[Bug 1380229] Re: Potential Vulnerability for X509 Certificate Verification
Markus Frosch
markus at lazyfrosch.de
Sun Oct 19 11:09:38 UTC 2014
Nagios NRPE does not have any usage of x509 certificates.
The TLS code is broken by design and never has been secure. This is
known for years.
Only thing the tool does is to initiate a "crypted" connection based on
a on compile time generated DH key, no verification whatsoever.
This is a major upstream design flaw and can't be fixed just with a
patch.
There is a long discussion on the Debian bug tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547092
** Bug watch added: Debian Bug tracker #547092
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547092
** Changed in: nagios-nrpe (Ubuntu)
Status: New => Opinion
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nagios-nrpe in Ubuntu.
https://bugs.launchpad.net/bugs/1380229
Title:
Potential Vulnerability for X509 Certificate Verification
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1380229/+subscriptions
More information about the Ubuntu-server-bugs
mailing list