
Bug#855857: marked as done (unblock: nagios-plugins-contrib/21.20170222)



Your message dated Sun, 26 Feb 2017 17:37:42 +0000
with message-id <20170226173742.7u7yhwlb7rkwf5vl@powdarrmonkey.net>
and subject line Re: Bug#855857: unblock: nagios-plugins-contrib/21.20170222
has caused the Debian Bug report #855857,
regarding unblock: nagios-plugins-contrib/21.20170222
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
855857: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855857
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nagios-plugins-contrib

We had to fix several plugins:
- check_raid: failed to work with EPN, #851351
- check_raid: detection of broken hotspares fails for mdadm raids.
  #855054
- check_ssl_cert: broken due to changes introduced with openssl 1.1.
  #855253
  I've added an autopkgtest to ensure that such issues are detected
  earlier.
- check_cert_expire_dirs failed to find check_cert_expire, so it did not
  work at all. #855155

A diff between 20.20170118 and 21.20170222 is attached.

Thanks,

Bernd


unblock nagios-plugins-contrib/21.20170222

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
diff --git a/check_ssl_cert/tests b/check_ssl_cert/tests
new file mode 100644
index 0000000..5417af1
--- /dev/null
+++ b/check_ssl_cert/tests
@@ -0,0 +1,2 @@
+Depends: openssl, curl, file
+Test-Command: /usr/lib/nagios/plugins/check_ssl_cert -H www.debian.org
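Review bot: The Test-Command on the second added line contacts www.debian.org, so the result depends on outbound network access and on that host's certificate as well as on the plugin. A testbed without network access, or a problem on the remote side, fails the test without any regression in check_ssl_cert. Consider checking a certificate served from inside the testbed, or at least documenting the network requirement next to the test.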
diff --git a/debian/changelog b/debian/changelog
index 5e48333..c6fb690 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+nagios-plugins-contrib (21.20170222) unstable; urgency=medium
+
+  [ Bernd Zeimetz ]
+  * [5091e4a] Disable EPN for check_raid.
+    Thanks to Daniel Pocock (Closes: #851351)
+  * [5bdff51] check_raid: fix failed mdadm hotspare detection.
+    Thanks to Sascha Steinbiss (Closes: #855054)
+  * [5232be1] percona-nagios-plugins: fix bashism.
+    Thanks to Raphael Geissert (Closes: #772278)
+
+  [ Stefan Schörghofer ]
+  * [6495faa] Fixes check_ssl_cert problems with Openssl > 1.1.x
+    (Closes: #855253)
+
+  [ Bernd Zeimetz ]
+  * [bf4fb49] Add autopkgtest for check_ssl_cert.
+  * [9aacdb6] Auto update of debian/tests/control
+  * [0d7ac29] Fix check_cert_expire_dirs to make it work at all.
+    check_cert_expire_dirs was not able to find
+    check_cert_expire. Fixing that. (Closes: #855155)
+
+ -- Bernd Zeimetz <bzed@debian.org>  Wed, 22 Feb 2017 14:32:22 +0100
+
 nagios-plugins-contrib (20.20170118) unstable; urgency=medium
 
   [ Evgeni Golov ]
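Review bot: The [5232be1] percona-nagios-plugins entry (Closes: #772278) is not among the four fixes listed in the unblock request, so the request text and the changelog disagree about what this upload contains; mention it in the request so the change is reviewed on purpose. The [6495faa] entry also reads "Openssl > 1.1.x", which describes versions after the 1.1 series, while the request says the breakage came with openssl 1.1; "OpenSSL >= 1.1" would match.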
diff --git a/debian/patches/check_raid/fix_mdadm_hotspare_failure_detection b/debian/patches/check_raid/fix_mdadm_hotspare_failure_detection
new file mode 100644
index 0000000..c81437a
--- /dev/null
+++ b/debian/patches/check_raid/fix_mdadm_hotspare_failure_detection
@@ -0,0 +1,11 @@
+--- a/check_raid/check_raid
++++ b/check_raid/check_raid
+@@ -3661,7 +3661,7 @@ $fatpacked{"App/Monitoring/Plugin/CheckR
+   		} elsif (@fd > 0) {
+   			# FIXME: this is same as above?
+   			$this->warning;
+-  			$s .= "hot-spare failure:". join(",", @{$md{failed_disks}}) .":$md{status}";
++			$s .= "hot-spare failure:". join(",", @fd) .":$md{status}";
+   
+   		} else {
+   			$s .= "$md{status}";
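Review bot: The replacement line drops the two leading spaces that the removed line and the surrounding context lines carry, so the added line is indented differently from the rest of the block; keep the original whitespace so that only the join() argument changes. The retained "FIXME: this is same as above?" comment is worth resolving while this branch is being touched, and the patch file has no header giving a description or the bug number (#855054 per the changelog).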
diff --git a/debian/patches/check_raid/no_epn b/debian/patches/check_raid/no_epn
new file mode 100644
index 0000000..9ce8a44
--- /dev/null
+++ b/debian/patches/check_raid/no_epn
@@ -0,0 +1,8 @@
+--- a/check_raid/check_raid
++++ b/check_raid/check_raid
+@@ -1,4 +1,5 @@
+ #!/usr/bin/perl
++# nagios: -epn
+ 
+ # This chunk of stuff was generated by App::FatPacker. To find the original
+ # file's code, look for the end of this BEGIN block or the string 'FATPACK'
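Review bot: The added "# nagios: -epn" line carries no explanation, and the patch file has no description header. A one-line comment or patch header saying why the embedded Perl interpreter is disabled for this fatpacked script, with a pointer to #851351, would keep a later patch refresh from dropping the line.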
diff --git a/debian/patches/check_ssl_cert/bug-855253-fix b/debian/patches/check_ssl_cert/bug-855253-fix
new file mode 100644
index 0000000..c0408f9
--- /dev/null
+++ b/debian/patches/check_ssl_cert/bug-855253-fix
@@ -0,0 +1,196 @@
+--- a/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
++++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
+@@ -969,8 +969,12 @@
+ 
+     if [ -n "${OCSP}" ] ; then
+ 
+-        ISSUER_CERT="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
+-        if [ -z "${ISSUER_CERT}" ] || [ ! -w "${ISSUER_CERT}" ] ; then
++        ISSUER_CERT_TMP="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
++        if [ -z "${ISSUER_CERT_TMP}" ] || [ ! -w "${ISSUER_CERT_TMP}" ] ; then
++            unknown 'temporary file creation failure.'
++        fi
++        ISSUER_CERT_TMP2="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
++        if [ -z "${ISSUER_CERT_TMP2}" ] || [ ! -w "${ISSUER_CERT_TMP2}" ] ; then
+             unknown 'temporary file creation failure.'
+         fi
+ 
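Review bot: Both mktemp calls run before the cleanup trap is installed (the trap is in the next hunk, around line 996), so if the second mktemp fails and unknown exits, the file behind ISSUER_CERT_TMP is left in the temporary directory. Install the trap before creating the files, or remove ISSUER_CERT_TMP explicitly on that error path. The two create-and-check blocks are identical apart from the variable name and could share one helper.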
+@@ -992,7 +996,7 @@
+ 
+     # Cleanup before program termination
+     # Using named signals to be POSIX compliant
+-    trap 'rm -f $CERT $ERROR $ISSUER_CERT' EXIT HUP INT QUIT TERM
++    trap 'rm -f $CERT $ERROR $ISSUER_CERT_TMP $ISSUER_CERT_TMP2' EXIT HUP INT QUIT TERM
+ 
+     fetch_certificate
+ 
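Review bot: The variables in the trap's rm -f are unquoted, so a temporary path containing whitespace or glob characters (for example from an unusual TMPDIR) is split or expanded before rm sees it. Quote each one inside the single-quoted trap string: rm -f "$CERT" "$ERROR" "$ISSUER_CERT_TMP" "$ISSUER_CERT_TMP2".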
+@@ -1348,8 +1352,11 @@
+     # Check the validity
+     if [ -z "${NOEXP}" ] ; then
+ 
++        if [ -n "${DEBUG}" ] ; then
++            echo "[DBG] Checking expiration date"
++        fi
+         # We always check expired certificates
+-        if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 ; then
++        if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 > /dev/null ; then
+             critical "certificate is expired (was valid until $DATE)"
+         fi
+ 
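Review bot: The -checkend call here, and the two in the hunks that follow, now discard stdout with no comment saying why. The verdict is taken from the exit status, so the redirect is safe, but a short comment that openssl prints its "will expire" / "will not expire" text on stdout and that this text must not end up in the plugin output would stop someone from removing the redirect later. Stderr is still passed through, which is the right choice for real errors.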
+@@ -1359,7 +1366,7 @@
+                 echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( CRITICAL * 86400 ))"
+             fi
+ 
+-            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) ; then
++            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) > /dev/null ; then
+                 critical "certificate will expire on $DATE"
+             fi
+ 
+@@ -1371,7 +1378,7 @@
+                 echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( WARNING * 86400 ))"
+             fi
+ 
+-            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) ; then
++            if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) > /dev/null ; then
+                 warning "certificate will expire on $DATE"
+             fi
+ 
+@@ -1504,34 +1511,36 @@
+     if [ -n "${OCSP}" ]; then
+ 
+ 	if [ -n "${DEBUG}" ] ; then
+-	    echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT}"
++	    echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT_TMP}"
+ 	fi
+ 	
+-        curl --silent "${ISSUER_URI}" > "${ISSUER_CERT}"
++        curl --silent "${ISSUER_URI}" > "${ISSUER_CERT_TMP}"
+ 
+ 	if [ -n "${DEBUG}" ] ; then
+-	    echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT}" | sed 's/.*://' )"
++	    echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+ 	fi
+ 	
+ 	# check the result
+-	if ! "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': (ASCII|PEM)' ; then
++	if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': (ASCII|PEM)' ; then
+ 	
+-            if "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': data' ; then
++            if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': data' ; then
+ 		
+ 		if [ -n "${DEBUG}" ] ; then
+ 		    echo "[DBG] OCSP: converting issuer certificate from DER to PEM"
+ 		fi
+ 		
+-		openssl x509 -inform DER -outform PEM -in "${ISSUER_CERT}" -out "${ISSUER_CERT}"
++    cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
++
++    $OPENSSL x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
+ 
+-	    else
++	else
+ 
+ 		unknown "Unable to fetch OCSP issuer certificate."
+ 
+-	    fi
++	fi
+ 		
+ 		
+-        fi
++    fi
+ 
+ 	if [ -n "${DEBUG}" ] ; then
+ 
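Review bot: The renamed check grep -q ': (ASCII|PEM)' still uses a basic regular expression, where the parentheses and the bar are literal characters, so it only matches the literal text "(ASCII|PEM)" and never a real file(1) description. An issuer certificate that is already PEM therefore falls through to the ': data' test and ends in "Unable to fetch OCSP issuer certificate." Use grep -qE, or two separate patterns, since this line is being touched anyway. The curl call writing to ISSUER_CERT_TMP also ignores curl's exit status, so a failed download is only noticed indirectly through the file type test; checking the status would give a clearer error. The re-indented else and fi lines no longer line up with the if they close, which makes the nesting hard to follow.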
+@@ -1543,7 +1552,7 @@
+ 	    
+ 	    echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
+ 	    
+-	    cp "${ISSUER_CERT}" "${FILE_NAME}"
++	    cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
+ 	fi
+ 	
+         OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s@.*//\([^/]\+\)\(/.*\)\?\$@\1@g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
+@@ -1563,33 +1572,54 @@
+ 		echo "[DBG] openssl ocsp support the -header option"
+ 	    fi
+ 	    
++      # the -header option was first accepting key and value separated by space. The newer versions are using key=value
++      KEYVALUE=""
++      if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] openssl ocsp -header requires 'key=value'"
++          fi
++          KEYVALUE=1
++      else
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] openssl ocsp -header requires 'key value'"
++          fi
++      fi  
++
+ 	    # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
+ 	    # shellcheck disable=SC2154
+ 	    if [ -n "${http_proxy}" ] ; then
+ 		HTTP_PROXY="${http_proxy}"
+ 	    fi
+ 
+-            if [ -n "${HTTP_PROXY:-}" ] ; then
++      if [ -n "${HTTP_PROXY:-}" ] ; then
++          if [ -n "${KEYVALUE}" ] ; then          
++              if [ -n "${DEBUG}" ] ; then
++                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
++              fi
++              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
++          else
++              if [ -n "${DEBUG}" ] ; then
++                  echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
++              fi
++              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ 		
+-		if [ -n "${DEBUG}" ] ; then
+-		    echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+-		fi
+-
+-                OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
+-
+-            else
+-		
+-		if [ -n "${DEBUG}" ] ; then
+-		    echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+-		fi
+-
+-                OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
++		      fi
++      fi
+ 
+-
+-            fi
++      if [ -n "${KEYVALUE}" ] ; then
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
++          fi
++          OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
++      else
++          if [ -n "${DEBUG}" ] ; then
++              echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT}  -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
++          fi
++              OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
++      fi
+ 	    
+ 	    if [ -n "${DEBUG}" ] ; then
+-		echo "[DBG] OCSP: response = ${OCSP_RESP}"	
++		      echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
+ 	    fi
+ 	    
+             if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
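Review bot: The old proxy/direct if ... else ... fi has become two independent blocks: the HTTP_PROXY block closes with its own fi, and the -url block that follows is no longer in an else branch. With a proxy configured, the proxied query runs, then the direct -url query runs as well and overwrites OCSP_RESP, so the proxy result is never used and the host attempts a direct connection it may not be allowed to make. Restore the else so that exactly one request is sent. The capability probe also calls plain "openssl ocsp -help" while the requests use $OPENSSL, so the -header syntax can be detected on a different binary than the one that is run; use $OPENSSL there too. The debug lines print ${OCSP_HEADER}, which is not part of the command actually executed.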
+@@ -1597,9 +1627,9 @@
+             elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then	    
+ 	    
+                 if [ -n "${HTTP_PROXY:-}" ] ; then
+-                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+                 else
+-                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++                    OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+                 fi
+ 		critical "${OCSP_RESP}"
+ 	    
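Review bot: The retry in this branch still passes "${OCSP_HEADER}" as one quoted word and does not use the KEYVALUE detection added in the previous hunk, so it builds the request differently from the first attempt. The text handed to critical then comes from a request that does not match the one that was just evaluated. Reuse the same -header form here, or report the first response.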
diff --git a/debian/patches/dsa/check_cert_expire_dir_check_name_fix b/debian/patches/dsa/check_cert_expire_dir_check_name_fix
new file mode 100644
index 0000000..6d8cb38
--- /dev/null
+++ b/debian/patches/dsa/check_cert_expire_dir_check_name_fix
@@ -0,0 +1,14 @@
+--- a/dsa/checks/dsa-check-cert-expire-dir
++++ b/dsa/checks/dsa-check-cert-expire-dir
+@@ -26,9 +26,9 @@
+ 
+ sn="$0"
+ if [ "${sn%/*}" = "$sn" ]; then
+-  CERT_CHECK=dsa-check-cert-expire
++  CERT_CHECK=check_cert_expire
+ else
+-  CERT_CHECK="${sn%/*}/dsa-check-cert-expire"
++  CERT_CHECK="${sn%/*}/check_cert_expire"
+ fi
+ 
+ if [ "$#" != 1 ] ; then
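Review bot: In the branch where $0 contains no slash, CERT_CHECK=check_cert_expire is a bare name that is resolved through PATH when it is run, so the script can still fail to find the helper, or can run a different check_cert_expire that appears earlier in PATH. Falling back to the installed plugin directory (/usr/lib/nagios/plugins, as used in the autopkgtest) would be more robust than a bare name. The patch file also lacks a description header referencing #855155.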
diff --git a/debian/patches/percona-nagios-plugins/fix_bashism b/debian/patches/percona-nagios-plugins/fix_bashism
new file mode 100644
index 0000000..ec431a2
--- /dev/null
+++ b/debian/patches/percona-nagios-plugins/fix_bashism
@@ -0,0 +1,8 @@
+--- a/percona-nagios-plugins/nagios/bin/pmp-check-mysql-ts-count
++++ b/percona-nagios-plugins/nagios/bin/pmp-check-mysql-ts-count
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ 
+ # ########################################################################
+ # This program is part of $PROJECT_NAME$
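Review bot: Changing the interpreter line to #!/bin/bash leaves the bash-only construct in place instead of fixing it, while the changelog entry reads "fix bashism". As a minimal change that is acceptable, but the script now needs bash on the monitored host, so check that the package relationships cover it and word the changelog entry as "use bash" so the record matches the change.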
diff --git a/debian/patches/series b/debian/patches/series
index ca6f2f8..43e32e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+dsa/check_cert_expire_dir_check_name_fix
 dsa/check_running_kernel_jessie_centos_fix
 check_ajp/return_critical_on_failed_connection
 check_backuppc/use_nagios_plugins
@@ -43,10 +44,13 @@ dsa/check_packages_location
 dsa/status_directory
 dsa/check_packages-inifile
 dsa/epn
-
 dsa/check_packages_,_fix
 check_cups/ParseDateDelta
 check_printer/epn
 check_nfsmounts/nfs4_support
 check_httpd_status/htdigest_auth
 check_varnish/fix_for_v5
+check_raid/no_epn
+check_raid/fix_mdadm_hotspare_failure_detection
+percona-nagios-plugins/fix_bashism
+check_ssl_cert/bug-855253-fix
diff --git a/debian/tests/control b/debian/tests/control
index bcc9ecc..0fa3aa0 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -19,6 +19,9 @@ Restrictions: needs-root, allow-stderr, isolation-container
 Depends: lsof, libyaml-syck-perl, @
 Test-Command: /usr/lib/nagios/plugins/check_libs
 
+Depends: openssl, curl, file, @
+Test-Command: /usr/lib/nagios/plugins/check_ssl_cert -H www.debian.org
+
 Depends: libmonitoring-plugin-perl | libnagios-plugin-perl, @
 Test-Command: /usr/lib/nagios/plugins/check_uptime -f
 
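Review bot: The added stanza has no Restrictions field, while a neighbouring stanza (visible in the hunk header) declares allow-stderr. autopkgtest treats output on stderr as a failure by default, so any warning that curl or openssl writes to stderr fails this test even when the plugin returns OK. Either add allow-stderr or confirm that the plugin is silent on stderr for a successful check.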

--- End Message ---
--- Begin Message ---
On Wed, Feb 22, 2017 at 03:06:17PM +0100, Bernd Zeimetz wrote:
> 
> Please unblock package nagios-plugins-contrib
> 
> We had to fix several plugins:
> - check_raid: failed to work with EPN, #851351
> - check_raid: detection of broken hotspares fails for mdadm raids.
>   #855054
> - check_ssl_cert: broken due to changes introduced with openssl 1.1.
>   #855253
>   I've added an autopkgtest to ensure that such issues are detected
>   earlier.
> - check_cert_expire_dirs failed to find check_cert_expire, so it did not
>   work at all. #855155
> 
> A diff between 20.20170118 and 21.20170222 is attached.

Unblocked.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
