >= 0x10101000 + SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); +#endif + case TLSv1_3_plus: +#if OPENSSL_VERSION_NUMBER >= 0x10101000 + SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); + break; +#endif case TLSv1_2: SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); @@ -381,11 +396,14 @@ case SSLv2: case SSLv2_plus: break; + case TLSv1_3: + case TLSv1_3_plus: +#ifdef SSL_OP_NO_TLSv1_2 + ssl_opts |= SSL_OP_NO_TLSv1_2; +#endif case TLSv1_2: case TLSv1_2_plus: -#ifdef SSL_OP_NO_TLSv1_1 ssl_opts |= SSL_OP_NO_TLSv1_1; -#endif case TLSv1_1: case TLSv1_1_plus: ssl_opts |= SSL_OP_NO_TLSv1; @@ -517,6 +535,12 @@ case TLSv1_2_plus: vers = "TLSv1_2 And Above"; break; + case TLSv1_3: + vers = "TLSv1_3"; + break; + case TLSv1_3_plus: + vers = "TLSv1_3 And Above"; + break; default: vers = "INVALID VALUE!"; break; 
@@ -745,6 +769,64 @@ } #endif +/* + * Given a string, convert any byte pairs representing an escape sequence (e.g. "\\r" into + * the single-byte metacharacter (e.g. '\r') + * Currently, this doesn't support octal/hex numbers or unicode code points (\n, \x, \u, \U) + */ +char* process_metachars(const char* input) +{ + char* copy = strdup(input); + int i,j; + int length = strlen(input); + for (i = 0, j = 0; i < length, j < length; i++, j++) { + if (copy[j] != '\\') { + copy[i] = copy[j]; + continue; + } + + j += 1; + switch (copy[j]) { + case 'a': + copy[i] = '\a'; + break; + case 'b': + copy[i] = '\b'; + break; + case 'f': + copy[i] = '\f'; + break; + case 'n': + copy[i] = '\n'; + break; + case 'r': + copy[i] = '\r'; + break; + case 't': + copy[i] = '\t'; + break; + case 'v': + copy[i] = '\v'; + break; + case '\\': + copy[i] = '\\'; + break; + case '\'': + copy[i] = '\''; + break; + case '"': + copy[i] = '\"'; + break; + case '?': + copy[i] = '\?'; + break; + } + } + copy[i] = '\0'; + + return copy; +} + /* read in the configuration file */ int read_config_file(char *filename) { @@ -881,6 +963,9 @@ else if (!strcmp(varname, "dont_blame_nrpe")) allow_arguments = (atoi(varvalue) == 1) ? TRUE : FALSE; + else if (!strcmp(varname, "disable_syslog")) + disable_syslog = (atoi(varvalue) == 1) ? TRUE : FALSE; + else if (!strcmp(varname, "allow_bash_command_substitution")) allow_bash_cmd_subst = (atoi(varvalue) == 1) ? TRUE : FALSE; @@ -926,7 +1011,11 @@ } } else if (!strcmp(varname, "ssl_version")) { - if (!strcmp(varvalue, "TLSv1.2")) + if (!strcmp(varvalue, "TLSv1.3")) + sslprm.ssl_proto_ver = TLSv1_3; + else if (!strcmp(varvalue, "TLSv1.3+")) + sslprm.ssl_proto_ver = TLSv1_3_plus; + else if (!strcmp(varvalue, "TLSv1.2")) sslprm.ssl_proto_ver = TLSv1_2; else if (!strcmp(varvalue, "TLSv1.2+")) sslprm.ssl_proto_ver = TLSv1_2_plus; 
@@ -1005,7 +1094,7 @@ keep_env_vars = strdup(varvalue); else if (!strcmp(varname, "nasty_metachars")) - nasty_metachars = strdup(varvalue); + nasty_metachars = process_metachars(varvalue); else if (!strcmp(varname, "log_file")) { log_file = strdup(varvalue); @@ -1074,11 +1163,7 @@ continue; /* process the config file */ - result = read_config_file(config_file); - - /* break out if we encountered an error */ - if (result == ERROR) - break; + result |= read_config_file(config_file); } /* recurse into subdirectories... */ @@ -1089,12 +1174,7 @@ continue; /* process the config directory */ - result = read_config_dir(config_file); - - /* break out if we encountered an error */ - if (result == ERROR) - break; - + result |= read_config_dir(config_file); } } @@ -1834,7 +1914,10 @@ } else { - pkt_size = (sizeof(v3_packet) - 1) + strlen(send_buff); + pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(send_buff) + 1; + if (packet_ver == NRPE_PACKET_VERSION_3) { + pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(send_buff) + 1; + } v3_send_packet = calloc(1, pkt_size); send_pkt = (char *)v3_send_packet; /* initialize response packet data */ @@ -1842,7 +1925,7 @@ v3_send_packet->packet_type = htons(RESPONSE_PACKET); v3_send_packet->result_code = htons(result); v3_send_packet->alignment = 0; - v3_send_packet->buffer_length = htonl(strlen(send_buff)); + v3_send_packet->buffer_length = htonl(strlen(send_buff) + 1); strcpy(&v3_send_packet->buffer[0], send_buff); /* calculate the crc 32 value of the packet */ 
@@ -1914,13 +1997,31 @@ char buffer[MAX_INPUT_BUFFER]; SSL *ssl = (SSL*)ssl_ptr; X509 *peer; - int rc, x; + int rc, x, sockfd, retval; + fd_set rfds; + struct timeval timeout; SSL_set_fd(ssl, sock); + sockfd = SSL_get_fd(ssl); + + FD_ZERO(&rfds); + FD_SET(sockfd, &rfds); + + timeout.tv_sec = connection_timeout; + timeout.tv_usec = 0; + /* keep attempting the request if needed */ - while (((rc = SSL_accept(ssl)) != 1) - && (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ)); + do { + retval = select(sockfd + 1, &rfds, NULL, NULL, &timeout); + + if (retval > 0) { + rc = SSL_accept(ssl); + } else { + logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: timeout %d seconds", remote_host, connection_timeout); + return ERROR; + } + } while (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ); if (rc != 1) { /* oops, got an unrecoverable error -- get out */ @@ -2010,7 +2111,7 @@ return -1; packet_ver = ntohs(v2_pkt->packet_version); - if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) { + if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_4) { logit(LOG_ERR, "Error: (use_ssl == false): Request packet version was invalid!"); return -1; } @@ -2037,6 +2138,10 @@ tot_bytes += rc; buffer_size = ntohl(buffer_size); + if (buffer_size < 0 || buffer_size > 65536) { + logit(LOG_ERR, "Error: (use_ssl == false): Received packet with invalid buffer size"); + return -1; + } pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { logit(LOG_ERR, "Error: (use_ssl == false): Could not allocate memory for packet"); 
@@ -2063,16 +2168,34 @@ #ifdef HAVE_SSL else { SSL *ssl = (SSL *) ssl_ptr; + int sockfd, retval; + fd_set rfds; + struct timeval timeout; - while (((rc = SSL_read(ssl, v2_pkt, bytes_to_recv)) <= 0) - && (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ)) { - } + sockfd = SSL_get_fd(ssl); + + FD_ZERO(&rfds); + FD_SET(sockfd, &rfds); + + timeout.tv_sec = connection_timeout; + timeout.tv_usec = 0; + + do { + retval = select(sockfd + 1, &rfds, NULL, NULL, &timeout); + + if (retval > 0) { + rc = SSL_read(ssl, v2_pkt, bytes_to_recv); + } else { + logit(LOG_ERR, "Error (!log_opts): Could not complete SSL_read with %s: timeout %d seconds", remote_host, connection_timeout); + return -1; + } + } while (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ); if (rc <= 0 || rc != bytes_to_recv) return -1; packet_ver = ntohs(v2_pkt->packet_version); - if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) { + if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_4) { logit(LOG_ERR, "Error: (use_ssl == true): Request packet version was invalid!"); return -1; } @@ -2081,7 +2204,13 @@ buffer_size = sizeof(v2_packet) - common_size; buff_ptr = (char *)v2_pkt + common_size; } else { - int32_t pkt_size = sizeof(v3_packet) - 1; + int32_t pkt_size = sizeof(v3_packet); + if (packet_ver == NRPE_PACKET_VERSION_3) { + pkt_size -= NRPE_V3_PACKET_SIZE_OFFSET; + } + else if (packet_ver == NRPE_PACKET_VERSION_4) { + pkt_size -= NRPE_V4_PACKET_SIZE_OFFSET; + } /* Read the alignment filler */ bytes_to_recv = sizeof(int16_t); @@ -2104,6 +2233,10 @@ tot_bytes += rc; buffer_size = ntohl(buffer_size); + if (buffer_size < 0 || buffer_size > 65536) { + logit(LOG_ERR, "Error: (use_ssl == true): Received packet with invalid buffer size"); + return -1; + } pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { logit(LOG_ERR, "Error: (use_ssl == true): Could not allocate memory for packet"); 
@@ -2606,6 +2739,7 @@ { u_int32_t packet_crc32; u_int32_t calculated_crc32; + int32_t pkt_size, buffer_size; char *buff, *ptr; int rc; #ifdef ENABLE_COMMAND_ARGUMENTS @@ -2613,8 +2747,14 @@ #endif /* check the crc 32 value */ - if (packet_ver == NRPE_PACKET_VERSION_3) { - int32_t pkt_size = (sizeof(v3_packet) - 1) + ntohl(v3pkt->buffer_length); + if (packet_ver >= NRPE_PACKET_VERSION_3) { + + buffer_size = ntohl(v3pkt->buffer_length); + + pkt_size = sizeof(v3_packet); + pkt_size -= (packet_ver == NRPE_PACKET_VERSION_3 ? NRPE_V3_PACKET_SIZE_OFFSET : NRPE_V4_PACKET_SIZE_OFFSET); + pkt_size += buffer_size; + packet_crc32 = ntohl(v3pkt->crc32_value); v3pkt->crc32_value = 0L; v3pkt->alignment = 0; @@ -2637,7 +2777,7 @@ } /* make sure buffer is terminated */ - if (packet_ver == NRPE_PACKET_VERSION_3) { + if (packet_ver >= NRPE_PACKET_VERSION_3) { int32_t l = ntohs(v3pkt->buffer_length); v3pkt->buffer[l - 1] = '\x0'; buff = v3pkt->buffer; @@ -2653,7 +2793,7 @@ } /* make sure request doesn't contain nasties */ - if (packet_ver == NRPE_PACKET_VERSION_3) + if (packet_ver >= NRPE_PACKET_VERSION_3) rc = contains_nasty_metachars(v3pkt->buffer); else rc = contains_nasty_metachars(v2pkt->buffer); @@ -2663,7 +2803,7 @@ } /* make sure the request doesn't contain arguments */ - if (strchr(v2pkt->buffer, '!')) { + if (strchr(buff, '!')) { #ifdef ENABLE_COMMAND_ARGUMENTS if (allow_arguments == FALSE) { logit(LOG_ERR, "Error: Request contained command arguments, but argument option is not enabled!"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/src/utils.c new/nrpe-4.0.3/src/utils.c --- old/nrpe-nrpe-3.2.1/src/utils.c 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/src/utils.c 2020-04-28 23:10:40.000000000 +0200 @@ -537,7 +537,6 @@ if (!format || !*format) return; - va_start(ap, format); if(vasprintf(&buffer, format, ap) > 0) { if (log_fp) { 
@@ -549,8 +548,9 @@ fprintf(log_fp, "[%llu] %s\n", (unsigned long long)log_time, buffer); fflush(log_fp); - } else + } else if (!disable_syslog) { syslog(priority, "%s", buffer); + } free(buffer); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/startup/default-xinetd.in new/nrpe-4.0.3/startup/default-xinetd.in --- old/nrpe-nrpe-3.2.1/startup/default-xinetd.in 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/startup/default-xinetd.in 2020-04-28 23:10:40.000000000 +0200 @@ -10,6 +10,6 @@ group = @nrpe_group@ server = @sbindir@/nrpe server_args = -c @pkgsysconfdir@/nrpe.cfg --inetd - only_from = 127.0.0.1 + only_from = 127.0.0.1 ::1 log_on_success = } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/startup/openrc-init.in new/nrpe-4.0.3/startup/openrc-init.in --- old/nrpe-nrpe-3.2.1/startup/openrc-init.in 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/startup/openrc-init.in 2020-04-28 23:10:40.000000000 +0200 @@ -3,15 +3,19 @@ # Copyright (c) 2017 Nagios(R) Core(TM) Development Team # +# Supply a default value for NRPE_CFG in case the corresponding +# conf.d file is not installed. +: ${NRPE_CFG:="@sysconfdir@/nrpe.cfg"} + command="@sbindir@/nrpe" command_args="--config=${NRPE_CFG} ${NRPE_OPTS}" command_args_background="--daemon" description="Nagios Remote Plugin Executor (NRPE) daemon" extra_started_commands="reload" -pidfile="@piddir@/nrpe.pid" +pidfile="@piddir@/${RC_SVCNAME}.pid" reload() { - ebegin "Reloading ${SVCNAME}" + ebegin "Reloading ${RC_SVCNAME}" start-stop-daemon --signal HUP --pidfile "${pidfile}" eend $? } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nrpe-nrpe-3.2.1/update-version new/nrpe-4.0.3/update-version --- old/nrpe-nrpe-3.2.1/update-version 2017-09-01 15:59:54.000000000 +0200 +++ new/nrpe-4.0.3/update-version 2020-04-28 23:10:40.000000000 +0200 
@@ -28,10 +28,10 @@ fi # Current version number -CURRENTVERSION=3.2.1 +CURRENTVERSION=4.0.3 # Last date -LASTDATE=2017-09-01 +LASTDATE=2020-04-28 if [ "x$1" = "x" ] then ++++++ nrpe-dh.h ++++++ #ifndef HEADER_DH_H # include <openssl/dh.h> #endif DH *get_dh2048() { static unsigned char dhp_2048[] = { 0xED, 0x49, 0xA6, 0x2E, 0xB7, 0x99, 0xA6, 0x48, 0x89, 0x13, 0xA0, 0xC9, 0xB2, 0xF5, 0x43, 0xB3, 0xD5, 0x03, 0x53, 0x42, 0x83, 0xB5, 0xC0, 0x14, 0x92, 0x8A, 0x3A, 0xC2, 0x51, 0xC8, 0x7C, 0xE9, 0xA2, 0x5E, 0x90, 0x6F, 0x5C, 0xB6, 0xA7, 0xC6, 0x4B, 0x6D, 0x61, 0x84, 0x03, 0xC8, 0x13, 0x22, 0xBA, 0x77, 0x55, 0x7C, 0x49, 0x90, 0xED, 0xE9, 0x3E, 0x2D, 0xF1, 0x3C, 0xC8, 0xEF, 0x2E, 0x86, 0x33, 0x63, 0x7D, 0x2D, 0x3E, 0x9A, 0xED, 0xDE, 0x99, 0x54, 0x08, 0xDC, 0x1B, 0xBC, 0xD9, 0x76, 0x42, 0xCE, 0x13, 0x5A, 0xA7, 0x7C, 0xFE, 0xFE, 0x8C, 0xD1, 0xDF, 0xF8, 0xB5, 0x16, 0xBF, 0x69, 0x60, 0xDA, 0xA3, 0xFC, 0xC0, 0x4C, 0xF2, 0xD1, 0x72, 0x5B, 0x50, 0x4E, 0x2C, 0x38, 0x0E, 0xC6, 0x24, 0xBF, 0x6A, 0x6D, 0x76, 0x17, 0x76, 0x15, 0x2A, 0x84, 0x4A, 0xF0, 0xBD, 0x2D, 0xBF, 0x57, 0xB9, 0xB2, 0x90, 0x35, 0x82, 0x2D, 0x5E, 0x48, 0x72, 0x1F, 0x69, 0xD7, 0x5C, 0x62, 0x1F, 0xA3, 0xA7, 0x9B, 0x8C, 0x1D, 0xF3, 0xFA, 0xF3, 0x49, 0x1E, 0x86, 0x17, 0x29, 0x9D, 0x60, 0xE7, 0xCF, 0xC8, 0x9F, 0x3F, 0x51, 0xA2, 0xF6, 0xDD, 0xDF, 0xE1, 0xB3, 0xF2, 0x79, 0x0F, 0x59, 0x52, 0x19, 0xCB, 0x70, 0xE8, 0x2C, 0xA7, 0xF9, 0x92, 0xBB, 0x6A, 0x27, 0x24, 0x34, 0x80, 0x8E, 0x4E, 0x03, 0x2B, 0xD8, 0x5C, 0xF3, 0xCE, 0x64, 0xF7, 0xFE, 0x64, 0xBC, 0x87, 0x17, 0xE7, 0x52, 0x44, 0xDE, 0x3C, 0x5F, 0xA4, 0x96, 0xB7, 0x6A, 0x91, 0x46, 0x3F, 0x03, 0x76, 0xB6, 0x0A, 0x8C, 0x68, 0x99, 0x60, 0x6B, 0x7E, 0xFB, 0x7A, 0x60, 0xF1, 0xB7, 0x39, 0xFF, 0xF5, 0xF2, 0xA3, 0xD2, 0x5A, 0x10, 0x8A, 0x1B, 0x94, 0x68, 0x01, 0x6B, 0xB5, 0xF8, 0x86, 0xA7, 0x9B, 0x5B, 0x95, 0x90, 0xC2, 0x33 }; static unsigned char dhg_2048[] = { 0x02 }; DH *dh = DH_new(); BIGNUM *dhp_bn, *dhg_bn; if (dh == NULL) return NULL; dhp_bn = BN_bin2bn(dhp_2048, 
sizeof(dhp_2048), NULL); dhg_bn = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL); if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { DH_free(dh); BN_free(dhp_bn); BN_free(dhg_bn); return NULL; } return dh; } ++++++ nrpe-disable-chkconfig_in_Makefile.patch ++++++ Index: nrpe-4.0.3/Makefile.in =================================================================== --- nrpe-4.0.3.orig/Makefile.in +++ nrpe-4.0.3/Makefile.in @@ -128,13 +128,7 @@ install-init: elif test $(INIT_TYPE) = launchd; then\ launchctl load $(INIT_DIR)/$(INIT_FILE); \ else\ - if test -f /sbin/chkconfig ; then \ - case "$(DESTDIR)" in */rpmbuild/*) break;; \ - *)/sbin/chkconfig nrpe on;; \ - esac; \ - else\ - echo "Make sure to enable the nrpe daemon";\ - fi;\ + echo "Make sure to enable the nrpe daemon";\ fi;\ fi ++++++ nrpe-implicit_declaration.patch ++++++ --- /var/tmp/diff_new_pack.t9CzQu/_old 2021-01-29 14:57:50.713575435 +0100 +++ /var/tmp/diff_new_pack.t9CzQu/_new 2021-01-29 14:57:50.713575435 +0100 @@ -1,7 +1,7 @@ -Index: nrpe-nrpe-3.2.1/contrib/nrpe_check_control.c +Index: nrpe-4.0.3/contrib/nrpe_check_control.c =================================================================== ---- nrpe-nrpe-3.2.1.orig/contrib/nrpe_check_control.c -+++ nrpe-nrpe-3.2.1/contrib/nrpe_check_control.c +--- nrpe-4.0.3.orig/contrib/nrpe_check_control.c ++++ nrpe-4.0.3/contrib/nrpe_check_control.c @@ -1,4 +1,5 @@ #include <stdio.h> +#include <stdlib.h> ++++++ nrpe-improved_help.patch ++++++ --- /var/tmp/diff_new_pack.t9CzQu/_old 2021-01-29 14:57:50.721575447 +0100 +++ /var/tmp/diff_new_pack.t9CzQu/_new 2021-01-29 14:57:50.721575447 +0100 
@@ -1,23 +1,25 @@ -diff -urN nrpe-nrpe-3.2.1.orig/src/check_nrpe.c nrpe-nrpe-3.2.1/src/check_nrpe.c ---- nrpe-nrpe-3.2.1.orig/src/check_nrpe.c 2017-09-01 15:59:54.000000000 +0200 -+++ nrpe-nrpe-3.2.1/src/check_nrpe.c 2017-12-05 11:49:35.220046000 +0100 -@@ -740,6 +740,7 @@ - printf(" -a, --args=LIST Optional arguments that should be passed to the command,\n"); +Index: nrpe-4.0.3/src/check_nrpe.c +=================================================================== +--- nrpe-4.0.3.orig/src/check_nrpe.c ++++ nrpe-4.0.3/src/check_nrpe.c +@@ -769,6 +769,7 @@ void usage(int result) printf(" separated by a space. If provided, this must be the last\n"); printf(" option supplied on the command line.\n"); -+ printf(" -h, --help = Print this short help.\n"); + printf(" -e Enable syslog debug messages.\n"); ++ printf(" -h, --help Print this short help.\n"); printf("\n"); printf(" NEW TIMEOUT SYNTAX\n"); printf(" -t, --timeout=INTERVAL:STATE\n"); -diff -urN nrpe-nrpe-3.2.1.orig/src/nrpe.c nrpe-nrpe-3.2.1/src/nrpe.c ---- nrpe-nrpe-3.2.1.orig/src/nrpe.c 2017-09-01 15:59:54.000000000 +0200 -+++ nrpe-nrpe-3.2.1/src/nrpe.c 2017-12-05 11:48:42.508215000 +0100 -@@ -570,6 +570,8 @@ +Index: nrpe-4.0.3/src/nrpe.c +=================================================================== +--- nrpe-4.0.3.orig/src/nrpe.c ++++ nrpe-4.0.3/src/nrpe.c +@@ -594,6 +594,8 @@ void usage(int result) printf("Options:\n"); printf(" -V, --version Print version info and quit\n"); printf(" -n, --no-ssl Do not use SSL\n"); -+ printf(" -h, --help = Print this short help.\n"); -+ printf(" -l,--license = Print licensing information.\n"); ++ printf(" -h, --help Print this short help.\n"); ++ printf(" -l,--license Print licensing information.\n"); printf(" -c, --config=FILE Name of config file to use\n"); printf(" -4, --ipv4 Use ipv4 only\n"); printf(" -6, --ipv6 Use ipv6 only\n"); ++++++ nrpe-static_dh_parameters.patch ++++++ Index: nrpe-4.0.3/macros/ax_nagios_get_ssl 
=================================================================== --- nrpe-4.0.3.orig/macros/ax_nagios_get_ssl +++ nrpe-4.0.3/macros/ax_nagios_get_ssl @@ -292,10 +292,15 @@ if test x$SSL_TYPE != xNONE; then AC_DEFINE(USE_SSL_DH) # Generate DH parameters if test -f "$sslbin"; then - echo "" - echo "*** Generating DH Parameters for SSL/TLS ***" - # awk to strip off meta data at bottom of dhparam output - $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + if test -f include/dh.h ; then + echo "" + echo "*** Skipping generation of DH Parameters for SSL/TLS: include/dh.h already exists ***" + else + echo "" + echo "*** Generating DH Parameters for SSL/TLS ***" + # awk to strip off meta data at bottom of dhparam output + $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + fi fi fi fi Index: nrpe-4.0.3/configure =================================================================== --- nrpe-4.0.3.orig/configure +++ nrpe-4.0.3/configure @@ -7722,10 +7722,15 @@ fi # Generate DH parameters if test -f "$sslbin"; then - echo "" - echo "*** Generating DH Parameters for SSL/TLS ***" - # awk to strip off meta data at bottom of dhparam output - $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + if test -f include/dh.h ; then + echo "" + echo "*** Skipping generation of DH Parameters for SSL/TLS: include/dh.h already exists ***" + else + echo "" + echo "*** Generating DH Parameters for SSL/TLS ***" + # awk to strip off meta data at bottom of dhparam output + $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + fi fi fi fi ++++++ nrpe_check_control.patch ++++++ --- /var/tmp/diff_new_pack.t9CzQu/_old 2021-01-29 14:57:50.777575529 +0100 +++ /var/tmp/diff_new_pack.t9CzQu/_new 2021-01-29 14:57:50.777575529 +0100 
@@ -1,7 +1,7 @@ -Index: nrpe-3.1.1/contrib/nrpe_check_control.c +Index: nrpe-4.0.3/contrib/nrpe_check_control.c =================================================================== ---- nrpe-3.1.1.orig/contrib/nrpe_check_control.c -+++ nrpe-3.1.1/contrib/nrpe_check_control.c +--- nrpe-4.0.3.orig/contrib/nrpe_check_control.c ++++ nrpe-4.0.3/contrib/nrpe_check_control.c @@ -5,8 +5,8 @@ #define MAX_CHARS 1024 #define SERVICE_COUNT 12 ++++++ usr.sbin.nrpe ++++++ --- /var/tmp/diff_new_pack.t9CzQu/_old 2021-01-29 14:57:50.793575553 +0100 +++ /var/tmp/diff_new_pack.t9CzQu/_new 2021-01-29 14:57:50.793575553 +0100 @@ -37,4 +37,7 @@ /proc/sys/crypto/fips_enabled r, /etc/hosts.allow r, /etc/hosts.deny r, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.nrpe> }
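Review bot: In the `switch(sslprm.ssl_proto_ver)` hunks (src/check_nrpe.c @@ -865,6 +904,15 @@ and src/nrpe.c @@ -349,6 +355,15 @@), the `break;` for `case TLSv1_3_plus:` sits inside `#if OPENSSL_VERSION_NUMBER >= 0x10101000`. A build against an older OpenSSL therefore falls through into `case TLSv1_2:` and sets the maximum to `TLS1_2_VERSION` even though the configuration asked for TLSv1.3. Move the `break;` outside the `#if`, and reject the setting with an error when TLS 1.3 is requested but not available. The fall-through from `case TLSv1_3:` into `case TLSv1_3_plus:` looks deliberate (max, then min); a `/* fall through */` comment would make that explicit.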
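Review bot: In the `ssl_opts` hunks (src/check_nrpe.c @@ -897,11 +945,14 @@ and src/nrpe.c @@ -381,11 +396,14 @@), the `#ifdef SSL_OP_NO_TLSv1_1` guard around `ssl_opts |= SSL_OP_NO_TLSv1_1;` is dropped while the new `SSL_OP_NO_TLSv1_2` line gets a guard of its own. If the old guard existed for OpenSSL builds that lack the macro, those builds no longer compile. Keep both guards, or state the new minimum OpenSSL version in the changelog.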
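Review bot: In `process_metachars()` (src/nrpe.c @@ -745,6 +769,64 @@), the loop condition `i < length, j < length` uses the comma operator, so `i < length` is evaluated and discarded; `j < length` alone is what is meant, since `i` never exceeds `j`. The `switch` has no `default:`, so an unsupported escape such as `\x`, or a trailing backslash, leaves `copy[i]` holding whatever byte was already at that position and drops the escaped character from the resulting nasty_metachars set. Add a `default:` that either copies the character literally or rejects the config value. The `strdup()` result is also used without a NULL check, and the header comment lists `\n` as unsupported although `case 'n'` handles it.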
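Review bot: In the request-version checks in src/nrpe.c (@@ -2010,7 +2111,7 @@ and @@ -2063,16 +2168,34 @@), the condition `packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_4` rejects version 3 requests, yet the same patch adds `-3` to check_nrpe and, in @@ -2081,7 +2204,13 @@, a `packet_ver == NRPE_PACKET_VERSION_3` branch for `pkt_size` that this check makes unreachable. If v3 clients are still supported, accept `NRPE_PACKET_VERSION_3` here as well; if they are not, drop the dead v3 branch and say so in the changelog.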
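Review bot: In the new `select()` loops around `SSL_accept()` (src/nrpe.c @@ -1914,13 +1997,31 @@) and `SSL_read()` (@@ -2063,16 +2168,34 @@), every `retval <= 0` is reported as a timeout, so a `select()` failure (`-1`, for example on `EINTR`) is logged as "timeout %d seconds". Handle `retval < 0` separately and log `errno`. `rfds` and `timeout` are initialized once before the loop, but `select()` may modify both, so re-arm them on each iteration. The loops also wait only for readability and continue only on `SSL_ERROR_WANT_READ`; note in a comment that `SSL_ERROR_WANT_WRITE` is treated as a hard failure. The log strings carry what looks like a leftover tag, `(!log_opts)`.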
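Review bot: In the "make sure buffer is terminated" hunk (src/nrpe.c @@ -2637,7 +2777,7 @@), the length is read with `ntohs(v3pkt->buffer_length)` although the field is written with `htonl()` and read with `ntohl()` everywhere else in this patch. `l` is therefore not the real length, and `v3pkt->buffer[l - 1] = '\x0';` indexes before the buffer when `l` is 0. The preceding hunk already computes `buffer_size = ntohl(v3pkt->buffer_length)`; reuse it here and reject `buffer_size < 1` before writing the terminator. That hunk also omits the `buffer_size < 0 || buffer_size > 65536` bound that the receive paths now apply.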
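Review bot: The src/utils.c hunk @@ -537,7 +537,6 @@ removes `va_start(ap, format);` directly above `vasprintf(&buffer, format, ap)`. Nothing in the visible context shows another `va_start`, and reading `ap` without one is undefined behaviour. Confirm that a `va_start` remains earlier in the function, with a matching `va_end` after `free(buffer)`, or restore this line.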
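Review bot: In src/check_nrpe.c the two copies of the header-underflow check now disagree: @@ -1348,14 +1424,13 @@ uses `packet_ver <= NRPE_PACKET_VERSION_3`, while @@ -1436,14 +1515,13 @@ uses `packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4`, so the same short read prints the message on one receive path and stays silent on the other. Use one predicate for both. The message also prints `sizeof(bytes_to_recv)` as the expected count with `%ld`; `bytes_to_recv` itself is presumably the intended value, and a `size_t` needs `%zu`.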
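Review bot: nrpe-dh.h combined with nrpe-static_dh_parameters.patch means every build of this package uses the same fixed 2048-bit DH group, because `configure` now skips `dhparam` generation whenever `include/dh.h` already exists. The header carries no comment on how or when the prime was generated. Add that provenance to nrpe-dh.h or README.SUSE, together with a note on how a site can build with its own parameters.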
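Review bot: In the usr.sbin.nrpe hunk (@@ -37,4 +37,7 @@), `#include <local/usr.sbin.nrpe>` is a hard include, so the profile fails to load if no file exists at that path under the AppArmor directory. Confirm the package installs at least an empty local/usr.sbin.nrpe there, or use `include if exists` where the AppArmor version supports it. The comment refers to local/README; check that this file is present on the target system.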
