Title: Protect automation user secret against timing attacks
Class: security
Compatible: compat
Component: wato
Date: 1700216645
Edition: cre
Knowledge: undoc
Level: 1
State: unknown
Version: 2.1.0p37
This Werk improves how the secret of an automation user is validated during login.
Prior to the Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks.
This is fixed now.
Even though this Werk improves security, it does not address an exploitable vulnerability.
To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
Title: broken autocomplete select fields
Class: fix
Compatible: compat
Component: wato
Date: 1700476403
Edition: cre
Level: 2
Version: 2.2.0p15
When a configuration form page is loaded with lots of selects, it could take
a very long time for the page to load. To gain more performance, the conversion
of select-fields to more user-friendly ones would be skipped whenever the
conversion would have taken longer than 3 seconds.
This led to the bug that in this situation, autocomplete fields would stop
working completely.
This is fixed with this werk. While regular select fields can still be skipped
to gain page-load performance, autocomplete will never be skipped now.
There are no manual changes necessary by the user for this to take effect.
Title: align quoting of synchronous and asynchronous MRPE
Class: fix
Compatible: incomp
Component: checks
Date: 1700489068
Edition: cre
Level: 1
Version: 2.2.0p15
You are affected by this change if you use asynchronous MRPE and used double
quotes (<tt>"</tt>) in the MRPE command.
Quoting of MRPE commands differed between cached and non-cached MRPE checks.
With this Werk the quoting rules for the normal/synchronous execution of MRPE
are applied to asynchronous MRPE commands.
The following can now be applied to both asynchronous and normal/synchronous
execution of MRPE commands: Use single quotes on the first level of quoting.
This command will correctly show <tt>output with spaces</tt> in the Service
output:
<tt>bash -c 'echo "output with spaces"'</tt>
If you execute asynchronous MRPE and the command uses double quotes on the
first level of quoting, adapt it accordingly.
Title: Fix "Metric history" context filter on view edit
Class: fix
Compatible: compat
Component: multisite
Date: 1700552738
Edition: cee
Level: 1
Version: 2.2.0p15
If you edited a view with the context filter "Metric history", the value was
always "Only first 10 sorted results", even if another value was set before.
This was just a problem with the default choice of the dropdown. If you used
the view, the filter should have worked as expected.
Title: Protect automation user secret against timing attacks
Class: security
Compatible: compat
Component: wato
Date: 1700216645
Edition: cre
Knowledge: undoc
Level: 1
State: unknown
Version: 2.2.0p15
This Werk improves how the secret of an automation user is validated during login.
Prior to the Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks.
This is fixed now.
Even though this Werk improves security, it does not address an exploitable vulnerability.
To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
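The two Werks above (for 2.1.0p37 and 2.2.0p15) describe the same change. The following added example, which is not Checkmk's own code, contrasts a comparison that exits at the first mismatching character with a comparison whose running time does not depend on where the inputs differ; the secret value and the function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample secret; a real secret would come from the automation user's profile.
STORED_SECRET = "s3cret-automation-token"


def naive_compare(candidate: str, stored: str) -> Tuple[bool, int]:
    """Pre-Werk style comparison: returns early at the first mismatch.

    The second return value is the number of characters inspected, which makes
    the side channel visible: the amount of work (and therefore the time) grows
    with the length of the prefix the candidate shares with the stored secret.
    """
    inspected = 0
    if len(candidate) != len(stored):
        return False, inspected  # the length mismatch is revealed immediately
    for a, b in zip(candidate, stored):
        inspected += 1
        if a != b:
            return False, inspected  # early exit leaks the mismatch position
    return True, inspected


def constant_time_compare(candidate: str, stored: str) -> bool:
    """Post-Werk style comparison.

    Both values are hashed to a fixed length first, so the comparison always
    processes the same number of bytes and the secret's length is not exposed;
    hmac.compare_digest then compares without depending on where bytes differ.
    """
    h_candidate = hashlib.sha256(candidate.encode("utf-8")).digest()
    h_stored = hashlib.sha256(stored.encode("utf-8")).digest()
    return hmac.compare_digest(h_candidate, h_stored)


def verify_automation_secret(candidate: str, stored: str = STORED_SECRET) -> bool:
    """Hypothetical login check: accept the candidate only on a full match."""
    return constant_time_compare(candidate, stored)
```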
Title: oracle_crs_res: TypeError: Resource.__init__() got an unexpected keyword argument 'enabled'
Class: fix
Compatible: compat
Component: checks
Date: 1700145397
Edition: cre
Knowledge: doc
Level: 1
Version: 2.2.0p15
The agent output changed with newer Oracle databases; it now includes "enabled"
data. Previous versions of this check could not handle this and crashed with
the following error:
<tt>TypeError: Resource.__init__() got an unexpected keyword argument 'enabled'</tt>
oracle_crs_res now ignores all additional data.
Title: Allow CA certificates without key usage restrictions
Class: fix
Compatible: compat
Component: wato
Date: 1700470697
Edition: cre
Level: 1
Version: 2.3.0b1
Prior to this Werk, certificates that did not include the KeyUsage extension were not considered CA certificates by Checkmk, as they lack the keyCertSign bit.
While CAs conforming with RFC 5280 MUST include the extension and set this bit, not all do in practice. Recommendation ITU-T X.509 considers only the basicConstraints "cA" flag required for CAs.
With this Werk, Checkmk will consider a certificate that sets the cA basicConstraints flag but omits the KeyUsage extension as a valid CA certificate. Note that certificates that do include the KeyUsage extension but lack the keyCertSign bit may still not be used for certificate signing.
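The decision rule before and after this Werk, as an added example that is not Checkmk's code. It operates on values already parsed from a certificate (the cA flag of basicConstraints and the set of KeyUsage bits, or None when the extension is absent); the function names and the sample certificates are constructed for illustration.

```python
from typing import Dict, FrozenSet, Optional, Tuple

KEY_CERT_SIGN = "keyCertSign"


def is_ca_certificate(
    basic_constraints_ca: bool,
    key_usage: Optional[FrozenSet[str]],
    require_key_usage: bool,
) -> Tuple[bool, str]:
    """Return (accepted, reason).

    require_key_usage=True reproduces the pre-Werk behaviour, where a missing
    KeyUsage extension was treated like a missing keyCertSign bit.
    require_key_usage=False is the post-Werk behaviour: an absent KeyUsage
    extension is accepted, but a present one must still carry keyCertSign.
    """
    if not basic_constraints_ca:
        return False, "basicConstraints cA flag is not set"
    if key_usage is None:
        if require_key_usage:
            return False, "KeyUsage extension missing (required before the Werk)"
        return True, "cA set, no KeyUsage extension: accepted per X.509"
    if KEY_CERT_SIGN in key_usage:
        return True, "cA set and keyCertSign present"
    return False, "KeyUsage present but keyCertSign bit missing"


# Constructed sample certificates, reduced to the two attributes that matter here.
SAMPLE_CERTS: Dict[str, Tuple[bool, Optional[FrozenSet[str]]]] = {
    "rfc5280_ca": (True, frozenset({KEY_CERT_SIGN, "cRLSign"})),
    "x509_only_ca": (True, None),
    "ca_without_keycertsign": (True, frozenset({"digitalSignature"})),
    "leaf": (False, None),
}


def classify_all(require_key_usage: bool) -> Dict[str, bool]:
    """Apply the rule to every sample certificate and return name -> accepted."""
    return {
        name: is_ca_certificate(ca, ku, require_key_usage)[0]
        for name, (ca, ku) in SAMPLE_CERTS.items()
    }
```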
Werk 15210 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: mk_oracle: change host and port to required fields in auth choices
Class: fix
Compatible: compat
Component: wato
Date: 1675686406
Edition: cre
Knowledge: doc
Level: 1
Version: 2.3.0b1
The Oracle plugin allowed the user to configure Login options without
actually configuring any details. This also resulted in the default values
for 'Hostname' or 'TCP-Port for Listener' to be ignored. This werk fixes
this issue.
------------------------------------<diff>-------------------------------------------
Title: mk_oracle: change host and port to required fields in auth choices
Class: fix
Compatible: compat
Component: wato
Date: 1675686406
Edition: cre
Knowledge: doc
Level: 1
- Version: 2.2.0i1
? ^ ^
+ Version: 2.3.0b1
? ^ ^
The Oracle plugin allowed the user to configure Login options without
actually configuring any details. This also resulted in the default values
for 'Hostname' or 'TCP-Port for Listener' to be ignored. This werk fixes
this issue.
-
Werk 15635 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: citrix_state: Fix Crashing Plugins
Class: fix
Compatible: compat
Component: checks
Date: 1687522021
Edition: cre
Knowledge: doc
Level: 1
Version: 2.3.0b1
This is a follow-up to Werk 15623. The following checks were not properly migrated in the 2.2.0
release:
LI: <tt>citrix_state.hosting_server</tt>
LI: <tt>citrix_state.controller</tt>
LI: <tt>citrix_state</tt>
With this Werk, they continue to work as they did in 2.1.0.
------------------------------------<diff>-------------------------------------------
Title: citrix_state: Fix Crashing Plugins
Class: fix
Compatible: compat
Component: checks
Date: 1687522021
Edition: cre
Knowledge: doc
Level: 1
- Version: 2.2.0p5
? ^ ^^
+ Version: 2.3.0b1
? ^ ^^
This is a follow-up to Werk 15623. The following checks were not properly migrated in the 2.2.0
release:
LI: <tt>citrix_state.hosting_server</tt>
LI: <tt>citrix_state.controller</tt>
LI: <tt>citrix_state</tt>
With this Werk, they continue to work as they did in 2.1.0.
-