Bug 31620 - nrpe new security issue CVE-2015-4000
Summary: nrpe new security issue CVE-2015-4000
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
Whiteboard: MGA8TOO
Reported: 2023-03-02 23:39 CET by David Walser
Modified: 2023-03-04 17:35 CET

See Also:
Source RPM: nrpe-4.1.0-1.mga9.src.rpm

Description David Walser 2023-03-02 23:39:13 CET
SUSE has issued an advisory on March 1:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/013955.html

Note that this package should probably be getting dropped (Bug 26957).

Mageia 8 is also affected.
David Walser 2023-03-02 23:39:43 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=26957
Whiteboard: (none) => MGA8TOO

Comment 1 Guillaume Rousse 2023-03-04 17:35:58 CET
Neither Cauldron nor Mageia 8 is affected; they both use 2048-bit DH parameters:

#ifdef USE_SSL_DH
		dh = get_dh2048();
		SSL_CTX_set_tmp_dh(ctx, dh);
		DH_free(dh);
#endif

And the so-called alternative, NCPA, is still incompatible with our packaging standards.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
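
The size check behind Comment 1, as an added example that is not part of the bug report or of nrpe's source: a minimal C parser that reads the prime length from DER-encoded PKCS#3 DH parameters (the form `openssl dhparam -outform DER` writes) and compares it with 2048 bits. The function names, the `DH_MIN_BITS` floor and the all-0xFF sample values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define DH_MIN_BITS 2048  /* assumption: the size cited in Comment 1, used as the floor */

/* Read a DER header (tag + length) at der[*pos]; returns content length or -1. */
static long der_header(const unsigned char *der, size_t len, size_t *pos, unsigned char tag)
{
    if (len - *pos < 2 || der[*pos] != tag) return -1;
    size_t n = der[*pos + 1], cnt = n & 0x7f;
    *pos += 2;
    if (n & 0x80) {                        /* long form: cnt length bytes follow */
        if (cnt == 0 || cnt > 2 || cnt > len - *pos) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | der[(*pos)++];
    }
    return n > len - *pos ? -1 : (long)n;  /* content must fit in the buffer */
}

/* Bit length of p in a PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }. */
int dh_prime_bits(const unsigned char *der, size_t len)
{
    size_t pos = 0;
    if (der_header(der, len, &pos, 0x30) < 0) return -1;
    long plen = der_header(der, len, &pos, 0x02);
    if (plen <= 0) return -1;
    if (plen > 1 && der[pos] == 0x00) { pos++; plen--; }   /* skip DER sign byte */
    int bits = (int)(plen - 1) * 8;
    for (unsigned char b = der[pos]; b; b >>= 1) bits++;   /* bits in the top byte */
    return bits;
}

/* Constructed sample, not a real prime: p is all 0xFF bytes, g = 2. */
int sample_bits(int bits)
{
    unsigned char o[300];
    if (bits != 512 && bits != 2048) return -1;            /* only two samples built */
    const char *hdr = bits == 512 ? "\x30\x46\x02\x41\x00" : "\x30\x82\x01\x08\x02\x82\x01\x01\x00";
    size_t h = bits == 512 ? 5 : 9, n = (size_t)bits / 8;  /* hdr ends with p's sign byte */
    memcpy(o, hdr, h);
    memset(o + h, 0xFF, n);
    memcpy(o + h + n, "\x02\x01\x02", 3);                  /* INTEGER g = 2 */
    return dh_prime_bits(o, h + n + 3);
}

int main(void)
{
    for (int bits = 512; bits <= 2048; bits *= 4)          /* 512, then 2048 */
        printf("DH prime is %d bits: %s\n", sample_bits(bits),
               sample_bits(bits) < DH_MIN_BITS ? "too small" : "ok");
    return 0;
}
```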

