Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 2e8cf315be262df7a749c55f205ff21f895a84db
https://github.com/tribe29/checkmk/commit/2e8cf315be262df7a749c55f205ff21f8…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
A .werks/14384
M livestatus/api/python/livestatus.py
M tests/unit/livestatus/test_livestatus_unit.py
Log Message:
-----------
14384 SEC Fix command injection in livestatus query headers
Prior to this Werk it was possible to inject livestatus commands in
Checkmk's livestatus wrapper and Python API. Attackers could add
additional commands in the AuthUser query header using newline
characters. This allowed running arbitrary livestatus commands,
including external commands to the core.
The issue could only be exploited by attackers from localhost, where the
tampered header could be injected in a request to graph data.
We thank Stefan Schiller (SonarSource) for reporting this issue.
<b>Affected Versions</b>: All currently supported versions are affected:
1.6, 2.0, and 2.1.
<b>Mitigations</b>: Immediate mitigations are not available.
<b>Indicators of Compromise</b>: Review the logs of Nagios / CMC for
suspicious commands.
<b>Vulnerability Management</b>: We have rated the issue with a CVSS
Score of 6.8 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L</tt>. A CVE has been
requested.
<b>Changes</b>: This Werk adds sanitization for the AuthUser header
field.
CMK-11203
Change-Id: Ie34b324ab57e84df03fd0ecbf54d22804d101723
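The Werk above describes the defect as unsanitized newline characters in the AuthUser header of a newline-delimited Livestatus query. The following is an added illustration of that class of check, written for this page; it is not Checkmk's livestatus.py or the code of the commit. The function names, the control-character rule and the sample values are assumptions made here.

```python
import re
from typing import Iterable, Optional

# Livestatus requests are newline-delimited text: the first line names the
# request ("GET hosts") and each further line is a header ("AuthUser: alice").
# The protocol has no escaping, so a header value that itself contains a
# newline ends the header early and whatever follows is read as a further
# header or request line. The rule used in this example (an assumption, not
# Checkmk's): a header value may not contain any control character, CR and
# LF included, and the query is refused before it is serialised.

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """True if value contains no control characters (newlines included)."""
    return _CONTROL_CHARS.search(value) is None


def build_query(
    table: str,
    columns: Optional[Iterable[str]] = None,
    auth_user: Optional[str] = None,
) -> str:
    """Serialise a GET request, refusing any value that could break the line structure."""
    column_list = list(columns) if columns else []
    # Table and column names are single tokens: no control characters, no spaces.
    for kind, value in [("table", table)] + [("column", c) for c in column_list]:
        if not is_safe_header_value(value) or " " in value:
            raise ValueError(f"unsafe {kind} name {value!r}")
    lines = [f"GET {table}"]
    if column_list:
        lines.append("Columns: " + " ".join(column_list))
    if auth_user is not None:
        # The AuthUser value is user-controlled input; it must stay on one line.
        if not is_safe_header_value(auth_user):
            raise ValueError(f"unsafe AuthUser value {auth_user!r}")
        lines.append(f"AuthUser: {auth_user}")
    return "\n".join(lines) + "\n"


def header_value_rejected(auth_user: str) -> bool:
    """Return True if build_query refuses auth_user; used to exercise the check."""
    try:
        build_query("hosts", ["name"], auth_user=auth_user)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not data from any real installation.
    print(build_query("hosts", ["name", "state"], auth_user="alice"), end="")
    for candidate in ("alice", "alice\nextra", "alice\r\nextra", "al\x00ice"):
        verdict = "rejected" if header_value_rejected(candidate) else "accepted"
        print(f"{candidate!r}: {verdict}")
```

Rejecting the whole request, rather than stripping the offending characters, is the safer choice here: a stripped value silently maps several distinct inputs onto one user name, while a refusal leaves a log entry that the Indicators of Compromise section above suggests reviewing.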
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: 913fadf303119077982ea53183a345add5dec3d1
https://github.com/tribe29/checkmk/commit/913fadf303119077982ea53183a345add…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
A .werks/14384
M livestatus/api/python/livestatus.py
M tests/unit/livestatus/test_livestatus_unit.py
Log Message:
-----------
14384 SEC Fix command injection in livestatus query headers
Prior to this Werk it was possible to inject livestatus commands in
Checkmk's livestatus wrapper and Python API. Attackers could add
additional commands in the AuthUser query header using newline
characters. This allowed running arbitrary livestatus commands,
including external commands to the core.
The issue could only be exploited by attackers from localhost, where the
tampered header could be injected in a request to graph data.
We thank Stefan Schiller (SonarSource) for reporting this issue.
<b>Affected Versions</b>: All currently supported versions are affected:
1.6, 2.0, and 2.1.
<b>Mitigations</b>: Immediate mitigations are not available.
<b>Indicators of Compromise</b>: Review the logs of Nagios / CMC for
suspicious commands.
<b>Vulnerability Management</b>: We have rated the issue with a CVSS
Score of 6.8 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L</tt>. A CVE has been
requested.
<b>Changes</b>: This Werk adds sanitization for the AuthUser header
field.
CMK-11203
Change-Id: Ie34b324ab57e84df03fd0ecbf54d22804d101723
Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: c677648a7765572098d5e4a9d7f881728d11eeca
https://github.com/tribe29/checkmk/commit/c677648a7765572098d5e4a9d7f881728…
Author: Lisa Pichler <lisa.pichler(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
A .werks/14500
A agents/cfg_examples/lnx_container_host_if.cfg
A agents/plugins/lnx_container_host_if.linux
M cmk/base/plugins/agent_based/lnx_if.py
A cmk/base/plugins/agent_based/section_lnx_container_host_if.py
A cmk/base/plugins/agent_based/utils/lnx_if.py
A tests/unit/cmk/base/plugins/agent_based/test_section_lnx_container_host_if.py
Log Message:
-----------
14500 lnx_container_host_if: new agent and section plugin for network interfaces
CMK-10146
Change-Id: Ib29d859a727d4b8f7737cbf7054198a7ff7c592f
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 93d6042a4205f348e1a36a0c37ef3f91d5bfead9
https://github.com/tribe29/checkmk/commit/93d6042a4205f348e1a36a0c37ef3f91d…
Author: Konstantin Baikov <konstantin.baikov(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
M cmk/ec/main.py
Log Message:
-----------
Simplify some code in EC main
Fixes complaints from the flake8-simplify plugin
Change-Id: If3699b1df6f0a2dd7cb072d7edd401ccea67983a
Commit: ae53511eaaf76449fb24c2ab02e050e16fc6069d
https://github.com/tribe29/checkmk/commit/ae53511eaaf76449fb24c2ab02e050e16…
Author: Konstantin Baikov <konstantin.baikov(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
M cmk/ec/main.py
Log Message:
-----------
Remove percent formatting in EC main
- normal strings become f-strings
- in logging methods percent is not needed
as the params should be *args for optimization
Change-Id: I18f74cb6c8b3c3da79f0f197b06f2ed5578b7e02
Compare: https://github.com/tribe29/checkmk/compare/eda65714563b...ae53511eaaf7
Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: 0562e9712b85da7375ad8bbbed58d797e7236e20
https://github.com/tribe29/checkmk/commit/0562e9712b85da7375ad8bbbed58d797e…
Author: Alex Zurhake <alex.zurhake(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
M buildscripts/scripts/build-cmk-version.jenkins
M buildscripts/scripts/lib/upload_artifacts.groovy
Log Message:
-----------
Fix missing HASHES file
Every time something is uploaded, a HASHES file is created to make sure it cannot be forgotten.
Change-Id: Ifdf45ff10afbd0e34c03781b53a9d1f8956da351
Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 774c973682123ff4a8bac4868022d90cf745f2d0
https://github.com/tribe29/checkmk/commit/774c973682123ff4a8bac4868022d90cf…
Author: Alex Zurhake <alex.zurhake(a)tribe29.com>
Date: 2022-09-01 (Thu, 01 Sep 2022)
Changed paths:
M buildscripts/scripts/build-cmk-version.jenkins
M buildscripts/scripts/lib/upload_artifacts.groovy
Log Message:
-----------
Fix missing HASHES file
Every time something is uploaded, a HASHES file is created to make sure it cannot be forgotten.
Change-Id: Ifdf45ff10afbd0e34c03781b53a9d1f8956da351