[//]: # (werk v2)
# Test notifications: Fix simulation of "Start of downtime"
key | value
---------- | ---
date | 2024-09-17T05:19:13+00:00
version | 2.4.0b1
class | fix
edition | cre
component | notifications
level | 1
compatible | yes
If you used the simulation method "Start of downtime", the test did not match
any rule with event type option "Start or end of a scheduled downtime".
This has been fixed.
Werk 16251 was deleted. The following Werk is no longer relevant.
[//]: # (werk v2)
# Update monitoring-plugins to 2.4.0
key | value
---------- | ---
date | 2024-09-04T14:11:06+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | yes
[//]: # (werk v2)
# ldap: you can't create a new connection with an existing suffix
key | value
---------- | ---
date | 2024-09-12T05:38:52+00:00
version | 2.4.0b1
class | fix
edition | cre
component | rest-api
level | 1
compatible | no
Via the REST API it was previously possible to create more than
one LDAP connection with the same suffix. This was incorrect
and did not match the behaviour of the UI. This werk addresses
the issue by no longer allowing the same suffix on more than
one LDAP connection.
[//]: # (werk v2)
# mysql_replica_slave: Adapt mk_mysql for MySQL version 8.0.22 and above
key | value
---------- | ---
date | 2024-09-10T12:46:28+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | yes
From MySQL 8.0.22, SHOW SLAVE STATUS is deprecated and the alias SHOW REPLICA STATUS should be used instead.
The statement works in the same way as before, only the terminology used for the statement and its output has changed.
For the sake of compatibility, the service name stays 'MySQL Slave'.
There is no user intervention required.
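As an added illustration of the statement switch described above (example code, not Checkmk's mk_mysql or mysql_slave code): pick the replication status statement by server version and map the renamed output columns back to the legacy names so the existing "MySQL Slave" service keeps working unchanged. The column mapping, the sample output and the version strings are assumptions constructed for this example.

```python
import re
from typing import Dict, Tuple

# Constructed example, not Checkmk's mk_mysql or mysql_slave code: choose the
# replication status statement by server version and map the renamed output
# columns back to the legacy names so "MySQL Slave" keeps working unchanged.
# Assumed subset of the columns renamed by SHOW REPLICA STATUS (MySQL 8.0.22+).
_REPLICA_TO_LEGACY = {
    "Replica_IO_State": "Slave_IO_State",
    "Source_Host": "Master_Host",
    "Replica_IO_Running": "Slave_IO_Running",
    "Replica_SQL_Running": "Slave_SQL_Running",
    "Seconds_Behind_Source": "Seconds_Behind_Master",
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.0.22-0ubuntu0.20.04.3' or '5.7.44-log' into (8, 0, 22)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparsable MySQL version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def replication_status_statement(version: str) -> str:
    """SHOW REPLICA STATUS from 8.0.22 on, the deprecated alias before that."""
    if parse_version(version) >= (8, 0, 22):
        return "SHOW REPLICA STATUS"
    return "SHOW SLAVE STATUS"


def parse_status_block(raw: str) -> Dict[str, str]:
    """Parse the vertical (one column per line) output, keyed by legacy names."""
    status: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:  # skips the "*** 1. row ***" separator line
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        status[_REPLICA_TO_LEGACY.get(key, key)] = value.strip()
    return status


# Constructed sample of the new-style output (not captured from a real server).
SAMPLE_REPLICA_OUTPUT = """\
*************************** 1. row ***************************
             Replica_IO_State: Waiting for source to send event
                  Source_Host: db-primary.example.invalid
           Replica_IO_Running: Yes
          Replica_SQL_Running: Yes
        Seconds_Behind_Source: 0
"""
```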
Title: Fix XSS on SAML login screen
Class: security
Compatible: compat
Component: wato
Date: 1725549833
Edition: cee
Level: 1
Version: 2.2.0p34
Prior to this Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page.
This could facilitate phishing attacks by tricking users into clicking malicious links.
Links in the error message are now escaped and no longer clickable.
This issue was identified during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.1 Medium (<code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</code>) and assigned <code>CVE-2024-38860</code>.
[//]: # (werk v2)
# Fix XSS on SAML login screen
key | value
---------- | ---
date | 2024-09-05T15:23:53+00:00
version | 2.3.0p16
class | security
edition | cee
component | wato
level | 1
compatible | yes
Prior to this Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page.
This could facilitate phishing attacks by tricking users into clicking malicious links.
Links in the error message are now escaped and no longer clickable.
This issue was identified during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N`) and assigned `CVE-2024-38860`.