Bug#756479: [Pkg-nagios-devel] Bug#756479: Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-11-07 Thread Alexander Wirt
On Mon, 07 Nov 2016, Thorsten Eggert wrote:

> Hi Alex,
> I would call myself an experienced programmer, I also ran into trouble with
> this and debugged more time than it's worth...
You should not in any kind use this security flawed feature, however:

> How can I get the maintainer of this package?
https://www.debian.org/doc/manuals/debian-faq/ch-contributing.en.html and ask
for membership of pkg-nagios on alioth. 

Alex



Bug#756479: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-11-07 Thread Thorsten Eggert

Hi Alex,
I would call myself an experienced programmer, I also ran into trouble 
with this and debugged more time than it's worth...


How can I get the maintainer of this package?


greetings

Thorsten



Bug#756479: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-09-07 Thread diego.roc...@gmail.com
I too am experiencing big problems with this change. It blocked all my
Debian 8 upgrade.
It doesn't make sense to remove a feature because it can be used the wrong
way.

-- 
Diego Roccia
diego.roccia (at) gmail (dot) com


Bug#756479: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-05-10 Thread Alexander Wirt
On Tue, 10 May 2016, Falk Brockerhoff wrote:

> Alex,
> 
> I understand that you aren’t happy as the maintainer of this package. 
> Unfortunately I don’t have any coding skills, so that I’m not able to support 
> you. Sorry for this.
> 
> But I’m a user of this package and really do need the „dont_blame_nrpe“. Why 
> can’t you just put it back in? It was you, who disabled this configuration 
> option. I do not ask you to correct another man’s mistake.
It wasn't a mistake.

It was on purpose, the right decision and decided together with the security
team.

Alex



Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-05-10 Thread Falk Brockerhoff
Alex,

I understand that you aren’t happy as the maintainer of this package. 
Unfortunately I don’t have any coding skills, so that I’m not able to support 
you. Sorry for this.

But I’m a user of this package and really do need the „dont_blame_nrpe“. Why 
can’t you just put it back in? It was you, who disabled this configuration 
option. I do not ask you to correct another man’s mistake.

Regards,

Falk


Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-04-23 Thread Alexander Wirt
On Sat, 23 Apr 2016, Jan Tomasek wrote:

> Hi,
> 
> I'm another one who spent some time examining why after upgrade is nrpe
> not working.
> 
> I've read whole thread about this Bug#756479 and can't find any
> reference to description how to exploit nagios-nrpe-server with
> 
> dont_blame_nrpe=0
> allow_bash_command_substitution=0
> 
> I've been searching for CVE at
> https://www.cvedetails.com/vulnerability-list/vendor_id-1424/Nagios.html
> and only relevant is https://www.cvedetails.com/cve/CVE-2014-2913/
> 
> but again no way how to exploit when this functionality is disabled -
> which is by default in config file. I would prefer to have back package
> which does not require recompiling.
> 
> Please take this mail as another voice for returning functionality back
> into Debian package.
And just to say it again, the package is orphaned. Anyone is free to bring it
back.

Alex



Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2016-04-23 Thread Jan Tomasek
Hi,

I'm another one who spent some time examining why after upgrade is nrpe
not working.

I've read whole thread about this Bug#756479 and can't find any
reference to description how to exploit nagios-nrpe-server with

dont_blame_nrpe=0
allow_bash_command_substitution=0

I've been searching for CVE at
https://www.cvedetails.com/vulnerability-list/vendor_id-1424/Nagios.html
and only relevant is https://www.cvedetails.com/cve/CVE-2014-2913/

but again no way how to exploit when this functionality is disabled -
which is by default in config file. I would prefer to have back package
which does not require recompiling.

Please take this mail as another voice for returning functionality back
into Debian package.

Best regards
-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/



Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2015-07-12 Thread Alexander Wirt
On Sun, 12 Jul 2015, Patrik Schindler wrote:

> Hello,
> 
> following the discussion, I see no other option for me than recompile nrpe 
> with command args enabled and set it to hold.
> 
> About the arguments flowing between the participants of this bug report: I 
> don't know about prior discussions. Most Debian users don't know about these. 
> And I think people like Jan Huijsmans and Michal Zelinka are unnecessarily 
> rude. I understand Alexander Wirt. Maintaining software he was somehow 
> pestered into only to get beaten off with decision he made and is supported 
> by the Debian security team is not a nice thing.
> 
> Now everyone is pissed and nrpe_server is orphan. Also not a good way.
> 
> But I must agree that (from the user's point) silently disabling a feature 
> some people were relying on without any warning is not a good way. What 
> *could* have been done in this case was utilizing a message pop up like some 
> other packages do when substantial and incompatible changes in the software 
> were about to happen with the installation. Could have saved me debugging 
> time.
Like the news entry?:
nagios-nrpe (2.15-1) unstable; urgency=high

This update disables the command-args support in nrpe. The feature
has several security problems and is often used wrong. If you have to
use this feature recompile the package with --enable-command-args
in debian/rules.

-- Alexander Wirt formo...@debian.org  Tue, 15 Jul 2014 09:52:48 +0200

In a properly configured system with apt-listchanges, this is a popup.

Alex


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2015-07-12 Thread Patrik Schindler
Hello,

following the discussion, I see no other option for me than recompile nrpe with 
command args enabled and set it to hold.

About the arguments flowing between the participants of this bug report: I don't 
know about prior discussions. Most Debian users don't know about these. And I 
think people like Jan Huijsmans and Michal Zelinka are unnecessarily rude. I 
understand Alexander Wirt. Maintaining software he was somehow pestered into 
only to get beaten off with decision he made and is supported by the Debian 
security team is not a nice thing.

Now everyone is pissed and nrpe_server is orphan. Also not a good way.

But I must agree that (from the user's point) silently disabling a feature 
some people were relying on without any warning is not a good way. What *could* 
have been done in this case was utilizing a message pop up like some other 
packages do when substantial and incompatible changes in the software were about 
to happen with the installation. Could have saved me debugging time.

:wq! PoC





Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2014-08-03 Thread Michal Zelinka
Dear god. Yeah, I see, it just happened. It just happened that ignorants and
fools like you just got that privilege to be part of such an important software
project like Debian is. Unfortunately. This mentality of yours and similar is
even more dangerous than a paid “feel-free-to-destroy-everything” stupid
mentality invented in Red Hat.

I wish Debian could return back to its bright era again, when it was taken as
the most serious player on a Linux field, having a power to produce healthy and
useful ideas.

This really is NOT the way.

On Thu, 31 Jul 2014 17:19:23 +0200 Alexander Wirt formo...@debian.org wrote:
> On Thu, 31 Jul 2014, Jan Huijsmans wrote:
> 
> > So you solve ignorant users by disabling a feature of the software
> > package. That would leave the choice between recompiling every time
> > there is an update to fix the crippled package, stay at the 2.13 level or
> > ditch Debian after 18 years.
> As said, feel free to take over the work. I never wanted to maintain nrpe, it
> just happened.
> 
> Alex
 
 





Bug#756479: [Pkg-nagios-devel] Bug#756479: Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2014-08-03 Thread Alexander Wirt
On Sun, 03 Aug 2014, Michal Zelinka wrote:

> Dear god. Yeah, I see, it just happened. It just happened that ignorants and
> fools like you just got that privilege to be part of such an important
> software project like Debian is. Unfortunately. This mentality of yours and
> similar is even more dangerous than a paid “feel-free-to-destroy-everything”
> stupid mentality invented in Red Hat.
So that's it. Feel free to take whatever crap you want. 

Consider nrpe orphaned. I won't touch it again. 

Alex





Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2014-07-31 Thread Jan Huijsmans
So you solve ignorant users by disabling a feature of the software
package. That would leave the choice between recompiling every time
there is an update to fix the crippled package, stay at the 2.13 level or
ditch Debian after 18 years.

On 30/07/14 13:57, Alexander Wirt wrote:
> tag 756479 wontfix
> thanks
> 
> On Wed, 30 Jul 2014, Jan Huijsmans wrote:
> 
> > Package: nagios-nrpe-server
> > Version: 2.15-1
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> > *** Reporter, please consider answering these questions, where appropriate ***
> > 
> >    * What led up to the situation?
> > 
> > Upgrade from 2.13-3.1 to 2.15-1
> > 
> >    * What exactly did you do (or not do) that was effective (or
> >      ineffective)?
> > 
> > Downgrade to 2.13-3
> > 
> >    * What was the outcome of this action?
> > 
> > Listens to dont_blame_nrpe again.
> > 
> >    * What outcome did you expect instead?
> > 
> > From the upgrade, that this wouldn't break.
> This change is on intention. Please read the NEWS file.
> 
> Alex
 


-- 
---

Jan Huijsmans  huysm...@koffie.nu

... cannot activate /dev/brain, no response from main coffee server





Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2014-07-31 Thread Alexander Wirt
On Thu, 31 Jul 2014, Jan Huijsmans wrote:

> So you solve ignorant users by disabling a feature of the software
> package. That would leave the choice between recompiling every time
> there is an update to fix the crippled package, stay at the 2.13 level or
> ditch Debian after 18 years.
As said, feel free to take over the work. I never wanted to maintain nrpe, it
just happened.

Alex





Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2014-07-30 Thread Jan Huijsmans
Package: nagios-nrpe-server
Version: 2.15-1
Severity: important

Dear Maintainer,


*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Upgrade from 2.13-3.1 to 2.15-1

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Downgrade to 2.13-3

   * What was the outcome of this action?

Listens to dont_blame_nrpe again.

   * What outcome did you expect instead?

From the upgrade, that this wouldn't break.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (60, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.ISO8859-15, LC_CTYPE=en_US.ISO8859-15 (charmap=ISO-8859-15) (ignored: LC_ALL set to en_US.ISO8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages nagios-nrpe-server depends on:
ii  adduser      3.113+nmu3
ii  libc6        2.19-7
ii  libssl1.0.0  1.0.1h-3
ii  libwrap0     7.6.q-25
ii  lsb-base     4.1+Debian13

Versions of packages nagios-nrpe-server recommends:
ii  nagios-plugins        1.5-3
ii  nagios-plugins-basic  1.5-3

nagios-nrpe-server suggests no packages.

-- Configuration Files:
/etc/nagios/nrpe.cfg changed:
log_facility=daemon
pid_file=/var/run/nrpe.pid
server_port=5666
server_address=*
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=*
 
dont_blame_nrpe=1
allow_bash_command_substitution=0
debug=0
command_timeout=60
connection_timeout=300
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 
include=/etc/nagios/nrpe_local.cfg
include_dir=/etc/nagios/nrpe.d/

/etc/nagios/nrpe_local.cfg changed:
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_load]=/usr/lib/nagios/plugins/check_load --warning=$ARG1$,$ARG2$,$ARG3$ --critical=$ARG4$,$ARG5$,$ARG6$
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$
command[check_mailq_postfix]=/usr/lib/nagios/plugins/check_mailq -w $ARG1$ -c $ARG2$ -M postfix
command[check_apt]=/usr/bin/sudo /usr/local/sbin/check-apt-upgrade.pl --run-apt
command[check_raid]=/usr/local/sbin/nagios_raid


-- no debconf information
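
An added example, not part of the thread or of the package: a small Python check that lists which NRPE command definitions rely on $ARGn$ macros, that is, the definitions affected once command-args support is compiled out as the 2.15-1 NEWS entry describes. The sample configuration is constructed from the excerpts in the report above, and the function names are this example's own.

```python
import re

# Constructed sample, condensed from the nrpe.cfg and nrpe_local.cfg excerpts
# in the bug report above (wrapped lines rejoined).
SAMPLE_CFG = """\
dont_blame_nrpe=1
allow_bash_command_substitution=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
include=/etc/nagios/nrpe_local.cfg
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_load]=/usr/lib/nagios/plugins/check_load --warning=$ARG1$,$ARG2$,$ARG3$ --critical=$ARG4$,$ARG5$,$ARG6$
command[check_raid]=/usr/local/sbin/nagios_raid
"""

ARG_MACRO = re.compile(r"\$ARG(\d+)\$")
COMMAND_KEY = re.compile(r"command\[([^\]]+)\]")

def parse_nrpe_cfg(text):
    """Split key=value lines into plain settings and command definitions."""
    settings, commands = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = COMMAND_KEY.fullmatch(key)
        if match:
            commands.append((match.group(1), value))
        else:
            settings.append((key, value))
    return settings, commands

def audit(text):
    """Report which command definitions depend on client-supplied arguments."""
    settings, commands = parse_nrpe_cfg(text)
    flags = dict(settings)  # a repeated key keeps its last value here
    needs_args = {}         # command name -> highest $ARGn$ index it uses
    for name, cmdline in commands:
        indexes = [int(n) for n in ARG_MACRO.findall(cmdline)]
        if indexes:
            needs_args[name] = max(indexes)
    return {
        "args_requested": flags.get("dont_blame_nrpe") == "1",
        "bash_substitution": flags.get("allow_bash_command_substitution") == "1",
        "includes": [v for k, v in settings if k in ("include", "include_dir")],
        "needs_args": needs_args,
        "fixed": [name for name, _ in commands if name not in needs_args],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

Entries under "needs_args" are the checks to rewrite with thresholds fixed on the server side; files named under "includes" have to be run through the same check separately.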





Bug#756479: [Pkg-nagios-devel] Bug#756479: nagios-nrpe-server: Ignores dont_blame_nrpe=1

2014-07-30 Thread Alexander Wirt
tag 756479 wontfix
thanks

On Wed, 30 Jul 2014, Jan Huijsmans wrote:

> Package: nagios-nrpe-server
> Version: 2.15-1
> Severity: important
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
> 
> Upgrade from 2.13-3.1 to 2.15-1
> 
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
> Downgrade to 2.13-3
> 
>    * What was the outcome of this action?
> 
> Listens to dont_blame_nrpe again.
> 
>    * What outcome did you expect instead?
> 
> From the upgrade, that this wouldn't break.
This change is on intention. Please read the NEWS file.

Alex

