Module: check_mk
Branch: master
Commit: 415ac63c1b16c7e5af1630babddb33e8dd5d8680
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=415ac63c1b16c7…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Oct 19 08:21:45 2018 +0200
Removed outdated comment
Change-Id: Idd2c1e27582d98b1a4f0d3b93cf16d4be8a36968
---
cmk/gui/plugins/wato/__init__.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/cmk/gui/plugins/wato/__init__.py b/cmk/gui/plugins/wato/__init__.py
index 9c5a8f9..556cdb2 100644
--- a/cmk/gui/plugins/wato/__init__.py
+++ b/cmk/gui/plugins/wato/__init__.py
@@ -36,9 +36,6 @@ from cmk.plugin_loader import load_plugins
# | |___/ |
# '----------------------------------------------------------------------'
-# TODO: Would be better to replace this star import with an explicit list of
-# names needed for the plugins. Then we would have something like an official
-# plugin API. At least a list of names that are intended to be used by plugins.
from cmk.gui.plugins.wato.utils import (
ACResultCRIT,
ACResultOK,
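Review bot: the commit message ("Removed outdated comment") does not say why the comment is outdated, but the hunk shows it: the star import the TODO refers to has already become the explicit name list `from cmk.gui.plugins.wato.utils import (ACResultCRIT, ACResultOK, ...)` visible in the trailing context. Say so in the message, and consider noting that this explicit list is now the de-facto plugin API the TODO asked for, so that additions to it are reviewed as API changes.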
Module: check_mk
Branch: master
Commit: eb91c585e3e3768990602de0f43eea35c3179679
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=eb91c585e3e376…
Author: Sven Panne <sp(a)mathias-kettner.de>
Date: Thu Oct 18 15:36:20 2018 +0200
6505 FIX Avoid CMC crash during event helper restarts.
When an event helper (for notifications/alerts) should be restarted, the
Check_MK Micro Core could go into an infinite recursion, ultimately leading
to a crash of the CMC itself. This has been fixed.
CMK-1117
Change-Id: I3f474453466abd299ca8cdc1e87140e824c8a120
---
.werks/6505 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/.werks/6505 b/.werks/6505
new file mode 100644
index 0000000..c661ecc
--- /dev/null
+++ b/.werks/6505
@@ -0,0 +1,15 @@
+Title: Avoid CMC crash during event helper restarts.
+Level: 1
+Component: core
+Compatible: compat
+Edition: cee
+Version: 1.6.0i1
+Date: 1539869658
+Class: fix
+
+When an event helper (for notifications/alerts) should be restarted, the
+Check_MK Micro Core could go into an infinite recursion, ultimately leading
+to a crash of the CMC itself. This has been fixed.
+
+CMK-1117
+
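Review bot: the werk body only repeats the title and adds "This has been fixed"; for a core crash that is user-facing, one sentence on what triggered the recursion during the event helper restart and whether a regression test covers it would let operators judge if they were affected. The file also ends with an extra empty `+` line after `CMK-1117`, which the other werks in this series do not have.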
Module: check_mk
Branch: master
Commit: cb28df62e93bcb91c3b077fdd28688cf8701604c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cb28df62e93bcb…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Oct 18 14:52:45 2018 +0200
6788 SEC Notification spooler: Fixed deserialization of arbitrary input
The notification daemon of one site connects to the notification daemon of
another site to exchange notifications between both sites.
The messages that are sent between the notification daemons were encoded in an
insecure format which allowed code injections between the communication
partners. This means it was possible to inject code from one notification
spooler to another.
We have now changed the message format to a secure alternative which prevents
code injections.
To be able to perform this transition without losing notifications and
preventing subtle incompatibilities we decided to keep the new format disabled
by default for all sites created with Check_MK 1.4 and 1.5. This means your
installation will still be affected by this issue by default after updating.
However, once you have updated all your sites to at least 1.4.0p37 in case of
the 1.4.0 branch or at least 1.5.0p7 in case of the 1.5.0 branch you can
change the main configuration option "Notification Spooler insecure messages"
to "off" and activate the new configuration. Once you have done this all
notification spoolers will use the new secure message format.
Please note that the 1.6 notification spoolers will always use the new message
format and not be compatible with the old message format of the 1.5 notification
spoolers anymore. If you plan to use 1.5 and 1.6 together during migration you
will have to ensure that you use the new message format in your 1.5 sites.
CMK-1156
Change-Id: I1815c94c24f0063d42985938dbc977dde597e1bb
---
.werks/6788 | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/.werks/6788 b/.werks/6788
new file mode 100644
index 0000000..acfd538
--- /dev/null
+++ b/.werks/6788
@@ -0,0 +1,36 @@
+Title: Notification spooler: Fixed deserialization of arbitrary input
+Level: 2
+Component: notifications
+Class: security
+Compatible: incomp
+Edition: cee
+State: unknown
+Version: 1.6.0i1
+Date: 1539862587
+
+The notification daemon of one site connects to the notification daemon of
+another site to exchange notifications between both sites.
+
+The messages that are sent between the notification daemons were encoded in an
+insecure format which allowed code injections between the communication
+partners. This means it was possible to inject code from one notification
+spooler to another.
+
+We have now changed the message format to a secure alternative which prevents
+code injections.
+
+To be able to perform this transition without loosing notifications and
+preventing subtile incompatibilities we decided to keep the new format disabled
+by default for all sites created with Check_MK 1.4 and 1.5. This means your
+installation will still be affected by this issue by default after updating.
+
+However, once you have updated all your sites to at least 1.4.0p37 in case of
+the 1.4.0 branch or or at least 1.5.0p7 in case of the 1.5.0 branch you can
+change the main configuration option "Notification Spooler insecure messages"
+to "off" and activate the new configuration. Once you have done this all
+notification spoolers will use the new secure message format.
+
+Please note that the 1.6 notification spoolers will always use the new message
+format and not be compatible to the old message format of the 1.5 notification
+spoolers anymore. If you plan to use 1.5 and 1.6 together during migration you
+will have to ensure that you use the new message format in your 1.5 sites.
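Review bot: the werk text has typos that will ship in the release notes: "loosing" should be "losing", "subtile" should be "subtle", and "or or" is doubled in "the 1.4.0 branch or or at least 1.5.0p7". `State: unknown` on a Level 2 security werk also looks like a leftover. Since the text tells 1.4/1.5 users that the insecure format stays enabled by default after the update, it should also say where the "Notification Spooler insecure messages" option is found in the main configuration so that operators can locate and switch it off.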
Module: check_mk
Branch: master
Commit: ec4a5fd821bea17767d538bf58683e66b7f1fb5a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ec4a5fd821bea1…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Oct 18 14:46:39 2018 +0200
6786 SEC Livestatus proxy: Fixed file path traversal vulnerability
The livestatus proxy connects to the livestatus server of remote sites. One task is to
fetch the inventory data of the remote site and replicate it to the master site to make
client accesses faster.
The livestatus proxy was not validating the incoming data correctly which made it possible
for an attacker that has access to the remote sites to compromise the site the livestatus
proxy daemon is running in.
Using this vulnerability it was possible to write files in directories that are writable
by the liveproxy site user. This could be used to gain access to the liveproxy site.
CMK-1153
Change-Id: Ie4de43fc2f8603ba9f03198384a41291ccee726d
---
.werks/6786 | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/.werks/6786 b/.werks/6786
new file mode 100644
index 0000000..8f0095e
--- /dev/null
+++ b/.werks/6786
@@ -0,0 +1,20 @@
+Title: Livestatus proxy: Fixed file path traversal vulnerability
+Level: 2
+Component: liveproxy
+Class: security
+Compatible: compat
+Edition: cee
+State: unknown
+Version: 1.6.0i1
+Date: 1539844674
+
+The livestatus proxy connects to the livestatus server of remote sites. One task is to
+fetch the inventory data of the remote site and replicate it to the master site to make
+client accesses faster.
+
+The livestatus proxy was not validating the incoming data correctly which made it possible
+for an attacker that has access to the remote sites to compromise the site the livestatus
+proxy daemon is running in.
+
+Using this vulnerability it was possible to write write files in directories that are writable
+by the liveproxy site user. This could be used to gain access to the liveproxy site.
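Review bot: "write write" is doubled in "it was possible to write write files". The body also says the proxy "was not validating the incoming data correctly" without saying what the validation now enforces; one sentence on that (for example that replicated inventory file names are restricted to a single path component below the target directory) helps operators judge the fix. `State: unknown` on a security werk looks like a leftover as well.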
Module: check_mk
Branch: master
Commit: cb1a576289ad7cd96e142b0376a45d6eaaf09a10
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cb1a576289ad7c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Oct 18 09:23:19 2018 +0200
6787 SEC Notification spooler: Fixed file path traversal vulnerability
The notification daemon of one site connects to the notification daemon of another site
to exchange notifications between both sites.
The notification daemon was not validating the incoming data correctly which made it possible
for an attacker that has access to the notification sending site to compromise the receiving
site.
Using this vulnerability it was possible to write files in directories that are writable
by the receiving site user. This could be used to gain access to the site.
CMK-1157
Change-Id: I20cc050a096e3f93827741a9d162c509d575e6fe
---
.werks/6787 | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/.werks/6787 b/.werks/6787
new file mode 100644
index 0000000..52107b8
--- /dev/null
+++ b/.werks/6787
@@ -0,0 +1,19 @@
+Title: Notification spooler: Fixed file path traversal vulnerability
+Level: 2
+Component: notifications
+Class: security
+Compatible: compat
+Edition: cee
+State: unknown
+Version: 1.6.0i1
+Date: 1539847243
+
+The notification daemon of one site connects to the notification daemon of another site
+to exchange notifications between both sites.
+
+The notification daemon was not validating the incoming data correctly which made it possible
+for an attacker that has access to the notification sending site to compromise the receiving
+site.
+
+Using this vulnerability it was possible to write write files in directories that are writable
+by the receiving site user. This could be used to gain access to the site.
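Review bot: same doubled "write write" as in werk 6786. This werk is otherwise near-identical to 6786 and both daemons share the same site-to-site trust relationship, so cross-reference the two werks in the text so operators apply and verify both fixes together.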
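The two path traversal werks above (6786 and 6787) describe remote-supplied data being used to write files in directories writable by the receiving site user. The following is an added example, not the project's own fix, of the kind of containment check that prevents this: the remote side may only choose a single file name, and the resolved path must stay inside the spool directory (the names `safe_spool_path`, `spool_dir` and `remote_name` are assumptions).

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """A remote-supplied file name would escape the intended directory."""


def safe_spool_path(spool_dir, remote_name):
    """Return an absolute path below spool_dir for a file name chosen by a
    remote site, or raise UnsafePathError. Hypothetical check, not the
    project's code: the remote side may pick exactly one path component."""
    if not isinstance(remote_name, str) or not remote_name:
        raise UnsafePathError("empty or non-string file name")
    if os.sep in remote_name or (os.altsep and os.altsep in remote_name):
        raise UnsafePathError("path separator in file name: %r" % remote_name)
    if remote_name in (".", "..") or "\0" in remote_name:
        raise UnsafePathError("invalid file name: %r" % remote_name)
    base = os.path.realpath(spool_dir)
    target = os.path.realpath(os.path.join(base, remote_name))
    # realpath() resolves symlinks, so a link planted inside spool_dir that
    # points outside of it is rejected by the containment check below.
    if os.path.dirname(target) != base:
        raise UnsafePathError("%r resolves outside %r" % (remote_name, base))
    return target


def is_accepted(spool_dir, remote_name):
    """True when remote_name passes safe_spool_path() for spool_dir."""
    try:
        safe_spool_path(spool_dir, remote_name)
        return True
    except UnsafePathError:
        return False


def write_remote_file(spool_dir, remote_name, data):
    """Write data under spool_dir only after the name has been validated."""
    path = safe_spool_path(spool_dir, remote_name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def make_demo_spool_dir():
    """Throwaway directory standing in for a site's spool directory."""
    return tempfile.mkdtemp(prefix="spool-demo-")
```

Names such as `../../.bashrc`, `/etc/passwd` or `a/b` are rejected before any file is opened, while a plain `notify-1.spool` is written below the spool directory.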
Module: check_mk
Branch: master
Commit: c2a0f4ae0727cd6bacb1b6330f461c2c69125625
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c2a0f4ae0727cd…
Author: Sven Panne <sp(a)mathias-kettner.de>
Date: Thu Oct 18 11:59:02 2018 +0200
Replaced deprecated tuple parameters.
This is a Python-2-only feature, which has been deprecated in PEP 3113 since
2007, see https://www.python.org/dev/peps/pep-3113/. Some tools (e.g.
Bandit) don't like this feature anymore at all, so it's a good time to
remove it.
This is a totally mechanical change done by 2to3's tuple_params fix,
followed by a few naming improvements here and there.
Change-Id: Ibd0a6e616be76c99c42a1a1e3405032f88d63d32
---
bin/mkbackup | 6 +++---
checks/j4p_performance | 6 ++++--
checks/jolokia_metrics | 12 ++++++++----
checks/omd_apache | 2 +-
checks/sap | 6 +++---
cmk/gui/backup.py | 4 ++--
cmk/gui/plugins/metrics/utils.py | 2 +-
cmk/gui/userdb.py | 2 +-
cmk/gui/wato/pages/backup.py | 2 +-
cmk/gui/wato/pages/rulesets.py | 2 +-
cmk/gui/watolib.py | 2 +-
doc/helpers/reindent.py | 3 ++-
12 files changed, 28 insertions(+), 21 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c2a0f4ae07…