* Mon Feb 15 2021 ro@suse.de
- fix apparmor profile to allow /run as well as /var/run
* Thu Feb 04 2021 Lars Vogdt <lars@linux-schulserver.de>
- added nrpe-4.0.4-silence_wrong_package_version_messages.patch
NRPE logs 'packet version was invalid' and 'Could not read request
from client' if the NRPE version on the client does not match the
one on the server side.
This patch reduces the importance of the log entry to be just
informal, which should silent most client logs, while it makes
it still available for debugging.
* Fri Jan 22 2021 Lars Vogdt <lars@linux-schulserver.de>
- update to 4.0.3
ENHANCEMENTS
* Added TLSv1.3 and TLSv1.3+ support for systems that have it (Nigel Yong, Rahul Golam)
* Added IPv6 ip address to list of default allow_from hosts (Troy Lea)
* Added -D option to disable logging to syslog (Tom Griep, Sebastian Wolf)
* Added -3 option to force check_nrpe to use NRPE v3 packets
* OpenRC: provide a default path for nrpe.cfg (Michael Orlitzky)
* OpenRC: Use RC_SVCNAME over a hard-coded PID file (j-licht)
FIXES
* Fixed nasty_metachars not being read from config file (#235) (Sebastian Wolf)
* Fixed buffer length calculations/writing past memory boundaries
on some systems (#227, #228) (Andreas Baumann, hariwe, Sebastian Wolf)
* Fixed use of uninitialized variable when validating requests (#229) (hariwe, Sebastian Wolf)
* Fixed syslog flooding with CRC-checking errors when both plugin
and agent were updated to version 4 (Sebastian Wolf)
* Checks for '!' now only occur inside the command buffer (Joni Eskelinen)
* NRPE daemon is more resilient to DOS attacks (Leonid Vasiliev)
* allowed_hosts will no longer test getaddrinfo records against the
wrong protocol (dombenson)
* nasty_metachars will now handle C escape sequences properly when
specified in the config file (Sebastian Wolf)
* Calculated packet sizes now struct padding/alignment when sending
and receiving messages (Sebastian Wolf)
* Buffer sizes are now checked before use in packet size calculation (Sebastian Wolf)
* When using include_dir, individual files' errors do not prevent
the remaining files from being read (Sebastian Wolf)
- refreshed the following patches:
* nrpe-implicit_declaration.patch
* nrpe-improved_help.patch
* nrpe_check_control.patch
- renamed and refreshed the following patches/sources:
* nrpe-3.2.1-disable-chkconfig_in_Makefile.patch
- > nrpe-disable-chkconfig_in_Makefile.patch
* nrpe-3.2.1-static_dh_parameters.patch
- > nrpe-static_dh_parameters.patch
* nrpe-3.2.1-dh.h -> nrpe-dh.h
- enhanced README.SUSE with some words about Apparmor
- added an include directive in usr.sbin.nrpe apparmor config
and a basic local/usr.sbin.nrpe file in the docu-directory
* Tue Jul 28 2020 Thorsten Kukuk <kukuk@suse.com>
- Don't install SuSEfirewall2 service file, SuSEfirewall2 is gone
* Fri Feb 21 2020 lars@linux-schulserver.de
- nrpe.xml firewalld file is handled by firewalld package
- Leap 15.1 is suse_version 1500 (thanks, dimstar)
* Mon Feb 03 2020 Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
shortcut through the -mini flavors.
* Sun Mar 17 2019 Lars Vogdt <lars@linux-schulserver.de>
- Do not package nrpe.xml for Leap 15.0, as it is included in
firewalld package there.
* Sun Feb 17 2019 lars@linux-schulserver.de
- add nrpe.xml snipplet for firewalld
- still ship nrpe snipplet for SuSEfirewalld for now
- use systemd files directly from upstream:
+ drop Requires=var-run.mount line from service file
+ drop nrpe.service
+ drop nrpe.socket
+ do not create tmpfiles.d/nrpe in spec any longer
- handle migration from /etc/nagios/nrpe.cfg to /etc/nrpe.cfg also
for systemd case (triggerun)
- increase warn/crit level for processes to 350/400 in a default
installation
- added patch and dh.h file to NOT re-calculate dh.h parameters
during each build (for reproducable builds).
