Bug 23212 - nrpe hardcoded 512-bit DH parameters makes it vulnerable to LOGJAM (CVE-2015-4000)
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
 
Reported: 2018-06-21 00:04 CEST by David Walser
Modified: 2018-08-24 21:04 CEST
Source RPM: nrpe-2.15-7.mga6.src.rpm

Description David Walser 2018-06-21 00:04:07 CEST
SUSE has issued an advisory today (June 20):
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004209.html

I think this is the corresponding upstream issue:
https://github.com/NagiosEnterprises/nrpe/issues/30

So it looks like it was fixed in 2.16.
Comment 1 Guillaume Rousse 2018-07-05 22:25:35 CEST
nrpe 2.16 seems to have never been released, and I can't find the relevant commits in the git repository (way too much noise). None of the publicly available PRs have been merged, in favor of a mysterious "complete and backward-compatible" (but unavailable) solution.

So, unless an easy solution is found, this is likely to result in a "won't fix" status.
Comment 2 David Walser 2018-07-06 00:56:40 CEST
Based on the date of the upstream guy's comment, he might have made a typo and this might have been fixed in 2.15.  I'm fine if you want to close this.
Comment 3 Guillaume Rousse 2018-08-24 21:04:29 CEST
No available solution in sight, closing.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

