Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 09c3d357074169464f802e646f63c87c17b8957d
https://github.com/tribe29/checkmk/commit/09c3d357074169464f802e646f63c87c1…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
M cmk/gui/watolib/activate_changes.py
Log Message:
-----------
Fix endless waiting for `omd-config-change`
The central site waits for an omd-config-change job, but the job is never
started when the settings are empty.
Change-Id: I3dabf207c40789bfcd0f6e8ba47b01af3b55b912
Commit: 761035ec3271b3c3f21864be386445a60d5bbcbd
https://github.com/tribe29/checkmk/commit/761035ec3271b3c3f21864be386445a60…
Author: Sven Panne <sven.panne(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
M livestatus/src/DynamicEventConsoleReplicationColumn.cc
M livestatus/src/Store.cc
M livestatus/src/Store.h
Log Message:
-----------
Unify EC communication code a little bit.
Change-Id: I3e902acfedf272ddc1cbb7bea82eb8a2ea692834
Compare: https://github.com/tribe29/checkmk/compare/bdc0dee66e9f...761035ec3271
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: bdc0dee66e9f7a564c422a973c09de6c1edfa0e3
https://github.com/tribe29/checkmk/commit/bdc0dee66e9f7a564c422a973c09de6c1…
Author: Sven Panne <sven.panne(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
A .werks/14686
M livestatus/src/EventConsoleConnection.cc
Log Message:
-----------
14686 FIX Added timeout to event console communication
An unresponsive event console could eat up Livestatus connections and even
cause a deadlock during the shutdown of the monitoring core. Now there is a
timeout of 10s; after that you get a timeout error for the Livestatus
query or action.
Change-Id: Id2f4c1c0e2e146ded29217fc1482110ad1981a20
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: fe16cc87f17926e6d45b0bf159db63eb347bbf94
https://github.com/tribe29/checkmk/commit/fe16cc87f17926e6d45b0bf159db63eb3…
Author: Mathias Laurin <mathias.laurin(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
M cmk/base/agent_based/checking/active.py
M cmk/base/agent_based/checking/commandline.py
M cmk/base/agent_based/discovery/active.py
M cmk/base/agent_based/discovery/commandline.py
M cmk/base/agent_based/error_handling.py
M cmk/base/agent_based/inventory/active.py
M tests/unit/cmk/base/agent_based/test_error_handling.py
Log Message:
-----------
Remove HostConfig dep from error_handling
CMK-10515
Change-Id: Ia0fc6ae1218cf0bebdfed075f7ba314ee44e01ba
Commit: 58604c592dee3c2534466cb25e44c7386dd4bf9c
https://github.com/tribe29/checkmk/commit/58604c592dee3c2534466cb25e44c7386…
Author: Mathias Laurin <mathias.laurin(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
M cmk/base/agent_based/error_handling.py
Log Message:
-----------
Remove base deps from error_handling
CMK-10515
Change-Id: I8c8b17e9c160d24ae46dbdae6b4640298743f311
Commit: 4b46e75007afa45f5f2641057548db455fc8fcc9
https://github.com/tribe29/checkmk/commit/4b46e75007afa45f5f2641057548db455…
Author: Mathias Laurin <mathias.laurin(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
M cmk/base/agent_based/checking/_checking.py
M cmk/base/config.py
M tests/unit/cmk/base/agent_based/checking/test_checking.py
M tests/unit/cmk/base/test_config.py
Log Message:
-----------
Move `get_clustered_service_node_keys()` to its single caller
The function was on ConfigCache but had a single call-site. This
patch moves the function where it's actually needed. This improves
the cohesion of `agent_based`. Also, the `HostKey` type is now
only used in `agent_based`.
CMK-10515
Change-Id: Ie404877d28431d69722d0c27ef7664ac15e77c18
Compare: https://github.com/tribe29/checkmk/compare/b981b97cc86f...4b46e75007af
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: 76cbbba5482442d6bd85844b95075f566fb0efa6
https://github.com/tribe29/checkmk/commit/76cbbba5482442d6bd85844b95075f566…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
A .werks/14919
Log Message:
-----------
14919 SEC Do not log host secret (2)
Unfortunately Werk #14916 was insufficient.
Therefore the vulnerability still exists.
This Werk fixes the problem.
When using the <i>Agent updater</i> the Checkmk server needs a secret in order to allow the agent to download new agents.
For security reasons this secret is unique for each host and generated with the <tt>cmk-update-agent register</tt> command.
Unfortunately the generated host secret was written to the cmk-update-agent.log.
This logfile is not protected and usually world-readable.
With this secret one can download the current agent from the Checkmk server.
Included in that agent package are the plugin configs which can contain other secrets (e.g. database credentials).
Mitigations without updating:
LI: Reregister the agent-updater. Then sanitize the cmk-update-agent.log files.
LI: If you cannot rule out that any unauthorized user read <tt>/var/lib/check_mk_agent/cmk-update-agent.log</tt> or <tt>C:\ProgramData\checkmk\agent\log\cmk-update-agent.log</tt>, you should rotate all secrets that might be or were included in the agent configurations.
Steps needed with the update:
LI: Update your agent.
LI: Reregister the agent-updater.
All versions including 1.5 are subject to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
We calculated a CVSS 3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Change-Id: I0451ef054f04ca77257ca8d46bd1cb1c6d87acfe
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: 95d3f06ae22181d5cf52baf6ad2ec10e0e3fdc41
https://github.com/tribe29/checkmk/commit/95d3f06ae22181d5cf52baf6ad2ec10e0…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-10-31 (Mon, 31 Oct 2022)
Changed paths:
A .werks/14919
Log Message:
-----------
14919 SEC Do not log host secret (2)
Unfortunately Werk #14916 was insufficient.
Therefore the vulnerability still exists.
This Werk fixes the problem.
When using the <i>Agent updater</i> the Checkmk server needs a secret in order to allow the agent to download new agents.
For security reasons this secret is unique for each host and generated with the <tt>cmk-update-agent register</tt> command.
Unfortunately the generated host secret was written to the cmk-update-agent.log.
This logfile is not protected and usually world-readable.
With this secret one can download the current agent from the Checkmk server.
Included in that agent package are the plugin configs which can contain other secrets (e.g. database credentials).
Mitigations without updating:
LI: Reregister the agent-updater. Then sanitize the cmk-update-agent.log files.
LI: If you cannot rule out that any unauthorized user read <tt>/var/lib/check_mk_agent/cmk-update-agent.log</tt> or <tt>C:\ProgramData\checkmk\agent\log\cmk-update-agent.log</tt>, you should rotate all secrets that might be or were included in the agent configurations.
Steps needed with the update:
LI: Update your agent.
LI: Reregister the agent-updater.
All versions including 1.5 are subject to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
We calculated a CVSS 3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Change-Id: I0451ef054f04ca77257ca8d46bd1cb1c6d87acfe
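
A permission check for the log file named in Werk 14919, as an added example that is not part of the commit or of Checkmk: it lists cmk-update-agent.log files that any local user can read and restricts them to their owner. The function names and the rotated-file naming (`.log.1` and similar) are assumptions; the default directory is the Linux path given in the Werk.

```shell
#!/bin/sh
# Added example, not Checkmk code: find cmk-update-agent.log files that any
# local user can read, and restrict them to their owner.

# List cmk-update-agent.log* files in directory $1 that are world-readable.
# The trailing * also covers rotated copies (assumed naming such as .log.1).
# A missing directory yields no output and no error.
find_exposed_logs() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name 'cmk-update-agent.log*' -perm -004
}

# Remove group/other access from every exposed file in $1 and print each
# path that was changed, so the output doubles as a record of what was open.
lock_down_logs() {
    find_exposed_logs "$1" | while IFS= read -r f; do
        chmod go-rwx "$f" && printf 'restricted: %s\n' "$f"
    done
}

# Linux path from the Werk; pass another directory as the first argument.
lock_down_logs "${1:-/var/lib/check_mk_agent}"
```

A file reported here was readable by every local account, which is the situation the Werk's second mitigation item addresses.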