ID: 5195
Title: Fixed an obscure BI bug related to hard states when using the Nagios core.
Component: Livestatus
Level: 1
Class: Bug fix
Version: 1.5.0i1
Previously, the "service" table was missing a "hard_state" column, which
led to a rather obscure bug in BI: When the Nagios core was used and BI was
configured to use hard states and a service was in a non-OK soft state, the
service was effectively ignored by BI. This has been fixed.
ID: 5194
Title: Fixed time zone handling for Stats: columns.
Component: Livestatus
Level: 1
Class: Bug fix
Version: 1.5.0i1
The time zone specified via the Localtime: header was ignored for Stats:
columns, so their returned value was wrong when it was a time-related
column. This has been fixed.
ID: 5193
Title: Fixed authorization handling for Livestatus queries.
Component: Livestatus
Level: 1
Class: Bug fix
Version: 1.5.0i1
Depending on the monitoring core used, several columns did not respect the
AuthUser: header, so more hosts/services/groups were returned than
requested. This has been fixed.
ID: 5432
Title: Network scan: The tag for the "criticality" host tag group can now be configured
Component: WATO
Level: 1
Class: New feature
Version: 1.5.0i1
Before this change all new hosts found by the network scan were added as offline hosts
(Criticality: Do not monitor this host). It is now possible to configure this value
in the properties of the network scan.
ID: 5431
Title: Fixed possible reflected XSS using custom bookmarks
Component: Multisite
Level: 1
Class: Security fix
Version: 1.5.0i1
It was possible to create custom bookmarks by making the user open a
crafted URL. This created a bookmark in the user's default bookmark list
which could be used to execute custom JavaScript code when the user
clicked on the newly created link.
For example, the user's session cookies could be read and reported to the
attackers, who could then hijack the user's sessions with the application.
This issue has been fixed by limiting absolute URLs in bookmarks to the
URL schemes <tt>https</tt> and <tt>http</tt>.
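A scheme allowlist of this kind can be sketched as follows. This is an added example, not Check_MK's own code; the function names, the treatment of scheme-less URLs as relative and the sample bookmarks are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the two schemes named in the fix


def is_allowed_bookmark_url(url):
    """True for relative URLs and absolute http(s) URLs, False otherwise."""
    # Browsers ignore tabs, newlines and leading control characters when
    # resolving a URL, so a scheme can hide behind them. Reject such input
    # outright rather than trying to normalise it.
    if not url or any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return False
    if not parts.scheme:
        return True  # no scheme: treated as relative (assumption)
    return parts.scheme.lower() in ALLOWED_SCHEMES


def filter_bookmarks(bookmarks):
    """Split (title, url) pairs into (kept, dropped) lists."""
    kept, dropped = [], []
    for title, url in bookmarks:
        (kept if is_allowed_bookmark_url(url) else dropped).append((title, url))
    return kept, dropped


# Constructed sample input, not taken from the werk.
SAMPLE_BOOKMARKS = [
    ("All hosts", "view.py?view_name=allhosts"),
    ("Docs", "https://example.com/docs"),
    ("Mixed case scheme", "JaVaScRiPt:void(0)"),
    ("Tab inside scheme", "java\tscript:void(0)"),
    ("Data URL", "data:text/html,x"),
    ("Broken host", "http://[bad"),
]

if __name__ == "__main__":
    kept, dropped = filter_bookmarks(SAMPLE_BOOKMARKS)
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The check belongs at the point where a bookmark is stored as well as where it is rendered, so that entries saved before the fix are not trusted.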
ID: 5238
Title: WATO users now only see their configured sites in the Site-DropdownChoice
Component: WATO
Level: 1
Class: Bug fix
Version: 1.5.0i1
A user can be configured only to see/configure a subset of the available sites.
The site dropdown choice, however, always showed all available sites. This has been fixed.
ID: 5409
Title: Windows eventlog: wrong last state saved
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 1.5.0i1
The initial run of Windows agent after fresh installation caused an
incorrect last state to be written in the state file eventstate.txt.
As a result, no new entries were read from the eventlog. Broken since
commit 91797ac9f7d69fc94119c08ea0df4baccaea2b6.
ID: 5429
Title: Fixed broken event history expiration (when using default settings)
Component: Event Console
Level: 2
Class: Bug fix
Version: 1.5.0i1
The Event Console was not deleting outdated entries from the event history.
With the default settings it is intended to delete entries older than 365
days from the EC archive. This did not work.
A message like this appears once per "Housekeeping interval", normally 1 minute:
[1509618281.352829] Error expiring log files: year out of range
This time window can be configured with the setting "Event history lifetime".
As a workaround you can simply open this setting and save it with the default
value. This will make the event deletion work as expected.
If you are affected, the Event Console archive directory
(<tt>~/var/mkeventd/history</tt>) may grow far too large, which may result in
slow "Event Console History" views (depending on your filtering). You could
clean up the archive directory by hand to improve the situation.
After applying the update, the next housekeeping run will clean up all your old
archived events.