Branch: refs/heads/master
Home:
https://github.com/tribe29/checkmk
Commit: de6abeb2ba93533988243302444f1cc7b56f8f4e
https://github.com/tribe29/checkmk/commit/de6abeb2ba93533988243302444f1cc7b…
Author: m3rlinux <m3rlinux.it(a)gmail.com>
Date: 2022-11-08 (Tue, 08 Nov 2022)
Changed paths:
A .werks/14818
M checks/ceph_status
Log Message:
-----------
14818 FIX Ceph OSDs checkplugin now uses the warning threshold
The Ceph OSDs check plugin ignored the warning thresholds for OSDs out and OSDs down.
This has been fixed now.
Change-Id: Id025ab27f56dfdb1d74314c04cfdce829812bf56
closes: #543
Commit: 97a88546da58d523492ceecc5d9270d5e1b311fe
https://github.com/tribe29/checkmk/commit/97a88546da58d523492ceecc5d9270d5e…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-08 (Tue, 08 Nov 2022)
Changed paths:
M tests/unit/cmk/gui/test_userdb.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
Log Message:
-----------
Remove unnecessary fixtures
The fixture is already auto-applied in conftest
Change-Id: I6adb4bbcd9e43d59420038ac1f44bc26097a7deb
Commit: 61547565a20dbc351e27b646935ff81c7742b6f5
https://github.com/tribe29/checkmk/commit/61547565a20dbc351e27b646935ff81c7…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-08 (Tue, 08 Nov 2022)
Changed paths:
A .werks/14390
M cmk/gui/userdb/htpasswd.py
M cmk/utils/crypto/password_hashing.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
14390 Automatically update deprecated password hashes
Deprecated hashes of user passwords stored in the htpasswd file will now
be automatically updated to a more modern hash format when the
respective user logs in. Specifically, password hashes created with the
sha256-crypt algorithm will be updated to bcrypt hashes.
sha256-crypt hashes are still considered secure for password hashing.
However, we want to migrate all users' password hashes to the more
modern bcrypt algorithm. For users whose passwords are hashed with
sha256-crypt we can do so automatically in the background when they
authenticate successfully.
Older and less secure password hashes, such as MD5, are not updated
automatically.
CMK-11528
Change-Id: I53f65fc539a10bef38aba0a677fbfc8c3b07420e
Commit: fcf6b3f055315be5d6c53ed099b44cc94e553042
https://github.com/tribe29/checkmk/commit/fcf6b3f055315be5d6c53ed099b44cc94…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-08 (Tue, 08 Nov 2022)
Changed paths:
A .werks/14391
M cmk/utils/crypto/password_hashing.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
14391 SEC Require password change for old password hashes
Local users whose passwords are hashed with insecure hash functions in
the htpasswd file will be required to change their passwords on their
next login.
Users that authenticate via other mechanisms, such as LDAP, are not
affected by this.
Starting from version 2.2, Checkmk will no longer support validating
password hashes of deprecated and insecure hash algorithms. In order to
avoid situations where users are unable to log in (and require manually
resetting their password by an administrator), users whose passwords are
currently hashed with any of the affected hash algorithms will be
required to set a new password.
A warning message including all affected usernames will be displayed to
the administrator running the `omd update` command. You can use this
list to contact these users and selectively inform them that they will
be required to change their password during their next UI login. In case
they do not change their password before Checkmk is upgraded to version
2.2, these users will not be able to log in anymore after the upgrade
and an administrator will have to reset the password.
The following hash algorithms that are currently still supported are
affected: des-crypt, MD5-crypt, Apr MD5-crypt. Passwords hashed with
sha256-crypt will not require resetting the password but will be updated
automatically on the user's next login (see Werk #14390).
New passwords will be hashed with bcrypt.
Should you wish to manually change a user's password via the CLI, please
be aware of the newly introduced `cmk-passwd` utility (see Werk #14389).
Even though this Werk is related to security, it does not fix any
exploitable issue. Hence, we assign a CVSS score of 0 (None)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
CMK-11529, CMK-11530
Change-Id: Ic14a9ffb5bb91cfbb3ac27ae62efdcd4a7db9b81
Compare:
https://github.com/tribe29/checkmk/compare/d9098953e62d...fcf6b3f05531
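
Added example, not part of the commits above and not Checkmk's own code: a small audit that sorts htpasswd entries into the handling Werks #14390 and #14391 describe, so an administrator can see before an upgrade which users will have to change their password. The prefix table is standard crypt(3)/htpasswd notation; the function names, the "!" lock-marker handling and the sample entries are assumptions made for this illustration.

```python
import re

# Standard crypt(3)/htpasswd prefixes (general knowledge, not Checkmk code).
PREFIXES = [
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"), ("$apr1$", "Apr MD5-crypt"), ("$1$", "MD5-crypt"),
]
# Handling per scheme as stated in Werks #14390 and #14391.
ACTIONS = {
    "bcrypt": "ok",
    "sha256-crypt": "auto-update on next login",
    "des-crypt": "password change required",
    "MD5-crypt": "password change required",
    "Apr MD5-crypt": "password change required",
}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # des-crypt: 13 chars, no prefix

def identify_scheme(hash_field):
    # Assumption: a leading "!" marks a locked account, as in /etc/shadow.
    h = hash_field.lstrip("!")
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return name
    return "des-crypt" if DES_RE.fullmatch(h) else "unknown"

def audit_htpasswd(text):
    """Map each user to (scheme, action); unknown schemes need manual review."""
    report = {}
    for line in text.splitlines():
        user, sep, hash_field = line.strip().partition(":")
        if not sep or not user:
            continue  # skip blank or malformed lines
        scheme = identify_scheme(hash_field)
        report[user] = (scheme, ACTIONS.get(scheme, "review manually"))
    return report

# Constructed sample entries; the hash bodies are dummy filler, not real hashes.
SAMPLE = "\n".join([
    "alice:$2y$12$" + "A" * 53,
    "bob:$5$rounds=535000$" + "B" * 16 + "$" + "B" * 43,
    "carol:$1$" + "C" * 8 + "$" + "C" * 22,
    "dave:$apr1$" + "D" * 8 + "$" + "D" * 22,
    "erin:!" + "E" * 13,
    "frank:{SHA}" + "F" * 28,
])

if __name__ == "__main__":
    for user, (scheme, action) in audit_htpasswd(SAMPLE).items():
        print(f"{user}: {scheme}: {action}")
```

Entries that match no known scheme are reported as "review manually" rather than guessed at.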