From 134ec653ca1852cab19cf8731e9d65df6dcceabf Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 13:05:43 +0200 Subject: Adding debian version 4.0.3-1. Signed-off-by: Daniel Baumann --- .../02_nrpe.cfg_local-include_support_nrpe.d.patch | 27 ++++++++ debian/patches/07_warn_ssloption.patch | 28 ++++++++ debian/patches/11_reproducible_dh.h.patch | 79 ++++++++++++++++++++++ debian/patches/series | 3 + 4 files changed, 137 insertions(+) create mode 100644 debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch create mode 100644 debian/patches/07_warn_ssloption.patch create mode 100644 debian/patches/11_reproducible_dh.h.patch create mode 100644 debian/patches/series (limited to 'debian/patches') diff --git a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch new file mode 100644 index 0000000..198954b --- /dev/null +++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch @@ -0,0 +1,27 @@ +Description: Support nrpe_local.cfg & nrpe.d directory. +Author: Sean Finney +Author: Alexander Wirt +Forwarded: not-needed + +--- a/sample-config/nrpe.cfg.in ++++ b/sample-config/nrpe.cfg.in +@@ -362,6 +362,19 @@ command[check_total_procs]=@pluginsdir@/ + #include_dir= + #include_dir= + ++ ++ ++# local configuration: ++# if you'd prefer, you can instead place directives here ++ ++include=/etc/nagios/nrpe_local.cfg ++ ++# you can place your config snipplets into nrpe.d/ ++# only snipplets ending in .cfg will get included ++ ++include_dir=/etc/nagios/nrpe.d/ ++ ++ + # KEEP ENVIRONMENT VARIABLES + # This directive allows you to retain specific variables from the environment + # when starting the NRPE daemon. diff --git a/debian/patches/07_warn_ssloption.patch b/debian/patches/07_warn_ssloption.patch new file mode 100644 index 0000000..a6f9686 --- /dev/null +++ b/debian/patches/07_warn_ssloption.patch @@ -0,0 +1,28 @@ +Description: Warn against inadequateness of NRPE's own SSL option. +Author: Thijs Kinkhorst +Forwarded: not-needed + +--- a/SECURITY.md ++++ b/SECURITY.md +@@ -91,14 +91,17 @@ Encryption + ---------- + + If you do enable support for command arguments in the NRPE daemon, +-make sure that you encrypt communications either by using: +- +- 1. Stunnel (see http://www.stunnel.org for more info) +- 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info) ++make sure that you encrypt communications by using, for example, ++Stunnel (see http://www.stunnel.org for more info). + + Do **NOT** assume that just because the daemon is behind a firewall + that you are safe! ***Always encrypt NRPE traffic!*** + ++NOTE: the currently shipped native SSL support of NRPE is not an ++adequante protection, because it does not verify clients and ++server, and uses pregenerated key material. NRPE's SSL option is ++advised against. For more information, see Debian bug #547092. ++ + + Using Arguments + --------------- diff --git a/debian/patches/11_reproducible_dh.h.patch b/debian/patches/11_reproducible_dh.h.patch new file mode 100644 index 0000000..605fb1a --- /dev/null +++ b/debian/patches/11_reproducible_dh.h.patch @@ -0,0 +1,79 @@ +Description: Use pre-generated dh.h for reproducible builds. +Author: Bas Couwenberg +Bug-Debian: https://bugs.debian.org/834857 +Forwarded: not-needed + +--- /dev/null ++++ b/include/dh.h +@@ -0,0 +1,53 @@ ++#ifndef HEADER_DH_H ++# include ++#endif ++ ++DH *get_dh2048() ++{ ++ static unsigned char dhp_2048[] = { ++ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA, ++ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73, ++ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48, ++ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8, ++ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97, ++ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1, ++ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62, ++ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA, ++ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3, ++ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3, ++ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E, ++ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57, ++ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD, ++ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93, ++ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC, ++ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8, ++ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7, ++ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73, ++ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51, ++ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26, ++ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2, ++ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9, ++ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32, ++ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E, ++ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF, ++ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B ++ }; ++ static unsigned char dhg_2048[] = { ++ 0x02 ++ }; ++ DH *dh = DH_new(); ++ BIGNUM *dhp_bn, *dhg_bn; ++ ++ if (dh == NULL) ++ return NULL; ++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); ++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL ++ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); ++ return NULL; ++ } ++ return dh; ++} +--- a/macros/ax_nagios_get_ssl ++++ b/macros/ax_nagios_get_ssl +@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then + # Find the openssl program + + if test x$need_dh = xyes; then +- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH) + AC_DEFINE(USE_SSL_DH) +- # Generate DH parameters +- if test -f "$sslbin"; then +- echo "" +- echo "*** Generating DH Parameters for SSL/TLS ***" +- # awk to strip off meta data at bottom of dhparam output +- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h +- fi + fi + fi + fi diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..15e2844 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,3 @@ +02_nrpe.cfg_local-include_support_nrpe.d.patch +07_warn_ssloption.patch +11_reproducible_dh.h.patch -- cgit v1.2.3