Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 255cb0374e9c71d4d3adf1b2e723f7f0b48db118
https://github.com/tribe29/checkmk/commit/255cb0374e9c71d4d3adf1b2e723f7f0b…
Author: Frans Fürst <frans.fuerst(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/13262
M cmk/base/plugins/agent_based/ipmi.py
Log Message:
-----------
13262 FIX Missing failure indicator in IPMI status messages
The IPMI sensor check would result in an OK state when confronted with a status
message like this:
"ok (Presence detected, Predictive failure, Power Supply AC lost)"
This change adds more substrings indicating an error and renders a service with
the above string CRIT.
Change-Id: I495d270762a74b088e8d3cfeda11dc7e851664e1
Commit: d5cf768d276e694b61d1b0b8144b2627cb8d038d
https://github.com/tribe29/checkmk/commit/d5cf768d276e694b61d1b0b8144b2627c…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
M cmk/cmkpasswd.py
M tests/unit/conftest.py
Log Message:
-----------
cmk-passwd: -V for version
for consistency with 2.1
Change-Id: I0533d42102505afc33df1cd7835801c3e3d435b3
Compare: https://github.com/tribe29/checkmk/compare/45ccd1b67b2b...d5cf768d276e
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: e0f54aa0055b3c34eee5c814ab22f43ba756434b
https://github.com/tribe29/checkmk/commit/e0f54aa0055b3c34eee5c814ab22f43ba…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
M tests/unit/cmk/gui/test_userdb.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
Log Message:
-----------
Remove unnecessary fixtures
The fixture is already auto-applied in conftest
Change-Id: I6adb4bbcd9e43d59420038ac1f44bc26097a7deb
Commit: 5003fec0359488b6ff794d9acddef3f449749303
https://github.com/tribe29/checkmk/commit/5003fec0359488b6ff794d9acddef3f44…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/14390
M cmk/gui/plugins/userdb/htpasswd.py
M cmk/utils/crypto/password_hashing.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
14390 Automatically update deprecated password hashes
Deprecated hashes of user passwords stored in the htpasswd file will now
be automatically updated to a more modern hash format when the
respective user logs in. Specifically, password hashes created with the
sha256-crypt algorithm will be updated to bcrypt hashes.
sha256-crypt hashes are still considered secure for password hashing.
However, we want to migrate all users' password hashes to the more
modern bcrypt algorithm. For users whose passwords are hashed with
sha256-crypt we can do so automatically in the background when they
authenticate successfully.
Older and less secure password hashes, such as MD5, are not updated
automatically.
CMK-11528
Change-Id: I53f65fc539a10bef38aba0a677fbfc8c3b07420e
Commit: 5cce0ef57881a5df091a31b2eaf025428df3f3d4
https://github.com/tribe29/checkmk/commit/5cce0ef57881a5df091a31b2eaf025428…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/14391
M cmk/update_config.py
M cmk/utils/crypto/password_hashing.py
M tests/unit/cmk/test_update_config.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
14391 SEC Require password change for old password hashes
Local users whose passwords are hashed with insecure hash functions in
the htpasswd file will be required to change their passwords on their
next login.
Users that authenticate via other mechanisms, such as LDAP, are not
affected by this.
Starting from version 2.2, Checkmk will no longer support validating
password hashes of deprecated and insecure hash algorithms. In order to
avoid situations where users are unable to log in (and require manually
resetting their password by an administrator), users whose passwords are
currently hashed with any of the affected hash algorithms will be
required to set a new password.
A warning message including all affected usernames will be displayed to
the administrator running the `omd update` command. You can use this
list to contact these users and selectively inform them that they will
be required to change their password during their next UI login. In case
they do not change their password before Checkmk is upgraded to version
2.2, these users will not be able to log in anymore after the upgrade
and an administrator will have to reset the password.
The following hash algorithms that are currently still supported are
affected: des-crypt, MD5-crypt, Apr MD5-crypt. Passwords hashed with
sha256-crypt will not require resetting the password but will be updated
automatically on the user's next login (see Werk #14390).
New passwords will be hashed with bcrypt.
Should you wish to manually change a user's password via the CLI, please
be aware of the newly introduced `cmk-passwd` utility (see Werk #14389).
Even though this Werk is related to security, it does not fix any
exploitable issue. Hence, we assign a CVSS score of 0 (None)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
CMK-11529, CMK-11530
Change-Id: Ic14a9ffb5bb91cfbb3ac27ae62efdcd4a7db9b81
Compare: https://github.com/tribe29/checkmk/compare/e53f2e9f3e66...5cce0ef57881
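The per-algorithm policy stated in Werks #14390 and #14391 above, as an added audit sketch (not Checkmk's own code): it classifies each htpasswd entry by its crypt-format prefix and reports the action the Werks describe for that scheme. The sample file is constructed, and treating a leading `!` as a locked-account marker is an assumption.

```python
import re

# Action per hash scheme, as stated in Werks #14390 / #14391.
ACTIONS = {
    "bcrypt": "ok",
    "sha256-crypt": "auto-upgrade on next login",
    "md5-crypt": "password change required",
    "apr-md5-crypt": "password change required",
    "des-crypt": "password change required",
    "unknown": "review manually",
}
# Modular-crypt-format prefixes identifying each scheme.
_PREFIXES = (
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"), ("$apr1$", "apr-md5-crypt"), ("$1$", "md5-crypt"),
)
# Traditional des-crypt has no prefix: 2 salt + 11 digest characters.
_DES = re.compile(r"[./0-9A-Za-z]{13}")

def scheme_of(hash_field):
    h = hash_field.lstrip("!")  # assumption: leading "!" marks a locked account
    for prefix, name in _PREFIXES:
        if h.startswith(prefix):
            return name
    return "des-crypt" if _DES.fullmatch(h) else "unknown"

def audit(htpasswd_text):
    """Map each user to (scheme, action) for 'user:hash' lines."""
    result = {}
    for line in htpasswd_text.splitlines():
        user, sep, hash_field = line.strip().partition(":")
        if user and sep:
            scheme = scheme_of(hash_field)
            result[user] = (scheme, ACTIONS[scheme])
    return result

def must_change(htpasswd_text):
    """Users an administrator should contact before the 2.2 upgrade."""
    return sorted(u for u, (_, action) in audit(htpasswd_text).items()
                  if action == "password change required")

# Constructed sample; the digests are placeholders, not real hashes.
SAMPLE = """\
alice:$2y$12$ConstructedSaltNotRealConstructedDigestNotRealValue0000000
bob:$5$rounds=535000$constructedsalt$ConstructedDigestNotReal
carol:$1$saltsalt$ConstructedDigestNotReal
dave:$apr1$saltsalt$ConstructedDigestNotReal
erin:ab0123456789A
frank:!$1$saltsalt$ConstructedDigestNotReal
"""

if __name__ == "__main__":
    for user, (scheme, action) in audit(SAMPLE).items():
        print(f"{user:6} {scheme:14} {action}")
```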
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: 74c4b03be93dee3fb12dc4043a0efe238bc0abc9
https://github.com/tribe29/checkmk/commit/74c4b03be93dee3fb12dc4043a0efe238…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/14300
M omd/packages/appliance/webconf_snapin.py
Log Message:
-----------
14300 Make appliance snapin compatible with Checkmk Appliance firmware 1.6+
When Checkmk is used on the Checkmk Appliance 1.6 or newer, it is necessary
to update the appliance sidebar snapin.
Previous Checkmk versions displayed the error message 'Failed to render navigation:
Traceback (most recent call last): File: "[stdin]", line 2, in <module>
IOError: [Errno 2] No such file or directory' in the sidebar snapin.
Background: The Checkmk Appliance firmware 1.6 migrates the internal software
stack to Python 3.7 which makes it incompatible with the previous snapin. This
change makes it possible to use Checkmk on older and newer appliance firmware.
Change-Id: Iee4b423091b387e914547523d6fad496710e4b5d
Commit: ac941c5a324877d6bfa08bd8e941fa6e1a92d625
https://github.com/tribe29/checkmk/commit/ac941c5a324877d6bfa08bd8e941fa6e1…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
M .werks/14458
Log Message:
-----------
Synchronize Werks
Change-Id: I7e9eb6c2593ef2f5e782e93a8a01228161d9c739
Commit: e53f2e9f3e66b78ad8a0f8010a7c8b162ee828d1
https://github.com/tribe29/checkmk/commit/e53f2e9f3e66b78ad8a0f8010a7c8b162…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
M .werks/14087
Log Message:
-----------
Synchronize Werks
Change-Id: Idc62ad6dd5c03109e95e5c2401d27cab66dfa78d
Compare: https://github.com/tribe29/checkmk/compare/a0b63e0dc125...e53f2e9f3e66
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: d790f8c94f5c6cbcf1c67cbc3ea485e959950e77
https://github.com/tribe29/checkmk/commit/d790f8c94f5c6cbcf1c67cbc3ea485e95…
Author: Sebastian Kirchmeyer <sebastian.kirchmeyer(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
M .werks/13508
Log Message:
-----------
corrected path to cached_profile.mk
Change-Id: I03dc391b6b00a6bb021e7de2242fb35dbbec0012
Commit: f7542ef88a2c2f125b78b04ff9d7c3117453f0c7
https://github.com/tribe29/checkmk/commit/f7542ef88a2c2f125b78b04ff9d7c3117…
Author: Frans Fürst <frans.fuerst(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/13262
M cmk/base/plugins/agent_based/ipmi.py
Log Message:
-----------
13262 FIX Missing failure indicator in IPMI status messages
The IPMI sensor check would result in an OK state when confronted with a status
message like this:
"ok (Presence detected, Predictive failure, Power Supply AC lost)"
This change adds more substrings indicating an error and renders a service with
the above string CRIT.
Change-Id: I495d270762a74b088e8d3cfeda11dc7e851664e1
Compare: https://github.com/tribe29/checkmk/compare/8142dc5c8fe8...f7542ef88a2c