ID: 15006
Title: Fix possible error on view "Crash reports"
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
On systems that had created a lot of crash reports, an error like "No matching
entries found for query: Get crashreports" could be shown when a user tried to
open the view "Crash reports".
ID: 14568
Title: Prometheus: incorrect metrics in Memory service
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, the Prometheus integration incorrectly reported <tt>Anonymous pages</tt> instead of
reporting <tt>Mapped data</tt> and <tt>Active (anonymous)</tt>. Moreover, <tt>Active</tt> was
reported in place of <tt>Active (files)</tt>. With this werk, the correct values are displayed.
ID: 15047
Title: graylog_sources: Added support for a specific timeframe for the messages to be checked in
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
Added support for a new argument that can be set when configuring the graylog special agent.
The argument is "source_since" and allows setting a specific timeframe in which the total number of messages should be checked.
If the argument is not set, the behaviour of the check stays the same as before.
If the argument is set, the check reports the total number of messages in the specified timeframe instead of the number of new messages in that timeframe.
ID: 14961
Title: MRPE: Deprecate add_age flag
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, there was an option to decide whether the cache age (in case of activated caching) of
an MRPE check should be displayed at the corresponding service. This could be specified either at
the "Execute MRPE checks" agent ruleset, or directly at the <tt>mrpe.cfg</tt> file (UNIX) or
<tt>check_mk.user.yml</tt> file.
This option turned out to be of limited use, as there's no advantage in omitting the cache age
information from the service. Hence, the new behavior is to always include the cache age information.
While this option has been inactive for a while (and never has been active for Windows), it's now
officially removed from the config format. Old agent rulesets will be migrated automatically; manually
specified checks will continue to work, but the <tt>appendage</tt>/<tt>add_age</tt> flags will be ignored
without further notice.
ID: 15062
Title: Set umask to 0077 for site user
Component: Core & setup
Level: 1
Class: New feature
Version: 2.2.0i1
With this Werk we set the umask for the site user to 0077.
So by default newly created files and directories are not world or group accessible.
Files which need to be accessible from other users and groups have explicitly set permissions.
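The effect of this umask, and a check for entries that are still group or world accessible, shown as an added example (not Checkmk code). The helper names and the temporary directory are constructed for illustration and do not refer to real site paths.

```shell
#!/bin/sh
# Added example, not Checkmk code. All paths are temporary and constructed.

# Create a file and a directory inside $1 under umask $2. The subshell keeps
# the caller's own umask unchanged.
create_with_umask() {
    ( umask "$2" && : > "$1/file" && mkdir "$1/dir" )
}

# Print the octal permission bits of a path (GNU stat first, BSD stat second).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List entries below $1 that grant any permission to group or others.
# Symlinks are skipped because their own mode bits are not meaningful.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

demo() {
    tmp=$(mktemp -d) || return 1
    create_with_umask "$tmp" 0077
    echo "file: $(mode_of "$tmp/file")  dir: $(mode_of "$tmp/dir")"
    # A file that must be readable by others gets explicit permissions.
    : > "$tmp/shared" && chmod 0644 "$tmp/shared"
    echo "still group/world accessible:"
    list_exposed "$tmp"
    rm -rf "$tmp"
}

demo
```

Running list_exposed over a directory that predates the umask change shows which existing files keep wider permissions, since the umask only affects newly created files and directories.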
ID: 14924
Title: Fix CSRF in add-visual endpoint
Component: Setup
Level: 1
Class: Security fix
Version: 2.2.0i1
Prior to this Werk an attacker could utilize a cross-site request forgery vulnerability in Checkmk to add elements to visuals (e.g. dashboards, reports, etc.).
<b>Mitigations:</b>
If you are unable to update in a timely manner, you can remove the permissions <tt>Customize dashboards and use them</tt> and <tt>Customize reports and use them</tt> from the roles in use. Users and admins will then no longer be able to edit dashboards and reports.
Adding a <tt>Custom url</tt> with a malicious URL is blocked by the Content-Security-Policy.
All versions of Checkmk, including 1.6, are subject to this vulnerability.
This vulnerability was found through a self-commissioned penetration test.
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L</tt>. A CVE has been requested.
ID: 15005
Title: Fix possible KeyError on service graphs view
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
If a user lacked the permission "Services - Service (service)" and tried to open
the view "Service graphs" (service_graphs), an error like "KeyError (service)"
occurred.
ID: 14704
Title: mk_mysql: Support for multiple sockets and aliases
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Until now, the mk_mysql agent plugin could handle multiple sockets,
but without the possibility to specify one alias per socket.
Specifying multiple sockets and one alias for the whole instance would
lead to missing services in the discovery.
The option to configure multiple sockets was missing from the bakery.
Now, the mk_mysql agent plugin can handle multiple socket-alias pairs
which can be configured through the bakery.
The configuration example mysql.cfg has been added to Setup > Agents >
Other operating systems > Example Configurations.
ID: 13970
Title: Showing the config of an agent will no longer fail with a Permission Mismatch
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
Calling the "/objects/agent/" endpoint would always fail with a Permission Mismatch.
This is no longer the case.
ID: 13969
Title: ETag for root folder is not correctly generated
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
The ETag header for the root folder was generated incorrectly, making it impossible to edit the root folder through the REST API.
This is no longer the case.