summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch24
-rw-r--r--debian/patches/07_warn_ssloption.patch28
-rw-r--r--debian/patches/11_reproducible_dh.h.patch79
-rw-r--r--debian/patches/series3
4 files changed, 134 insertions, 0 deletions
diff --git a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
new file mode 100644
index 0000000..6c607fd
--- /dev/null
+++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
@@ -0,0 +1,24 @@
+Description: Support nrpe_local.cfg & nrpe.d directory.
+Author: Sean Finney <seanius@debian.org>
+Author: Alexander Wirt <formorer@debian.org>
+Forwarded: not-needed
+
+--- a/sample-config/nrpe.cfg.in
++++ b/sample-config/nrpe.cfg.in
+@@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
+
+ #include_dir=<somedirectory>
+ #include_dir=<someotherdirectory>
++
++
++
++# local configuration:
++# if you'd prefer, you can instead place directives here
++
++include=/etc/nagios/nrpe_local.cfg
++
++# you can place your config snipplets into nrpe.d/
++# only snipplets ending in .cfg will get included
++
++include_dir=/etc/nagios/nrpe.d/
++
diff --git a/debian/patches/07_warn_ssloption.patch b/debian/patches/07_warn_ssloption.patch
new file mode 100644
index 0000000..a6f9686
--- /dev/null
+++ b/debian/patches/07_warn_ssloption.patch
@@ -0,0 +1,28 @@
+Description: Warn against inadequateness of NRPE's own SSL option.
+Author: Thijs Kinkhorst <thijs@debian.org>
+Forwarded: not-needed
+
+--- a/SECURITY.md
++++ b/SECURITY.md
+@@ -91,14 +91,17 @@ Encryption
+ ----------
+
+ If you do enable support for command arguments in the NRPE daemon,
+-make sure that you encrypt communications either by using:
+-
+- 1. Stunnel (see http://www.stunnel.org for more info)
+- 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
++make sure that you encrypt communications by using, for example,
++Stunnel (see http://www.stunnel.org for more info).
+
+ Do **NOT** assume that just because the daemon is behind a firewall
+ that you are safe! ***Always encrypt NRPE traffic!***
+
++NOTE: the currently shipped native SSL support of NRPE is not an
++adequante protection, because it does not verify clients and
++server, and uses pregenerated key material. NRPE's SSL option is
++advised against. For more information, see Debian bug #547092.
++
+
+ Using Arguments
+ ---------------
diff --git a/debian/patches/11_reproducible_dh.h.patch b/debian/patches/11_reproducible_dh.h.patch
new file mode 100644
index 0000000..605fb1a
--- /dev/null
+++ b/debian/patches/11_reproducible_dh.h.patch
@@ -0,0 +1,79 @@
+Description: Use pre-generated dh.h for reproducible builds.
+Author: Bas Couwenberg <sebastic@debian.org>
+Bug-Debian: https://bugs.debian.org/834857
+Forwarded: not-needed
+
+--- /dev/null
++++ b/include/dh.h
+@@ -0,0 +1,53 @@
++#ifndef HEADER_DH_H
++# include <openssl/dh.h>
++#endif
++
++DH *get_dh2048()
++{
++ static unsigned char dhp_2048[] = {
++ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA,
++ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73,
++ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48,
++ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8,
++ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97,
++ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1,
++ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62,
++ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA,
++ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3,
++ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3,
++ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E,
++ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57,
++ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD,
++ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93,
++ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC,
++ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8,
++ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7,
++ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73,
++ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51,
++ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26,
++ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2,
++ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9,
++ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32,
++ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E,
++ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF,
++ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B
++ };
++ static unsigned char dhg_2048[] = {
++ 0x02
++ };
++ DH *dh = DH_new();
++ BIGNUM *dhp_bn, *dhg_bn;
++
++ if (dh == NULL)
++ return NULL;
++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
++ if (dhp_bn == NULL || dhg_bn == NULL
++ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++ DH_free(dh);
++ BN_free(dhp_bn);
++ BN_free(dhg_bn);
++ return NULL;
++ }
++ return dh;
++}
+--- a/macros/ax_nagios_get_ssl
++++ b/macros/ax_nagios_get_ssl
+@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then
+ # Find the openssl program
+
+ if test x$need_dh = xyes; then
+- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ AC_DEFINE(USE_SSL_DH)
+- # Generate DH parameters
+- if test -f "$sslbin"; then
+- echo ""
+- echo "*** Generating DH Parameters for SSL/TLS ***"
+- # awk to strip off meta data at bottom of dhparam output
+- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+- fi
+ fi
+ fi
+ fi
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..15e2844
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+02_nrpe.cfg_local-include_support_nrpe.d.patch
+07_warn_ssloption.patch
+11_reproducible_dh.h.patch