I feel like this would be acceptable, from a security standpoint, to enable at build time. It would be disabled by default and upstream makes it clear that it should only be enabled if you know what you're doing:
After reading bug reports and comments on social media, I have to assume that there are users out there that know what they're doing and depend on this feature.
If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362:
There's no need to take this change through the security pocket since the current package is not vulnerable to CVE-2013-1362. It can take the normal SRU route directly to the updates pocket.
I feel like this would be acceptable, from a security standpoint, to enable at build time. It would be disabled by default and upstream makes it clear that it should only be enabled if you know what you're doing:
https:/ /github. com/NagiosEnter prises/ nrpe/blob/ master/ SECURITY. md#command- arguments
After reading bug reports and comments on social media, I have to assume that there are users out there that know what they're doing and depend on this feature.
If this feature is enabled in an SRU, the upload must include the fix for CVE-2013-1362:
https:/ /github. com/NagiosEnter prises/ nrpe/commit/ 5bf9b2047f8e9a8 609c3b95b2e6553 68765e4dd1
There's no need to take this change through the security pocket since the current package is not vulnerable to CVE-2013-1362. It can take the normal SRU route directly to the updates pocket.