Bug 31620

Summary: nrpe new security issue CVE-2015-4000
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=26957
Whiteboard: MGA8TOO
Source RPM: nrpe-4.1.0-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-03-02 23:39:13 CET
SUSE has issued an advisory on March 1:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/013955.html

Note that this package should probably be getting dropped (Bug 26957).

Mageia 8 is also affected.
David Walser 2023-03-02 23:39:43 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=26957
Whiteboard: (none) => MGA8TOO

Comment 1 Guillaume Rousse 2023-03-04 17:35:58 CET
Neither Cauldron nor Mageia 8 is affected; they both use 2048-bit DH parameters:

#ifdef USE_SSL_DH
		dh = get_dh2048();
		SSL_CTX_set_tmp_dh(ctx, dh);
		DH_free(dh);
#endif

And the so-called alternative, NCPA, is still incompatible with our packaging standards.

Status: NEW => RESOLVED
Resolution: (none) => INVALID