Werk 16011 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: HW/SW Inventory: Fix error while merging inventory and status data tables if one is empty
Class: fix
Compatible: compat
Component: inv
Date: 1702281903
Edition: cre
Level: 1
Version: 2.2.0p17
------------------------------------<diff>-------------------------------------------
Title: HW/SW Inventory: Fix error while merging inventory and status data tables if one is empty
Class: fix
Compatible: compat
Component: inv
Date: 1702281903
Edition: cre
Level: 1
- Version: 2.2.0p18
? ^
+ Version: 2.2.0p17
? ^
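Review bot: the werk still has no description below the header fields, so the title is the only record of this fix. Add a sentence after the Version line saying which error appeared when the inventory or the status data table was empty, and what behaviour users get after the fix.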
Werk 16354 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: nginx_status_2.py: Fix SyntaxError
Class: fix
Compatible: compat
Component: checks
Date: 1701879932
Edition: cre
Level: 1
Version: 2.2.0p17
The Python 2-version of the NGINX agent plugin crashed with a SyntaxError:
C:+
  File "nginx_status_2.py", line 132
    config: dict = {}
          ^
SyntaxError: invalid syntax
C:-
------------------------------------<diff>-------------------------------------------
Title: nginx_status_2.py: Fix SyntaxError
Class: fix
Compatible: compat
Component: checks
Date: 1701879932
Edition: cre
Level: 1
- Version: 2.2.0p18
? ^
+ Version: 2.2.0p17
? ^
The Python 2-version of the NGINX agent plugin crashed with a SyntaxError:
C:+
File "nginx_status_2.py", line 132
config: dict = {}
^
SyntaxError: invalid syntax
C:-
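Review bot: the description below the header fields shows only the SyntaxError at line 132 and stops there; it never says what was changed. A closing sentence after the C:- marker should state how the annotated assignment "config: dict = {}" was made compatible with Python 2 and whether already deployed copies of the agent plugin need to be updated.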
Werk 16159 was deleted. The following Werk is no longer relevant.
Title: linux-bonding: introduce check for expected bonding mode
Class: feature
Compatible: incomp
Component: checks
Date: 1698999268
Edition: cre
Level: 1
Version: 2.2.0p17
The service monitoring rule "Linux monitoring service status"
was previously used for both Linux and OVS. This werk
splits this rule in two. We now have the following rules:
* Bonding interface status
* OVS bonding interface status
The reason is that we have introduced an expected mode
configuration parameter only for the Linux rule. You can
now select the expected bonding mode and the state to
display when this condition is not met.
Actions:
Case 1: Rule configured for Linux
Action: do nothing.
Case 2: Rule configured for OVS
Action: All previously configured rules will now appear as
Linux Bonding interface status rules. Therefore you will
have to delete them and create new "OVS Bonding interface
status" rules.
Werk 15715 was deleted. The following Werk is no longer relevant.
Title: agent_proxmox_ve: Use statically configured IP address if set
Class: fix
Compatible: compat
Component: checks
Date: 1701627600
Edition: cre
Level: 1
Version: 2.2.0p17
The special agent always used the hostname to connect to the Proxmox VE host, even when the host
address was configured explicitly.
Title: HW/SW Inventory: Fix error while merging inventory and status data tables if one is empty
Class: fix
Compatible: compat
Component: inv
Date: 1702281903
Edition: cre
Level: 1
Version: 2.2.0p18
Title: Privilege escalation in Agent
Class: security
Compatible: compat
Component: checks
Date: 1701938773
Edition: cre
Level: 2
Version: 2.2.0p17
In order to monitor livestatus from running sites on a host, the Checkmk agent uses unixcat, which is part of Checkmk.
Since the binary is linked to libraries that are also part of Checkmk and may differ from the libraries of the operating system, calling unixcat outside of the scope of a site could result in errors due to version mismatches in these libraries.
To use the correct libraries, a fix was introduced in Checkmk 2.2.0p10 that adds the libraries from the site to the call in the agent.
Since the lib folder within a site is writable by the site, a rogue site could inject malicious libraries into the unixcat call from the agent, which is executed as root, leading to a privilege escalation.
We thank Jan-Philipp Litza for reporting this issue.
<b>Affected Versions</b>:
* since 2.2.0p10
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31210 to this vulnerability.
<b>Changes</b>:
This Werk changes the library path from the site to the version files, which are only root-writable.
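The property this change restores can be checked before any root-run command is given an extra library path. The following is an added example, not Checkmk code: the function names are hypothetical, and it assumes a POSIX host and a colon-separated path in the form used by LD_LIBRARY_PATH (the Werk does not say how the libraries are passed to the call).

```python
import os
import stat
import tempfile


def _problem(path, trusted_uid):
    """Return why path can be modified by someone other than trusted_uid, else None."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return "cannot stat (%s)" % exc.strerror
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/other writable (mode %o)" % stat.S_IMODE(st.st_mode)
    return None


def audit_library_path(search_path, trusted_uid=0):
    """Return (path, reason) findings for a colon-separated library search path.

    Checks each directory and each file directly inside it; parents are not checked.
    """
    findings = []
    for entry in search_path.split(":"):
        if not entry:
            # The dynamic loader reads an empty entry as the current directory.
            findings.append((entry, "empty entry means current directory"))
            continue
        directory = os.path.realpath(entry)
        reason = _problem(directory, trusted_uid)
        if reason is None and not os.path.isdir(directory):
            reason = "not a directory"
        if reason:
            findings.append((directory, reason))
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            reason = _problem(path, trusted_uid)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: a world-writable directory standing in for a site-writable lib folder.
    with tempfile.TemporaryDirectory() as sample:
        os.chmod(sample, 0o777)
        print(audit_library_path(sample, trusted_uid=os.getuid()))
```

An empty result means every listed directory and the files directly in it are owned by the trusted user and not writable by group or others.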
Werk 16033 was deleted. The following Werk is no longer relevant.
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.2.0p17
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
Werk 16033 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.2.0p17
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
------------------------------------<diff>-------------------------------------------
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
- Version: 2.2.0p16
? ^
+ Version: 2.2.0p17
? ^
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
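Review bot: in the description lines below the Version change, "the crash creation failed and crashed itself" is hard to parse and does not match the title, which says "crash report". Suggest "creating the crash report failed with an error of its own", and use "crash report" in the last sentence as well.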
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.2.0p16
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.