Bug 23212

Summary: nrpe hardcoded 512-bit DH parameters makes it vulnerable to LOGJAM (CVE-2015-4000)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: nrpe-2.15-7.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-06-21 00:04:07 CEST
SUSE has issued an advisory today (June 20):
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004209.html

I think this is the corresponding upstream issue:
https://github.com/NagiosEnterprises/nrpe/issues/30

So it looks like it was fixed in 2.16.
Comment 1 Guillaume Rousse 2018-07-05 22:25:35 CEST
nrpe 2.16 seems to have never been released, and I can't find the relevant commits in the git repository (way too much noise). None of the publicly available PRs have been merged, in favor of a mysterious "complete and backward-compatible" (but unavailable) solution.

So, unless an easy solution is found, this is likely to result in a "won't fix" status.
Comment 2 David Walser 2018-07-06 00:56:40 CEST
Based on the date of the upstream guy's comment, he might have made a typo and this might have been fixed in 2.15.  I'm fine if you want to close this.
Comment 3 Guillaume Rousse 2018-08-24 21:04:29 CEST
No available solution in sight, closing.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED