ID: 0991
Title: Availability: optionally show time stamps as UNIX epoch time
Component: Reporting & Availability
Level: 1
Class: Bug Fix
Version: 1.2.5i5
This makes it easier to compare the availability timeline with actual log files.
ID: 0990
Title: Fix HTTP error handling in bulk inventory
Component: WATO
Level: 1
Class: Bug Fix
Version: 1.2.5i5
If an HTTP error occurs during a bulk inventory (e.g. due to an Apache
restart), the failed hosts are now displayed correctly and the number of
failed hosts is correct.
ID: 0989
Title: logwatch.ec: Fix forwarding multiple messages via syslog/TCP
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.5i5
If you set up forwarding to the Event Console in the {logwatch.ec} check to
be done via TCP and more than one new message arrived per check interval,
then several messages could have been joined together into one single message.
The reason was a missing newline character. This has been fixed. Forwarding
via UDP was not affected by this bug.
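The framing problem behind werk 0989, as an added example that is not Check_MK's logwatch.ec code: TCP delivers a byte stream with no record boundaries, so a forwarder that concatenates messages without a terminator makes the receiver see one long record. Terminating every message with a newline (RFC 6587 non-transparent framing) lets the receiver split the stream again, and the receiver must also cope with a message arriving split across several TCP segments. Function and class names and the sample syslog lines are constructed for this example.

```python
# Added example (not Check_MK's logwatch.ec code): newline framing for
# syslog-style messages forwarded over a TCP stream.
from typing import List

# Constructed sample messages in BSD syslog style (PRI 13 = user.notice).
SAMPLE_MESSAGES = [
    "<13>Jun 10 12:00:01 host1 myapp: first event",
    "<13>Jun 10 12:00:02 host1 myapp: second event",
    "<13>Jun 10 12:00:03 host1 myapp: third event",
]


def frame_buggy(messages: List[str]) -> bytes:
    """Reproduces the defect class: messages concatenated with no terminator."""
    return "".join(messages).encode("utf-8")


def frame_fixed(messages: List[str]) -> bytes:
    """Every message ends with exactly one newline so the receiver can split them."""
    return "".join(m.rstrip("\r\n") + "\n" for m in messages).encode("utf-8")


class LineReceiver:
    """Receiver-side reassembly: buffers partial TCP segments and returns
    only complete newline-terminated messages."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> List[str]:
        """Append a received segment; return all messages completed by it."""
        self._buf += chunk
        parts = self._buf.split(b"\n")
        # The last element is the unterminated remainder (b"" if the chunk
        # ended exactly on a newline); keep it for the next segment.
        self._buf = parts.pop()
        return [p.decode("utf-8") for p in parts if p]

    def flush(self) -> List[str]:
        """At connection close, whatever remains is one unterminated record."""
        rest, self._buf = self._buf, b""
        return [rest.decode("utf-8")] if rest else []


def receive_stream(payload: bytes, chunk_size: int = 7) -> List[str]:
    """Simulate TCP delivering the payload in arbitrary small segments and
    return the messages the receiver reconstructs."""
    rx = LineReceiver()
    out: List[str] = []
    for i in range(0, len(payload), chunk_size):
        out.extend(rx.feed(payload[i:i + chunk_size]))
    out.extend(rx.flush())
    return out
```

With the buggy framing the receiver reconstructs a single record containing all three events joined together; with the fixed framing it recovers the original three messages regardless of how the stream was segmented.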
ID: 0988
Title: livedump: Fix exception in case no contact groups are defined for a service
Component: Livestatus
Level: 1
Class: Bug Fix
Version: 1.2.5i5
ID: 0942
Title: check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX
Component: Multisite
Level: 1
Class: Bug Fix
Version: 1.2.5i4
This change makes pnpgraphs with greater timeframes consistent.
ID: 0941
Title: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes
Component: Multisite
Level: 1
Class: Bug Fix
Version: 1.2.5i4
Affected pnptemplates are: check_mk-enterasys_cpu_util, check_mk-esx_vsphere_hostsystem.cpu_usage, check_mk-innovaphone_cpu
ID: 0984
Title: Fix code injection for logged in users via automation url
Component: WATO
Level: 2
Class: Incompatible Change
Version: 1.2.5i4
This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
<i>The check_mk application uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was modified as a security means from a former version, which used
"eval"-like structures with untrusted input data. Anyhow, as the python API
documentation clearly states, "pickle" should be considered unsafe as well,
see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
The fix replaces <tt>pickle</tt> with a module called <tt>ast</tt>. Unfortunately
this module is not available on Centos/RedHat 5.X and Debian 5. On these
systems WATO still uses <tt>pickle</tt>, even with this fix.
<b>Note:</b> This change makes the current Check_MK versions incompatible
with older versions. In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old
unsafe method by setting <tt>wato_legacy_eval = True</tt> in <tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.
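The substitution described in werk 0984, as an added example that is not Check_MK's WATO code: data exchanged between sites is emitted as a Python literal and read back with <tt>ast.literal_eval</tt>, which accepts only literal syntax and raises <tt>ValueError</tt> for anything else, while the old <tt>pickle</tt> path stays behind a flag that mirrors <tt>wato_legacy_eval</tt>. The example is Python 3 (the <tt>ast</tt> module exists since Python 2.6, which is why the 2.4/2.5 distributions named above cannot use it), the function names and the size limit are assumptions, and it assumes the exchanged data is plain Python data (dicts, lists, strings, numbers), since instances of custom classes do not survive <tt>repr</tt>/<tt>literal_eval</tt>.

```python
# Added example (not Check_MK's WATO code): replacing pickle with
# ast.literal_eval for data exchanged between sites.
import ast
import pickle
from typing import Any

# Assumed limit: the Python docs note that literal_eval can crash the
# interpreter on sufficiently large or deeply nested input, so bound the
# payload before parsing it.
MAX_PAYLOAD_BYTES = 1_000_000


def encode_payload(obj: Any) -> bytes:
    """Sender side (new method): emit a Python literal via repr().
    Plain data (dict/list/tuple/str/bytes/int/float/bool/None) round-trips."""
    return repr(obj).encode("utf-8")


def encode_legacy(obj: Any) -> bytes:
    """Sender side (old method): pickle, kept only for mixed-version setups."""
    return pickle.dumps(obj)


def decode_payload(raw: bytes, legacy_eval: bool = False) -> Any:
    """Receiver side.

    legacy_eval=False: ast.literal_eval accepts literal syntax only and raises
    ValueError for names, calls, attribute access or any other expression.

    legacy_eval=True: the old pickle path (the wato_legacy_eval switch);
    pickle.loads can execute code embedded in the stream, so it must only
    be enabled when the peer is a trusted older version.
    """
    if legacy_eval:
        return pickle.loads(raw)
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large: %d bytes" % len(raw))
    return ast.literal_eval(raw.decode("utf-8"))


def is_pure_literal(text: str) -> bool:
    """True if text parses as a pure literal under ast.literal_eval."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False
```

The essential difference is that <tt>literal_eval</tt> never looks up names or calls anything: a string such as <tt>list(range(3))</tt> is rejected before evaluation, whereas the legacy decoder has no way to inspect what a pickle stream will do when loaded.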
ID: 0983
Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i4
The fixed weakness was:
The check_mk application allows an attacker to write check_mk config files
(.mk files) to arbitrary locations on the server filesystem.
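The class of defect behind werk 0983 is a user-controlled name being joined onto a configuration directory without confinement. The following is an added example, not Check_MK's code, of how a write target can be pinned inside one directory: a strict allow-list on the name plus a <tt>realpath</tt> containment check that also catches a pre-existing symlink pointing outside the directory. The directory path, function names and candidate names are constructed for the example.

```python
# Added example (not Check_MK code): confine a user-supplied file name to a
# single configuration directory before writing a .mk file.
import os
import re
from typing import Dict, Iterable

# Allow-list: first character alphanumeric or underscore, then letters,
# digits, underscore, dot or dash. This excludes "/", NUL, whitespace and
# control characters, and any name starting with ".".
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def resolve_mk_path(conf_dir: str, user_name: str) -> str:
    """Return the absolute path inside conf_dir for user_name, or raise ValueError.

    Two independent checks are applied: the name allow-list, and a
    containment check on the resolved path (which follows symlinks) so that
    an existing symlink inside conf_dir cannot redirect the write elsewhere.
    """
    # fullmatch (not match) so that a trailing newline cannot slip past "$".
    if not SAFE_NAME.fullmatch(user_name) or not user_name.endswith(".mk"):
        raise ValueError("invalid file name: %r" % user_name)
    base = os.path.realpath(conf_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes configuration directory: %r" % user_name)
    return target


def classify(conf_dir: str, names: Iterable[str]) -> Dict[str, str]:
    """Map each candidate name to 'ok' or 'rejected' (for review and tests)."""
    result: Dict[str, str] = {}
    for name in names:
        try:
            resolve_mk_path(conf_dir, name)
            result[name] = "ok"
        except ValueError:
            result[name] = "rejected"
    return result
```

The allow-list alone would already reject every traversal form; the <tt>realpath</tt> check is kept because it is the one layer that reasons about what is actually on the filesystem rather than about the string.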
ID: 0982
Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i4
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is
mainly the result of improper output encoding. Reflected XSS can be triggered
by sending a malicious URL to a user of the check_mk application. Once the
XSS attack is triggered, the attacker has access to the full check_mk (and
nagios) application with the access rights of the logged in victim.
The fix applies to the functions:
htmllib.py: render_status_icons()
actions.py: ajax_action()
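Werk 0982 attributes the weakness to improper output encoding. As an added example, not Check_MK's <tt>htmllib</tt> code, the following shows a status-icon renderer that interpolates request-controlled strings verbatim next to one in which every interpolation point uses the encoder for its context (attribute value, text content, link target). The renderer's signature, the icon markup and the scheme allow-list are assumptions made for the example.

```python
# Added example (not Check_MK's htmllib code): context-aware output encoding
# for HTML built from request parameters.
import html
from urllib.parse import urlsplit

# Assumed policy: only relative links and http(s) URLs may be emitted as href.
ALLOWED_SCHEMES = {"", "http", "https"}


def attr(value: str) -> str:
    """Escape for use inside a double-quoted attribute value (& < > " ')."""
    return html.escape(value, quote=True)


def text(value: str) -> str:
    """Escape for element text content (& < >)."""
    return html.escape(value, quote=False)


def safe_href(url: str) -> str:
    """Allow-list the URL scheme, then escape for the attribute context.
    Escaping alone does not stop a script-bearing scheme, so the scheme
    check is a separate layer. Returns '#' for anything not allowed."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return attr(url)


def render_status_icon_unescaped(title: str, url: str) -> str:
    """The defect class: strings taken from the request are pasted into markup."""
    return '<a href="%s" title="%s"><img src="icon.png"></a>' % (url, title)


def render_status_icon(title: str, url: str) -> str:
    """Fixed: each placeholder is encoded for the context it lands in."""
    return '<a href="%s" title="%s"><img src="icon.png"></a>' % (
        safe_href(url), attr(title))


def render_status_line(host: str, summary: str) -> str:
    """Text-context example: host and summary appear between tags."""
    return "<td>%s</td><td>%s</td>" % (text(host), text(summary))
```

The point of separating <tt>attr</tt>, <tt>text</tt> and <tt>safe_href</tt> is that the correct encoding depends on where in the document the value lands; one generic "escape everything" call applied at input time cannot know that, which is why output encoding at the rendering site is the fix the werk describes.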