Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

To fix the incompatibility between NRPE 2.x and 3.x releases when SSL support is enabled, I'd like to propose the following update.

There was a bug in the patch for reproducible builds which disabled the DH support, causing SSL support without certificates configured not to work.

This issue is discussed in the following upstream issue:

https://github.com/NagiosEnterprises/nrpe/issues/113

Thanks to Johan Carlquist for reporting the fix.

Because previous versions of NRPE in Debian and the package as built by other distributions use SSL by default, the SSL support has been enabled by default in the Debian package again too.

With these proposed changes users upgrading from jessie to stretch don't have to reconfigure their monitoring environment to disable SSL. Users that have already reconfigured their monitoring environment to disable SSL for NRPE can either leave it as-is, or re-enable the SSL support for NRPE too.

Kind Regards,

Bas

diff -Nru nagios-nrpe-3.0.1/debian/changelog nagios-nrpe-3.0.1/debian/changelog --- nagios-nrpe-3.0.1/debian/changelog 2016-12-24 10:24:09.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/changelog 2017-07-07 14:15:25.000000000 +0200 @@ -1,3 +1,13 @@ +nagios-nrpe (3.0.1-3+deb9u1) stretch; urgency=medium + + * Update branch in gbp.conf & Vcs-Git URL. + * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined. + Thanks to Johan Carlquist for pointing out this issue. + * Re-enable SSL support by default. + Compatibility with older versions has been fixed. + + -- Bas Couwenberg <[email protected]> Fri, 07 Jul 2017 14:15:25 +0200 + nagios-nrpe (3.0.1-3) unstable; urgency=medium * Add reload command to systemd service file. diff -Nru nagios-nrpe-3.0.1/debian/check_nrpe.cfg nagios-nrpe-3.0.1/debian/check_nrpe.cfg --- nagios-nrpe-3.0.1/debian/check_nrpe.cfg 2016-12-23 23:23:21.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/check_nrpe.cfg 2017-07-07 14:13:19.000000000 +0200 @@ -1,11 +1,11 @@ -# this command runs a program $ARG1$ with no arguments and disables SSL support +# this command runs a program $ARG1$ with no arguments and enables SSL support define command { command_name check_nrpe - command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n + command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ } -# this command runs a program $ARG1$ with no arguments and enables SSL support +# this command runs a program $ARG1$ with no arguments and disables SSL support define command { - command_name check_nrpe_ssl - command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ + command_name check_nrpe_nossl + command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n } diff -Nru nagios-nrpe-3.0.1/debian/control nagios-nrpe-3.0.1/debian/control --- nagios-nrpe-3.0.1/debian/control 2016-12-23 23:23:21.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/control 2017-07-07 14:13:11.000000000 +0200 
@@ -11,7 +11,7 @@ openssl Standards-Version: 3.9.8 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git -Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git +Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git -b stretch Homepage: https://github.com/NagiosEnterprises/nrpe Package: nagios-nrpe-server diff -Nru nagios-nrpe-3.0.1/debian/gbp.conf nagios-nrpe-3.0.1/debian/gbp.conf --- nagios-nrpe-3.0.1/debian/gbp.conf 2016-12-23 23:23:21.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/gbp.conf 2017-07-07 14:13:11.000000000 +0200 @@ -6,7 +6,7 @@ # The default name for the Debian branch is "master". # Change it if the name is different (for instance, "debian/unstable"). -debian-branch = master +debian-branch = stretch # git-import-orig uses the following names for the upstream tags. # Change the value if you are not using git-import-orig diff -Nru nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default --- nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default 2016-12-23 23:23:21.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/nagios-nrpe-server.default 2017-07-07 14:13:19.000000000 +0200 @@ -5,9 +5,7 @@ # nrpe daemon. # # The -n option disables SSL support. -# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg! -# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions. -NRPE_OPTS="-n" +#NRPE_OPTS="-n" # NICENESS is if you want to run the server at a different nice() priority. # (only used by the init script) diff -Nru nagios-nrpe-3.0.1/debian/NEWS nagios-nrpe-3.0.1/debian/NEWS --- nagios-nrpe-3.0.1/debian/NEWS 2016-12-23 23:23:21.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/NEWS 2017-07-07 14:15:00.000000000 +0200 
@@ -1,3 +1,28 @@ +nagios-nrpe (3.0.1-3+deb9u1) stretch; urgency=medium + + The bug that caused the SSL support between NRPE 2.x and 3.x not + to work has been fixed. + + Because the default SSL support without certificates configured + in nrpe.cfg uses pre-generated key data, configuring SSL + certificates is strongly advised when STunnel is not used. + + The ssl-cert package can be used to generate a self-signed + certificate, but CA certificates like those from Let's Encrypt + are a better choice. + + SSL support has been re-enabled by default, to be better compatible + with previous NRPE versions where SSL support was enabled by default + too. + + The check_nrpe command definition has been updated to enable SSL + support (by removing the -n option) and the check_nrpe_ssl command + definition has been removed. The previous check_nrpe command + definition which disables SSL support is available with the new + check_nrpe_nossl command definition. + + -- Bas Couwenberg <[email protected]> Fri, 07 Jul 2017 13:48:38 +0200 + nagios-nrpe (3.0.1-1) unstable; urgency=medium The check_nrpe command definition has been updated to remove the diff -Nru nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch --- nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch 2016-12-23 23:23:21.000000000 +0100 +++ nagios-nrpe-3.0.1/debian/patches/11_reproducible_dh.h.patch 2017-07-07 14:13:11.000000000 +0200 
@@ -47,14 +47,21 @@ + { DH_free(dh); return(NULL); } + return(dh); + } ---- a/configure.ac -+++ b/configure.ac -@@ -307,7 +307,7 @@ AC_ARG_ENABLE([ssl], - dnl Optional SSL library and include paths - if test x$check_for_ssl = xyes; then - # need_dh should only be set for NRPE -- need_dh=yes -+ need_dh=no - AC_NAGIOS_GET_SSL - fi +--- a/macros/ax_nagios_get_ssl ++++ b/macros/ax_nagios_get_ssl +@@ -287,15 +287,7 @@ if test x$SSL_TYPE != xNONE; then + # Find the openssl program + if test x$need_dh = xyes; then +- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH) + AC_DEFINE(USE_SSL_DH) +- # Generate DH parameters +- if test -f "$sslbin"; then +- echo "" +- echo "*** Generating DH Parameters for SSL/TLS ***" +- # awk to strip off meta data at bottom of dhparam output +- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h +- fi + fi + fi + fi
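
Review bot: In debian/check_nrpe.cfg the `check_nrpe_ssl` command definition is removed outright, so any existing service definition that references it points at a command this file no longer defines after the stable update. Keep a `check_nrpe_ssl` definition with the same command_line as the new `check_nrpe` (without `-n`) as a compatibility alias next to the new `check_nrpe_nossl`. The changed meaning of `check_nrpe` also deserves its own line in debian/changelog, which currently only says "Re-enable SSL support by default."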
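
Review bot: In debian/nagios-nrpe-server.default the reference to /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz is dropped together with the warning, while the NEWS entry in this same diff strongly advises configuring certificates because the default uses pre-generated key data. Keep the README.SSL.md.gz pointer beside the commented `#NRPE_OPTS="-n"` and reword the comment to say that running without `-n` and without certificates in nrpe.cfg relies on that pre-generated key data.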
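
Review bot: In debian/patches/11_reproducible_dh.h.patch the new hunk against macros/ax_nagios_get_ssl removes the `openssl dhparam -C 2048` generation step but keeps `AC_DEFINE(USE_SSL_DH)`, so include/dh.h always comes from the static copy this patch adds. If the patch header does not already say so, it should state that the DH parameters are fixed and identical in every build and how they were produced, so the reproducibility trade-off is documented where the parameters live. With `AC_PATH_PROG` gone, the context comment "# Find the openssl program" above `if test x$need_dh = xyes` is stale and could be removed or reworded in the same hunk.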

