Branch: refs/heads/2.0.0
Home: https://github.com/tribe29/checkmk
Commit: 64fb7e6f00bd9830b8c26453711b5c9be63cb7d0
https://github.com/tribe29/checkmk/commit/64fb7e6f00bd9830b8c26453711b5c9be…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-04-14 (Thu, 14 Apr 2022)
Changed paths:
A .werks/13897
M cmk/base/notify.py
Log Message:
-----------
Fix command injection vulnerability
Prior to this Werk an attacker who could control certain notification
variables such as <tt>NOTIFICATIONTYPE</tt> or <tt>HOSTNAME</tt> was able to
inject commands into the fall-back mail command. The commands were then executed
as site user.
With this werk the variable <tt>MAIL_COMMAND</tt> is no longer available
in notification scripts.
You can reduce the risk of exploitation by disabling the listening of the
notification spooler (the default is disabled) (CEE/CME only feature).
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that previous versions were also vulnerable.
To detect possible exploitation <tt>var/log/mknotifyd.log</tt> and
<tt>var/log/notify.log</tt> can be checked for special shell characters like
<tt>&&</tt> and odd quoting.
CMK-8780
Change-Id: I98236d1aa7854773862aee6fedcd669b09ba5fc0
Commit: 3e00e603e098801308444c0add7e6b2b3c5f7c0e
https://github.com/tribe29/checkmk/commit/3e00e603e098801308444c0add7e6b2b3…
Author: Sergey Kipnis <sergey.kipnis(a)tribe29.com>
Date: 2022-04-14 (Thu, 14 Apr 2022)
Changed paths:
M Makefile
M agents/wnx/clean_artefacts.cmd
M buildscripts/scripts/build-cmk-version.jenkins
M buildscripts/scripts/lib/windows.groovy
M scripts/fake-windows-artifacts
Log Message:
-----------
Rename MSI from `no_sign` to `unsigned`
Change-Id: I6f4e56fe6893329df3414e864ea2119aee1fb0a1
Compare:
https://github.com/tribe29/checkmk/compare/37d591be6e82...3e00e603e098
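The log check suggested in the first commit message above (Werk 13897), sketched as an added example that is not part of the commit or of Checkmk's code. The function names, the pattern set beyond `&&`, the "odd quoting" heuristic, the sample lines, and reading the log paths relative to the site directory are assumptions made here; hits are candidates for manual review, not proof of exploitation.

```python
import re
from pathlib import Path

# Log files named in the Werk, read here relative to the site directory (assumption).
LOG_FILES = ("var/log/mknotifyd.log", "var/log/notify.log")

# "&&" comes from the Werk; "||", backtick and "$(" are added here (assumption).
# Bare ";" and "|" are left out because they can occur in ordinary log text.
SHELL_META = re.compile(r"&&|\|\||`|\$\(")
# "Odd quoting" heuristic (assumption): a quote directly next to the other quote type.
MIXED_QUOTES = re.compile(r"'\"|\"'")

def suspicious_reasons(line):
    """Return the reasons a log line deserves a manual look (empty list if none)."""
    reasons = []
    match = SHELL_META.search(line)
    if match:
        reasons.append("shell metacharacter %r" % match.group(0))
    # An odd number of double quotes means one was opened or closed out of place.
    if MIXED_QUOTES.search(line) or line.count('"') % 2:
        reasons.append("odd quoting")
    return reasons

def scan_lines(lines):
    """Yield (line_number, reasons, text) for every flagged line."""
    for number, raw in enumerate(lines, start=1):
        reasons = suspicious_reasons(raw)
        if reasons:
            yield number, reasons, raw.rstrip("\n")

def scan_site(site_dir):
    """Scan both log files under a site directory; missing files are skipped."""
    hits = []
    for rel in LOG_FILES:
        path = Path(site_dir) / rel
        if path.is_file():
            with path.open(errors="replace") as handle:
                hits += [(rel,) + hit for hit in scan_lines(handle)]
    return hits

# Constructed sample lines (not real Checkmk log output).
SAMPLE = [
    "2022-04-14 10:00:01 notification for host web01 type PROBLEM",
    "2022-04-14 10:00:07 notification for host web01\" && echo marker type PROBLEM",
    "2022-04-14 10:00:09 notification for host 'db02'\"x\" type RECOVERY",
]

if __name__ == "__main__":
    for number, reasons, text in scan_lines(SAMPLE):
        print(number, ", ".join(reasons), "|", text)
```

Call `scan_site()` with the site's home directory to cover both files in one pass.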