ID: 6622
Title: Fixed possible open redirect on login page
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
It was possible to redirect a user to external websites by manipulating
GET parameters. To exploit this vulnerability, an attacker needs to trick a
user into following a crafted URL. The attack only works if the user does not
notice that they are redirected to a different URL.
ID: 6619
Title: Fixed missing CSRF protection for master control AJAX calls
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The AJAX calls used by the master control snapin were not correctly using
CSRF tokens to protect logged-in users against malicious links that could
trigger actions.
CMK-963
ID: 6620
Title: Fixed missing CSRF protection for site status AJAX calls
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The AJAX calls used by the site status snapin were not correctly using
CSRF tokens to protect logged-in users against malicious links that could
trigger actions.
ID: 6618
Title: Fixed missing CSRF protection for host diagnostic AJAX calls
Component: WATO
Level: 1
Class: Security fix
Version: 1.6.0i1
The AJAX calls used by the host diagnostic page were not correctly using
CSRF tokens to protect logged-in users against malicious links that could
trigger actions.
ID: 6599
Title: HW/SW Inventory: Only count the real entries
Component: HW/SW Inventory
Level: 1
Class: Bug fix
Version: 1.6.0i1
The active check {{Check_MK HW/SW Inventory}}, the
inventory history and the shell commands <tt>cmk -vi</tt>
and <tt>cmk -vii</tt> show the number of found entries.
This number also includes the nodes. Example:
<tt>Hardware > System > Family: Thinkpad</tt>
gives 3 entries. This may be confusing.
Now only the real entries are counted. Example:
<tt>Hardware > System > Family: Thinkpad</tt>
gives 1 entry.
ID: 6598
Title: HW/SW Inventory: Do not list plugins on commandline for which the related section is empty
Component: HW/SW Inventory
Level: 1
Class: Bug fix
Version: 1.6.0i1
ID: 6596
Title: Do status data inventory: Check "HW/SW Inventory" and shell commands behave the same way
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 1.6.0i1
If <tt>Status data inventory</tt> is enabled in the ruleset
<tt>Do hardware/software Inventory</tt>, the active check
<tt>Check_MK HW/SW Inventory</tt> and the shell commands
<tt>cmk -vii</tt> and <tt>cmk -vi</tt> behave the same way.
The same result should also be displayed if <tt>cmk -v</tt>
is executed while <tt>Status data inventory</tt> is enabled.
ID: 6624
Title: Sign all agents: Prevent focussing search field when opening the dialog
Component: agents
Level: 1
Class: Bug fix
Version: 1.6.0i1
When opening the dialog "Sign all agents" there was previously a search field shown which had
the initial focus. A user would expect to have the initial focus on the key pass phrase field
to sign the agent. When the user starts typing the pass phrase without previously changing the
focus, the pass phrase becomes visible on the screen.
To fix this we have now removed the search field from the "Sign all agents" dialog. The pass
phrase field is now initially focused as intended.
ID: 6496
Title: check_mk_agent.linux: Moved piggybacked docker container sections to plugin 'mk_docker_container_piggybacked'
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 1.6.0i1
In order to monitor docker containers the {{check_mk_agent}}
collects the following information of each docker container
as piggyback data:
<ul>
<li>The state, node name, labels and network information</li>
<li>Execution of the {{check_mk_agent}} within running containers</li>
</ul>
Moreover, you have to create piggybacked hosts in Check_MK for each docker
container. The piggybacked host name is the docker container ID.
Because these sections take a long time to run, they have been moved to the
plugin {{mk_docker_container_piggybacked}}, which can also be executed
asynchronously.
This means that these sections were removed from the {{check_mk_agent}}
and you have to install the plugin in the plugins folder on the client.