ID: 3802
Title: Fixed excess Check Helper PIPEs when a datasource program runs into a timeout
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.4.0i1
A timeout during the execution of a datasource program could cause
leftover stderr/stderr pipes for the Check_MK Helper process.
ID: 3856
Title: Improved handling of Check_MK GUI request timeouts
Component: Multisite
Level: 1
Class: New Feature
Version: 1.4.0i1
Previous Check_MK versions had no user-friendly and correct handling of web
requests that took too long to process. If a user issued a request to the
Multisite GUI which took longer than the system apache request timeout,
the result was a default webserver error page showing a "proxy timeout" error
message.
Another issue: The timeout was dependent on your system apache configuration
and, if you did not change the settings on your own, on the Linux distribution
defaults.
We have now changed the timeout mechanism as follows:
The system apache process will end the communication with the client after
the timeout configured for the proxy connection from system apache to site
apache. This is set in the file /omd/sites/[site]/etc/apache/proxy-port.conf,
in the "timeout=x" parameter of the ProxyPass statement. The client timeout
has been configured to 120 seconds.
The application (Check_MK GUI) request timeout should always be lower than
the client timeout to make it possible to abort the page processing and send
a helpful response page to the client. The default timeout is set to 110
seconds.
Developer note:
It is possible to disable the application's request timeout (temporarily
or totally) for specific calls, but the timeout to the client will always
be applied by the system webserver. So the client will always get an error
page while the site apache continues processing the request (until the
first try to write anything to the client), which will result in an
exception.
ID: 3855
Title: Fixed possible command injection by privileged WATO users
Component: WATO
Level: 2
Class: Security Fix
Version: 1.4.0i1
In all previous 1.2.8 versions, authenticated and privileged WATO users
(those able to add or edit hosts) were able to inject shell commands into
Check_MK, which were then executed in the context of the monitoring
site user.
The user was able to configure a host address in a specific format to inject
such shell commands into the configuration. Once the configuration was activated
and loaded into the monitoring core, the command was executed in the context of
the monitoring site user at the moment a parent scan was started for that host.
Thanks to Christian Fünfhaus for analyzing and reporting this issue!
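Added example (not Check_MK's own code): one way to guard against this class of
bug is to validate host addresses against an allowlist when they are saved and
to pass them to external commands as a single argv element. The function names,
the traceroute arguments and the sample hosts are assumptions for illustration.

```python
import ipaddress
import re

# Hypothetical helper names; the traceroute argv is an assumed stand-in for
# whatever command a parent scan runs against the configured host address.
_CHARSET = re.compile(r"[A-Za-z0-9_.:-]+\Z")  # no spaces, quotes, ;|&$`%
_LABEL = re.compile(r"(?!-)[A-Za-z0-9_-]{1,63}(?<!-)\Z")


def is_valid_host_address(value):
    """Accept only an IPv4/IPv6 literal or a DNS host name."""
    if not isinstance(value, str) or len(value) > 253:
        return False
    # Allowlist first: Python 3.9+ ipaddress accepts any text as an IPv6
    # scope id after '%', so parsing alone is not a sufficient check.
    if not _CHARSET.match(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # Labels must not start with '-', so the value cannot pass as an option.
    return all(_LABEL.match(l) for l in value.rstrip(".").split("."))


def parent_scan_argv(address):
    """Build an argv list (for subprocess without shell=True)."""
    if not is_valid_host_address(address):
        raise ValueError("rejected host address: %r" % (address,))
    return ["traceroute", "-n", "-w", "2", "-q", "1", "-m", "10", address]


def audit_hosts(hosts):
    """Return the names of configured hosts whose address fails validation."""
    return sorted(n for n, a in hosts.items() if not is_valid_host_address(a))


# Constructed sample configuration, not taken from any real site.
SAMPLE_HOSTS = {
    "web01": "192.0.2.10",
    "db01": "db01.example.net",
    "v6gw": "2001:db8::1",
    "bad1": "192.0.2.11; id",
    "bad2": "$(id).example.net",
    "bad3": "-n",
    "bad4": "fe80::1%eth0 x",
}

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Running audit_hosts over an existing host configuration shows which entries
would have been rejected at save time.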
ID: 3837
Title: Fixed empty check if lnx_if info contains additional line
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.4.0i1
The output of the lnx_if check was empty if the interface provided an additional
line supplied by CDP (Cisco Discovery Protocol). This is fixed now, but the line
is not handled further at the moment; that may become a feature in the future.
ID: 3854
Title: juniper_bgp_state: Fixed service descriptions in some cases
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.4.0i1
At least for some devices (Juniper M120 router, Juniper SRX240H-DC
and Juniper MX80-48T) the service descriptions were computed incorrectly
(containing more numbers than the IP address of the peer).
ID: 3872
Title: mcafee_webgateway, mcafee_webgateway_misc: new checks which monitor some statistics of McAfee web gateway devices
Component: Checks & Agents
Level: 1
Class: New Feature
Version: 1.4.0i1