Can be enable/disable by setting the 'reproducable' build
condition. Default is: "on" for suse_version >= 15
+ nrpe-3.2.1-static_dh_parameters.patch
+ nrpe-3.2.1-dh.h
- use _rundir and _tmpfilesdir macros everywhere
- do not create nagios user/group during install on (open)SUSE
systems and rely on the files section here instead
- rename nagios-nrpe-rpmlintrc and nagios-nrpe-SuSEfirewall2 to
nrpe-rpmlintrc and nrpe-SuSEfirewall2
- simplify rpmlintrc
- build nrpe-doc package as noarch
- specfile cleanup & remove other distribution specials
- disable chkconfig call in Makefile on old distributions
nrpe-3.2.1-disable-chkconfig_in_Makefile.patch
* Mon Jun 04 2018 lars@linux-schulserver.de
- only include %{_sysconfdir}/xinetd.d on newer distributions
(fixes submission of this package as update for SLE12-SP4
and Leap 42.3 - boo#938906)
Version: 3.2.1-bp150.1.5
* Mon Mar 26 2018 dimstar@opensuse.org
- Own %{_sysconfdir}/xinetd.d: filesystem won't own this directory
much longer (boo#1084457).
* Fri Dec 15 2017 obs@botter.cc
- remove additional reference to removed nrpe@.service file
* Wed Dec 06 2017 lars@linux-schulserver.de
- remove unneeded nrpe@.service file
- cleanup the %%pre/%%post commands
* Tue Dec 05 2017 ro@suse.de
- update to 3.2.1:
FIXES
- Change seteuid error messages to warning/debug (Bryan Heden)
- Fix segfault when no nrpe_user is specified (Stephen Smoogen, Bryan Heden)
- Added additional strings to error messages to remove duplicates (Bryan Heden)
- Fix nrpe.spec for rpmbuild (Bryan Heden)
- Fix error for drop_privileges when using inetd (xalasys-luc, Bryan Heden)
- update to 3.2.0:
ENHANCEMENTS
- Added max_commands definition to nrpe.cfg to rate limit simultaneous fork()ed children (Bryan Heden)
- Added -E, --stderr-to-stdout options for check_nrpe to redirect output (Bryan Heden)
- Added support for Gentoo init (Troy Lea @box293)
- Cleaned up code a bit, updated readmes and comments across the board (Bryan Heden)
- Added -V, --version to nrpe and fixed the output (Bryan Heden)
- Added different SSL error messages to be able to pinpoint where some SSL errors occured (Bryan Heden)
- Updated logic in al parse_allowed_hosts (Bryan Heden)
- Added builtin OpenSSL Engine support where available (Bryan Heden + @skrueger8)
- Clean up compilation warnings (Bryan Heden)
- Added more commented commands in nrpe.cfg (Bryan Heden)
FIXES
- Undefined check returns UNKNOWN (Bryan Heden)
- Fix incompatibility with OpenSSL 1.1.0 via SECLEVEL distinction (Bryan Heden)
- Fix ipv4 error in logfile even if address is ipv6 (Bryan Heden)
- Fix improper valid/invalid certificate warnings (Bryan Heden)
* Tue Jul 25 2017 ro@suse.de
- change prereq from /bin/logger to /usr/bin/logger except for
code11 and older
* Mon May 29 2017 lars@linux-schulserver.de
- update to 3.1.1:
FIXES
- The '--log-file=' or '-g' option is missing from the help (John Frickson)
- check_nrpe = segfault when specifying a config file (John Frickson)
- Alternate log file not being used soon enough (John Frickson)
- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
- Fix build failure with -Werror=format-security (Bas Couwenberg)
- Fixed a typo in `nrpe.spec.in` (John Frickson)
- More detailed error logging for SSL (John Frickson)
- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
- refreshed all patches
* Fri Apr 21 2017 ro@suse.de
- require inet-daemon only if suse_version is set
- call centos macros for systemd
- drop Requires=var-run.mount line from service file on centos
* Fri Apr 21 2017 ro@suse.de
- fix buildrequires for centos:
- tcpd-devel is tcp_wrappers-devel
- kerberos is krb5-devel
* Mon Apr 17 2017 lars@linux-schulserver.de
-update to 3.1.0:
ENHANCEMENTS
- Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson)
- While processing 'include_dir' statement, sort the files (Philippe Kueck / John Frickson)
- nrpe can now write to a log file using 'log_file=' in nrpe.cfg (John Frickson)
- check_nrpe can now write to a log file using '--log-file=' or '-g' options (John Frickson)
FIXES
- Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach)
- Fix help output for ssl option (configure) (Ruben Kerkhof)
- Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe)
- Changed the 'check_load' command in nrpe.cfg.in (minusdavid)
- Minor change to logging in check_nrpe (John Frickson)
- Removed function `b64_decode` which wasn't being used (John Frickson)
- check_nrpe ignores -a option when -f option is specified (John Frickson)
- Added missing LICENSE file (John Frickson)
- Off-by-one BO in my_system() (John Frickson)
- Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg)
- nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson)
