Branch: refs/heads/1.6.0
Home: https://github.com/tribe29/checkmk
Commit: b8d7b671786cb3261d3721aae39e77e69debd1a5
https://github.com/tribe29/checkmk/commit/b8d7b671786cb3261d3721aae39e77e69…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13716
M cmk/gui/valuespec.py
Log Message:
-----------
Pick 13719 Persistent XSS in Notification configuration
This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).
The <i>Alias</i> of a site was not properly escaped when shown as a condition for notifications.
To mitigate this vulnerability ensure that only trustworthy users have the
<i>Notification configuration</i> and <i>Site management</i> rights. These are
<i>admin</i> rights by default.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check
<tt>etc/check_mk/multisite.d/sites.mk</tt> and <tt>etc/check_mk/conf.d/wato/notifications.mk</tt> for HTML code. Please be
aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Iec421c8c7ef7d0d303d00ed96724da9f6636ef20
Commit: 8c35508f26ab3033a7a511295cef4b319af48923
https://github.com/tribe29/checkmk/commit/8c35508f26ab3033a7a511295cef4b319…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13717
M cmk/gui/wato/pages/rulesets.py
Log Message:
-----------
13717 SEC Persistent XSS in Predefined Conditions
This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).
The title of a <i>Predefined condition</i> is not properly escaped when shown
as a condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check
<tt>etc/check_mk/conf.d/wato/predefined_conditions.mk</tt> for HTML code.
Please be aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Id48483af0639af06ea901e9916877b752da80b70
Compare: https://github.com/tribe29/checkmk/compare/06cfb01a1327...8c35508f26ab
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: e2b1704f1ca490955d6054048ce0a3a57c482a7d
https://github.com/tribe29/checkmk/commit/e2b1704f1ca490955d6054048ce0a3a57…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/base/core_config.py
M cmk/gui/watolib/password_store.py
M cmk/utils/password_store.py
M tests/unit/checks/test_agent_mqtt.py
M tests/unit/cmk/base/test_core_config.py
M tests/unit/cmk/gui/watolib/test_watolib_password_store.py
M tests/unit/cmk/special_agents/test_agent_mqtt.py
Log Message:
-----------
Remove passwords from passwords.mk
The Password data structure we save in passwords.mk now holds the meta
data attributes related to a password store entry. To be consistent with
our Password type we leave the 'password' attribute with an empty string
value in the passwords.mk.
The actual passwords are stored exclusively in the stored_passwords
file.
With this change the stored_passwords file is directly updated when
saving a password change in Setup instead of during the core
configuration creation. To get back the previous behaviour we'll change
the base and core code to read the passwords from a separate file which
gets only updated during the core configuration creation in the next
step.
Change-Id: I9a27f76a31cde56955892daf7a189cec2ce6791c
Commit: be42f5204bf29c7e61d62c45efc935f8abbecf28
https://github.com/tribe29/checkmk/commit/be42f5204bf29c7e61d62c45efc935f8a…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/utils/password_store.py
Log Message:
-----------
Extend module doc string
Change-Id: Ib0ff174aedee29f53daa8194b0c4f6a230af4650
Commit: dae2a8af6e7cb3175f48727b2882fb0cb78ca28d
https://github.com/tribe29/checkmk/commit/dae2a8af6e7cb3175f48727b2882fb0cb…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/base/core_config.py
M cmk/utils/password_store.py
M tests/unit/cmk/special_agents/test_agent_mqtt.py
M tests/unit/cmk/utils/test_password_store.py
Log Message:
-----------
Core helpers are now using helper password store copy
As before, the password store which is used by plugins during
monitoring is now created during "activate changes".
Change-Id: Icd04daa4643fee263a7a17d7b0c2a312fe2a97e1
Commit: 672a34a5461a1366810b585e20acbbd83bfd3471
https://github.com/tribe29/checkmk/commit/672a34a5461a1366810b585e20acbbd83…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/gui/valuespec.py
M cmk/utils/encryption.py
M tests/unit/cmk/gui/test_valuespec.py
A tests/unit/cmk/utils/test_encryption.py
Log Message:
-----------
Generalize valuespec password encrypter
The same logic will be used by the password store in the
next step.
Change-Id: Ieea5ee4b7461ad20e969118f64c60f5576eca134
Compare: https://github.com/tribe29/checkmk/compare/1a09be20ec7d...672a34a5461a
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: 40a1563de60f452bccce24cf3b7b5c939dcb2b99
https://github.com/tribe29/checkmk/commit/40a1563de60f452bccce24cf3b7b5c939…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13199
M cmk/gui/htmllib.py
M tests/unit/cmk/gui/test_htmllib_html_cls.py
Log Message:
-----------
13199 SEC Persistent XSS in Custom User Attributes
This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).
While creating or editing a <i>user attribute</i>, the <i>Help Text</i> is
subject to HTML injection, which can be triggered by editing a user.
To mitigate this vulnerability ensure that only trustworthy users have the
<i>User management</i> and <i>Manage custom attributes</i> rights.
Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions
including 2.0.0p19 are.
If you have custom HTML code in the <i>Help Text</i> this will no longer be
rendered as HTML, but will be escaped.
To detect if this vulnerability is/was used you can check
<tt>etc/check_mk/multisite.d/wato/custom_attrs.mk</tt> for HTML code. Please be
aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Ia8e37d61a8a286a24ae8e73d166185a8c46cec9d
Commit: 03152e756198c4663d1f9880ba86c015712d9f18
https://github.com/tribe29/checkmk/commit/03152e756198c4663d1f9880ba86c0157…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13716
M cmk/gui/valuespec.py
Log Message:
-----------
13716 SEC Persistent XSS in Notification configuration
This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).
The <i>Alias</i> of a site was not properly escaped when shown as a condition for notifications.
To mitigate this vulnerability ensure that only trustworthy users have the
<i>Notification configuration</i> and <i>Site management</i> rights. These are
<i>admin</i> rights by default.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check
<tt>etc/check_mk/multisite.d/sites.mk</tt> and <tt>etc/check_mk/conf.d/wato/notifications.mk</tt> for HTML code. Please be
aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Iba5414babde5b8f7f6b42149ba3bcecb423d42dd
Commit: 2a81ef35050e66bfea4ed2c9084b6e4bb360e868
https://github.com/tribe29/checkmk/commit/2a81ef35050e66bfea4ed2c9084b6e4bb…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13717
M cmk/gui/wato/pages/rulesets.py
Log Message:
-----------
13717 SEC Persistent XSS in Predefined Conditions
This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).
The title of a <i>Predefined condition</i> is not properly escaped when shown
as a condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check
<tt>etc/check_mk/conf.d/wato/predefined_conditions.mk</tt> for HTML code.
Please be aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Id48483af0639af06ea901e9916877b752da80b70
Compare: https://github.com/tribe29/checkmk/compare/357c808d6e54...2a81ef35050e
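Werks 13199, 13716 and 13717 above all give the same detection advice: look through the named .mk files (sites.mk, notifications.mk, predefined_conditions.mk, custom_attrs.mk) for HTML code. The script below is an added example of how a site operator could automate that triage; it is not Checkmk project code. It assumes only that the .mk files are Python-syntax assignments (so string literals can be pulled out with the standard `tokenize` module instead of a regex over raw text) and that tag-like markup, inline `on*=` handlers and `javascript:` URLs are the patterns worth flagging. The two sample file contents are constructed for the example. Because the werks note that an attacker could delete the code after an attack, an empty result is not proof that the vulnerability was never used.

```python
"""Triage helper: flag HTML-looking string literals in Checkmk-style .mk files.

Added example, not part of the Checkmk code base. Assumptions: the .mk files
are Python-syntax assignments; suspicious content is any HTML tag, inline
event-handler attribute or javascript: URL inside a string literal.
"""
import ast
import io
import os
import re
import sys
import tokenize

# Files named in werks 13199/13716/13717, relative to the site home (OMD_ROOT).
DEFAULT_PATHS = [
    "etc/check_mk/multisite.d/sites.mk",
    "etc/check_mk/conf.d/wato/notifications.mk",
    "etc/check_mk/conf.d/wato/predefined_conditions.mk",
    "etc/check_mk/multisite.d/wato/custom_attrs.mk",
]

# Heuristic markers. This is a triage filter: it surfaces candidates for a
# human to review and will also flag legitimate markup such as <b>.
HTML_MARKERS = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>"   # any opening or closing tag
    r"|\bon[a-zA-Z]+\s*="        # inline event handler attribute
    r"|javascript\s*:",          # javascript: URL scheme
    re.IGNORECASE,
)


def iter_string_literals(source: str):
    """Yield (line_no, value) for every plain string literal in the source.

    Keys, aliases, titles and help texts in .mk files are all string literals,
    so tokenizing is enough; no need to exec the file to inspect it.
    """
    readline = io.StringIO(source).readline
    try:
        for tok in tokenize.generate_tokens(readline):
            if tok.type != tokenize.STRING:
                continue
            try:
                value = ast.literal_eval(tok.string)
            except (ValueError, SyntaxError):
                continue  # unusual prefixes: skip rather than guess
            if isinstance(value, str):
                yield tok.start[0], value
    except tokenize.TokenError:
        return  # truncated or malformed file: report what was parsed so far


def find_html_in_mk(source: str, filename: str = "<mk>"):
    """Return [(filename, line_no, literal), ...] for literals matching HTML_MARKERS."""
    return [
        (filename, line_no, value)
        for line_no, value in iter_string_literals(source)
        if HTML_MARKERS.search(value)
    ]


def scan_files(paths):
    """Scan each existing path; missing files are skipped, not treated as clean."""
    hits = []
    for path in paths:
        if not os.path.isfile(path):
            print(f"skipping missing file: {path}", file=sys.stderr)
            continue
        with open(path, encoding="utf-8") as fh:
            hits.extend(find_html_in_mk(fh.read(), path))
    return hits


# Constructed sample content, loosely modelled on the shape of the real files.
SAMPLE_SITES_MK = '''\
# constructed sample, not a real sites.mk
sites = {
    'heute': {
        'alias': 'Local site heute',
        'url_prefix': '/heute/',
    },
    'lab': {
        'alias': 'Lab <span onclick="void(0)">site</span>',
        'url_prefix': '/lab/',
    },
}
'''

SAMPLE_CONDITIONS_MK = '''\
predefined_conditions = {
    'prod': {'title': 'Production hosts', 'comment': ''},
    'dmz': {'title': 'DMZ <b>hosts</b>', 'comment': ''},
}
'''

if __name__ == "__main__":
    # Usage: run inside the site home, optionally passing other .mk paths.
    for filename, line_no, literal in scan_files(sys.argv[1:] or DEFAULT_PATHS):
        print(f"{filename}:{line_no}: {literal!r}")
```

Run from the site home as the site user; each hit prints the file, the line and the offending literal so it can be checked against what the configuration is supposed to contain.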
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: b11bc1b32e045671ae405dbe65dd85da5ed17efb
https://github.com/tribe29/checkmk/commit/b11bc1b32e045671ae405dbe65dd85da5…
Author: Moritz Kiemer <moritz.kiemer(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M agents/cfg_examples/systemd/check-mk-agent-async.service
M agents/cfg_examples/systemd/check-mk-agent@.service
Log Message:
-----------
assimilate systemd units
Change-Id: Icc0dea1c2e4aad66abb89503e672ec736d6668e4
Commit: c6d6d8f65c3a6748f1c58fc53d1f99716284558f
https://github.com/tribe29/checkmk/commit/c6d6d8f65c3a6748f1c58fc53d1f99716…
Author: Lisa Pichler <lisa.pichler(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M tests/unit/cmk/base/plugins/agent_based/test_kube_pod_status.py
Log Message:
-----------
kube_pod_status: unit test: validate check results
* validate check result status
* validate full service summary
Change-Id: I1adbe2c812db538de32ca8d6803e2936a359ea7c
Commit: a0be6a5224166448a28ab28cb570101fa4abbe66
https://github.com/tribe29/checkmk/commit/a0be6a5224166448a28ab28cb570101fa…
Author: Lisa Pichler <lisa.pichler(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/base/plugins/agent_based/kube_pod_status.py
Log Message:
-----------
kube_pod_status: rework container iteration
* Iterate over empty list when corresponding sections are None
* Only iterate over containers that are not running or have not
terminated successfully to determine alternative pod status message
Change-Id: I5dcb0d36b32752ac2287b0841803b857cb3b409d
Commit: 4fcf102d06854b64cc8847fb71b5a0573756e1d8
https://github.com/tribe29/checkmk/commit/4fcf102d06854b64cc8847fb71b5a0573…
Author: Lisa Pichler <lisa.pichler(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/base/plugins/agent_based/kube_pod_status.py
M tests/unit/cmk/base/plugins/agent_based/test_kube_pod_status.py
Log Message:
-----------
kube pod status: add error reason to service details
Change-Id: I430ae51b3f35358798116e006357f65e4c858d6d
Compare: https://github.com/tribe29/checkmk/compare/1af4cf17bb13...4fcf102d0685
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 7cf2fe8f5f38c93bd599868f711c7a78a3dd5e74
https://github.com/tribe29/checkmk/commit/7cf2fe8f5f38c93bd599868f711c7a78a…
Author: Ronny Bruska <ronny.bruska(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/gui/plugins/wato/notifications.py
A cmk/notification_plugins/sms_ip.py
M cmk/notification_plugins/utils.py
A notifications/sms_ip
M tests/unit/cmk/gui/test_gui_config.py
M tests/unit/cmk/gui/wato/test_notification_parameters.py
Log Message:
-----------
First step to new notification plugin for sms
Change-Id: Ia01af949dc5c29857f146045df561dd0f94b15a3
Commit: 1af4cf17bb1323b18f0548b987fce167ef86f3c3
https://github.com/tribe29/checkmk/commit/1af4cf17bb1323b18f0548b987fce167e…
Author: Ronny Bruska <ronny.bruska(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
M cmk/notification_plugins/sms_ip.py
M notifications/sms
Log Message:
-----------
Make old sms notification script use utils, fix request post command
CMA-109
Change-Id: Id3ac9f4181e8387fc4c46fb1b54ca6087e56a910
Compare: https://github.com/tribe29/checkmk/compare/01385fd28e60...1af4cf17bb13