Branch: refs/heads/2.1.0
Home:
https://github.com/tribe29/checkmk
Commit: b7b227223c633755c440a7beba0ad8b6514397c6
https://github.com/tribe29/checkmk/commit/b7b227223c633755c440a7beba0ad8b65…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-05-02 (Tue, 02 May 2023)
Changed paths:
A .werks/15189
M cmk/base/diagnostics.py
Log Message:
-----------
15189 SEC Don't log automation user credentials when generating performance graph diagnostics
Prior to this Werk, creating a Support Diagnostic report including the
option "Performance Graphs of Checkmk Server" caused the automation
secret of the user "automation" to be logged to the site Apache access
log file (var/log/apache/access_log). This affected both creating the
diagnostic report via the GUI (Setup > Maintenance > Support diagnostics)
and via the command line
(cmk --create-diagnostics-dump --performance-graphs).
With this Werk the credentials are no longer written to the log file.
Note that no automatic sanitization of the log file is attempted by
applying this patch.
This issue was discovered during internal review.
Affected Versions:
- 2.2.0 (beta)
- 2.1.0
- 2.0.0
Mitigations:
Users are advised to change the secret of the user "automation" via the
User Management UI.
If this is not an option for you, delete or manually sanitize the Apache
access log file and any backup of the file. Remove any line that
contains a POST to
<your site URL>/report.py?_username=automation&_secret=<...>.
Refrain from using the affected functionality before applying this patch
or manually sanitize the file afterwards.
Vulnerability Management:
We have rated the issue with a CVSS Score of 4.4 (Medium) with the
following CVSS vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N.
We have assigned CVE-2023-31207.
Change-Id: I5b903fb3c1d186219f7718acf3d6efa498e9f5cf
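The mitigation section above asks affected users to remove every Apache access_log line that records a POST to report.py carrying _username=automation and a _secret parameter. The following script is an added illustration of that clean-up, not part of Checkmk or of this commit: it parses the request field of Common/Combined Log Format lines, flags exactly those requests, and writes a copy of the log with the flagged lines either dropped (as the werk advises) or kept with the secret masked. The sample log lines and the site path /mysite/check_mk/ are constructed for the example; the real path depends on the site name.

```python
"""Find and drop (or redact) Apache access_log lines that leak the Checkmk
automation secret, as described in Werk 15189.

Added example, not Checkmk code. Sample log lines are constructed and the
site path /mysite/check_mk/ is an assumption.
"""
import re
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# Request field of a Common/Combined Log Format line: "METHOD /target HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The secret value in the query string, so it can be masked in place.
_SECRET_RE = re.compile(r"(_secret=)[^&\s\"]*")


def leaks_automation_secret(line: str) -> bool:
    """True if the line records a POST to .../report.py whose query string
    carries _username=automation and a _secret parameter (the werk's pattern)."""
    m = _REQUEST_RE.search(line)
    if not m or m.group("method") != "POST":
        return False
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/report.py"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return query.get("_username") == ["automation"] and "_secret" in query


def redact_secret(line: str) -> str:
    """Replace the secret value with a fixed marker, keeping the rest of the line."""
    return _SECRET_RE.sub(r"\1<redacted>", line)


def sanitize(lines: Iterable[str], mode: str = "drop") -> tuple[list[str], int]:
    """Return (sanitized_lines, number_of_leaking_lines).

    mode="drop"   removes leaking lines entirely, as the werk advises;
    mode="redact" keeps them with the secret masked, preserving audit context.
    """
    if mode not in ("drop", "redact"):
        raise ValueError("mode must be 'drop' or 'redact'")
    out: list[str] = []
    hits = 0
    for line in lines:
        if leaks_automation_secret(line):
            hits += 1
            if mode == "redact":
                out.append(redact_secret(line))
            continue
        out.append(line)
    return out, hits


def sanitize_file(src: str, dst: str, mode: str = "drop") -> int:
    """Write a sanitized copy of src to dst; return the number of leaking lines found."""
    with open(src, encoding="utf-8", errors="replace") as f:
        cleaned, hits = sanitize(f.read().splitlines(keepends=True), mode)
    with open(dst, "w", encoding="utf-8") as f:
        f.writelines(cleaned)
    return hits


# Constructed sample: one leaking request, one benign GUI request, one unrelated POST.
SAMPLE_LOG = [
    '127.0.0.1 - - [02/May/2023:10:00:01 +0200] "POST /mysite/check_mk/report.py?_username=automation&_secret=EXAMPLESECRET HTTP/1.1" 200 4321',
    '127.0.0.1 - - [02/May/2023:10:00:02 +0200] "GET /mysite/check_mk/index.py HTTP/1.1" 200 512',
    '127.0.0.1 - - [02/May/2023:10:00:03 +0200] "POST /mysite/check_mk/webapi.py?action=get_host HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    kept, hits = sanitize(SAMPLE_LOG, mode="redact")
    print(f"{hits} leaking line(s) found")
    for line in kept:
        print(line)
```

Run it against a copy of var/log/apache/access_log (and each rotated or backed-up copy) with sanitize_file, then replace the original only after checking the reported count; the werk's own advice is still to rotate the automation secret, since a sanitized log does not help if the old value was already read elsewhere.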
Commit: d00dbe64b3174bd6da83b72b53a0dc33cf4d3a38
https://github.com/tribe29/checkmk/commit/d00dbe64b3174bd6da83b72b53a0dc33c…
Author: Ronny Bruska <ronny.bruska(a)checkmk.com>
Date: 2023-05-02 (Tue, 02 May 2023)
Changed paths:
R .werks/15480
M cmk/gui/wato/pages/rulesets.py
Log Message:
-----------
Revert "15480 FIX Do not show rules of folders the user has no permission for"
This reverts commit 83ef3f4c3b15df713e1c43671af62626884bac3b.
Reason for revert: not needed
Change-Id: I54ac5decc6b2cab8e74ee280e8809160fbd66703
Commit: 0e294f9407875a07cc29d7b45df5ced88d00b034
https://github.com/tribe29/checkmk/commit/0e294f9407875a07cc29d7b45df5ced88…
Author: Ronny Bruska <ronny.bruska(a)checkmk.com>
Date: 2023-05-02 (Tue, 02 May 2023)
Changed paths:
M cmk/gui/wato/pages/rulesets.py
Log Message:
-----------
Revert "Do not allow to view rules without permission via url"
This reverts commit 48dcf08ab7730182d59b74a93476260981a6b394.
Reason for revert: not needed
Change-Id: I735d87e6f5db65ee98e3f852dc56b19152ead70c
Compare:
https://github.com/tribe29/checkmk/compare/a00911841ee9...0e294f940787