- "Remote %s accepted a Version %s Packet", please add to debug (John Frickson)
- nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson)
- Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev)
- Changed release date to ISO format (yyyy-mm-dd) (John Frickson)
- Fix systemd unit description (Bas Couwenberg)
- Add reload command to systemd service file (Bas Couwenberg)
- fix file not found error when updating version (Sven Nierlein)
- Spelling fixes (Josh Soref)
- Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson)
- xinetd.d parameter causes many messages in log file (John Frickson)
- Fixes for openssl 1.1.x (Stephen Smoogen / John Frickson)
- PATH and other environment variables not set with numeric nrpe_user (John Frickson)
- remove upstreamed patches:
+ nrpe-more_random.patch
+ nrpe-drop_privileges_before_writing_pidfile.patch
+ nrpe-3.0-Makefile_use_DESTDIR.patch
- refreshed other patches
* Wed Dec 07 2016 lars@linux-schulserver.de
- correctly call the systemd macros for all systemd units
* Sun Oct 30 2016 jengelh@inai.de
- Description updates
* Wed Oct 12 2016 ro@suse.de
- add usr.sbin.nrpe as source12 (only example for now)
- call tmpfiles_create in postinstall
- add /run/nrpe as ghost
* Wed Aug 10 2016 lars@linux-schulserver.de
- remove patches that are fixed upstream:
+ nagios-nrpe-buffersize.patch
+ nrpe-weird_output.patch
* Fri Jul 22 2016 lars@linux-schulserver.de
- update to 3.0:
SECURITY
- Fix for CVE-2014-2913
- Added function to clean the environment before forking.
(John Frickson)
ENHANCEMENTS
- Added support for optional config file to check_nrpe. With the new SSL
parameters, the line was getting long. The config file is specified with
- -config-file=<path> or -f <path> parameters. The config file must look
like command line options, but the options can be on separate lines. It
MUST NOT include --config-file (-f), --command (-c) or --args (-a). If any
options are in both the config file and on the command line, the command line
options are used.
- Added "nrpe-uninstall" script to the same directory nrpe get installed to
(John Frickson)
- Added command-line option to prevent forking, since some of the init
replacements (such as systemd, etc.) don't want daemons to fork
(John Frickson)
- Added listen_queue_size as configuration option (Vadim Antipov, Kaspersky Lab)
- Reworked SSL/TLS. See the README.SSL.md file for full info. (John Frickson)
- Added support for version 3 variable sized packets up to 64KB. nrpe will
accept either version from check_nrpe. check_nrpe will try to send a
version 3 packet first, and fall back to version 2. check_nrpe can be forced
to only send version 2 packets if the switch `-2` is used. (John Frickson)
- Added extended timeout syntax in the -t <secs>:<status> format. (ABrist)
FIXES
- check_nrpe does not parse passed arguments correctly (John Frickson)
- NRPE should not start if cannot write pid file (John Frickson)
- Fixed out-of-bounds error (return code 255) for some failures
(John Frickson)
- Connection Timeout and Connection Refused messages need a new line
(Andrew Widdersheim)
- allowed_hosts doesn't work, if one of the hostnames can't be resolved
by dns (John Frickson)
- allowed_hosts doesn't work with a hostname resolving to an IPv6 address
(John Frickson)
- Return UNKNOWN when issues occur (Andrew Widdersheim)
- NRPE returns OK if check can't be executed (Andrew Widdersheim)
- sample configuration for check_load has crazy sample load avg
(ernestoongaro)
- deleted patches:
+ nrpe-xinetd.patch (fixed upstream)
+ nrpe-weird_output.patch (fixed in anothr way upstream)
- refresh all other patches
- added new patch:
+ nrpe-3.0-Makefile_use_DESTDIR.patch (allow DESTDIR)
- added /usr/share/doc/packages/nrpe/examples/update-cfg.pl to allow
easy upgrade of configuration file
* Sun Mar 29 2015 lars@linux-schulserver.de
- add missing (empty) argument to tmpfiles.d file
* Sun Jan 18 2015 lars@linux-schulserver.de
- add reload option to systemd service
- let the tmpfiles config use the tmpdir macro to define the
place of the tmpdir
- use bcond for building with systemd support
* Wed Jul 30 2014 ro@suse.de
- use _rundir macro if available
* Wed Jul 30 2014 obs@botter.cc
- correct user and group setting in systemd service files
- remove unneeded source file nrpe.tempfiles - it is generated
during build on-the-fly
* Wed Jul 30 2014 lars@linux-schulserver.de
- rename nagios-plugins-nrpe to monitoring-plugins-nrpe
- require the monitoring-plugins instead of nagios-plugins packages
* Fri Jul 18 2014 obs@botter.cc
- add systemd service file, and per-connection activation socket
and service file for openSUSE >= 1210, init.d files are supplied
for versions until 1230 including.