ID: 14293
Title: Enforce use of new apache hooks before updating to 2.2
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
With #14281 a new system apache configuration hook for managing the system
apache reverse proxy config has been introduced.
In all previous versions the transition was highly recommended for security
reasons, but not enforced to stay compatible. As of Checkmk 2.2 the new
mechanism will be enforced.
If you try to update an existing site to 2.2 which has not been switched to the
new mechanism with <tt>omd update-apache-config [SITE]</tt>, then the update
will be aborted.
ID: 14743
Title: Fix sorting by folder on ruleset pages
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
The rules on ruleset pages were always sorted by folder ID.
If the folder was renamed this could lead to a wrong sorting order.
Now the title path is used.
ID: 14696
Title: azure_load_balancer: Monitor Azure Load Balancer
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
It's now possible to monitor Azure Load Balancer in Checkmk.
Three new checks have been added:
<ul>
<li>Microsoft Azure Load Balancer: Byte Count</li>
<li>Microsoft Azure Load Balancer: Health</li>
<li>Microsoft Azure Load Balancer: SNAT Consumption</li>
</ul>
The new services will be automatically discovered if you have
an Azure Load Balancer in the resource group already monitored
in Checkmk.
ID: 14736
Title: Agent Bakery: Show correct signed status if not baking for all platforms
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
When narrowing down target platforms with the "Agent bakery packages" rule,
the signed status (key icon) at the agent bakery GUI previously showed a
"partially signed" state even if all selected packages have been signed correctly.
ID: 14750
Title: Fix role ID in user menu
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
If a role was copied, the name of the source role was shown in the user menu
for the logged in user.
ID: 14293
Title: Enforce use of new apache hooks before updating to 2.2
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
With #14281 a new system apache configuration hook for managing the system
apache reverse proxy config has been introduced.
In all previous versions the transition was highly recommended for security
reasons, but not enforced to stay compatible. As of Checkmk 2.2 the new
mechanism will be enforced.
If you try to update an existing site to 2.2 which has not been switched to the
new mechanism with <tt>omd update-apache-config [SITE]</tt>, then the update
will be aborted.
ID: 14485
Title: Fix session cookie validation on RestAPI
Component: REST API
Level: 1
Class: Security fix
Version: 2.2.0i1
Before this Werk expired sessions were still valid on the RestAPI, since the
RestAPI only vaildated the Cookie signature.
An attacker who was able to steal a session cookie could use that cookie on the
RestAPI even after the session expired. Some actions though require access to
the user session, these action fail due to the expired session. Some actions do
not access the session and are therefore possible.
<b>Affected Versions</b>:
All versions with the RestAPI are affected: 2.0, and 2.1.
<b>Mitigations</b>:
Immediate mitigations are not available.
<b>Indicators of Compromise</b>:
Review Apache and web.log for suspicious logs.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 5.6 (Medium) with the following
CVSS vector:
<tt>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L</tt>.
A CVE has been requested.
ID: 14763
Title: domino_tasks: state becomes UNKNOWN instead of STALE when data is missing
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check "domino_tasks" shows state UNKNOWN along with the message "Item not
found in monitoring data", even though there is no data available for this
check. The check now becomes STALE when no data is available.
ID: 14556
Title: mk_postgres: support Latin-1 server encoding
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, any Postgresgl server with encoding Latin-1 would be rejected by the agent
<tt>mk_postgres.py<\tt>. This is because some of the SQL queries sent by the agent contained utf-8
only characters. With this werk, the agent supports Latin-1 encoding.
ID: 14749
Title: Fix TypeError on export of graph collections as PDF
Component: Reporting & Availability
Level: 1
Class: Bug fix
Version: 2.2.0i1
If you exported a graph collection via "Export" - "This collection as PDF", the error "TypeError: string indices must be integers" occurred.