Werk 17148 was adapted. The following is the new Werk; a diff is shown at the end of the message.
[//]: # (werk v2)
# Persist known host keys for checks that use SSH
key | value
---------- | ---
date | 2024-08-26T08:56:04+00:00
version | 2.3.0p15
class | security
edition | cre
component | checks
level | 1
compatible | yes
When using the special agent *VNX quotas and filesystems* or the active check *Check SFTP Service*, the host keys were not properly checked.
If an attacker got into a machine-in-the-middle position, they could intercept the connection and retrieve information such as passwords.
As of this Werk the host key check is properly done.
In order to store known host keys, a regular `known_hosts` file is used, stored in `/omd/sites/$SITENAME/.ssh/known_hosts`.
If a host key changes, an error is now raised; resolving it requires manually editing this file.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 6.3 Medium CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N and assigned CVE-2024-6572.
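The following is an added example, not code from Checkmk, showing what the `known_hosts` check described above amounts to: a presented host key is compared against the pinned entry for that host, and a differing key of the same type is reported as changed rather than silently accepted. It handles both plain and hashed (`HashKnownHosts`, HMAC-SHA1) host fields; the function names, the sample file and the key blobs are constructed for this illustration.

```python
import base64
import hashlib
import hmac

def hashed_host_pattern(hostname, salt):
    """Build the '|1|salt|digest' host field OpenSSH writes with HashKnownHosts,
    where digest = HMAC-SHA1(salt, hostname)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def _host_matches(pattern, hostname):
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest_b64))
    return hostname in pattern.split(",")

def host_key_status(known_hosts_text, hostname, key_type, key_b64):
    """'known'   - an entry for hostname pins exactly this key
       'changed' - an entry of the same key type exists but the key differs
                   (this is the situation that now raises an error)
       'unknown' - no entry of this key type exists for hostname"""
    same_type_entries = 0
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines (not handled here).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        host_field, entry_type, entry_key = fields[0], fields[1], fields[2]
        if entry_type != key_type or not _host_matches(host_field, hostname):
            continue
        if entry_key == key_b64:
            return "known"
        same_type_entries += 1
    return "changed" if same_type_entries else "unknown"

# Constructed sample file: one plain entry and one hashed entry; the key blob is not a real key.
PINNED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyBlob0123456789"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# /omd/sites/mysite/.ssh/known_hosts (constructed)",
    "vnx-storage.example,10.0.0.5 ssh-ed25519 " + PINNED_KEY,
    hashed_host_pattern("sftp.example", b"constructed-salt1234") + " ssh-ed25519 " + PINNED_KEY,
])

if __name__ == "__main__":
    for host in ("vnx-storage.example", "sftp.example", "new-host.example"):
        print(host, host_key_status(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", PINNED_KEY))
    print("sftp.example with rotated key:",
          host_key_status(SAMPLE_KNOWN_HOSTS, "sftp.example", "ssh-ed25519", "AAAA-different"))
```

A result of `changed` is exactly the case that needs a human decision: either the target host legitimately rotated its key, or something sits between the site and the host.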
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Persist known host keys for checks that use SSH
key | value
---------- | ---
date | 2024-08-26T08:56:04+00:00
- version | 2.3.0p14
? ^
+ version | 2.3.0p15
? ^
class | security
edition | cre
component | checks
level | 1
compatible | yes
When using the special agent *VNX quotas and filesystems* or the active check *Check SFTP Service* the host keys were not properly checked.
If an attacker would get into a machine-in-the-middle position he could intercept the connection and retrieve information e.g. passwords.
As of this Werk the host key check is properly done.
In order to store known host keys a regular `known_hosts` file is used that is stored in `/omd/sites/$SITENAME/.ssh/known_hosts`.
If a host key changes an error is now raised that requires manual edit of this file.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 6.3 Medium CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N and assigned CVE-2024-6572.
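Review bot: with the fix now targeted at 2.3.0p15 instead of 2.3.0p14, the "Affected Versions" entry "2.3.0" no longer tells a reader which 2.3.0 patch releases still carry CVE-2024-6572; consider stating the first fixed patch level (2.3.0p15) explicitly in the affected-versions list, since the rest of the werk body is unchanged by this revision.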
Werk 17266 was adapted. The following is the new Werk; a diff is shown at the end of the message.
[//]: # (werk v2)
# REST-API: Include links for get hosts by default
key | value
---------- | ---
date | 2024-09-03T13:16:41+00:00
version | 2.4.0b1
class | fix
edition | cre
component | rest-api
level | 1
compatible | no
[Werk #16756](https://checkmk.com/werk/16756) introduced the `include_links`
flag to the `Show all hosts` endpoint
(`GET .../domain-types/host_config/collections/all`). The flag was disabled
by default.
This werk changes the default back to enabled. Because including links has a
performance impact, it is recommended to disable the flag explicitly if links are not
needed.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# REST-API: Include links for get hosts by default
key | value
---------- | ---
date | 2024-09-03T13:16:41+00:00
version | 2.4.0b1
class | fix
edition | cre
component | rest-api
level | 1
compatible | no
- [Werk #16756](https://werks.checkmk.com/16756) introduced the `include_links`
? ------
+ [Werk #16756](https://checkmk.com/werk/16756) introduced the `include_links`
? +++++
flag to the `Show all hosts` endpoint
(`GET .../domain-types/host_config/collections/all`). The flag was disabled
by default.
This werk changes the default to enabled again. As this comes with a
performance impact, it is recommended to disable it explicitly, if links are not
needed.
[//]: # (werk v2)
# REST-API: Introduce include_links and include_extensions to list endpoints
key | value
---------- | ---
date | 2024-09-03T13:25:46+00:00
version | 2.4.0b1
class | feature
edition | cre
component | rest-api
level | 1
compatible | yes
This Werk introduces two flags to most list endpoints.
The first flag, `include_links`, was already present for the list host configs endpoint. It
controls whether the links of the individual values are included.
This flag is enabled by default.
The second flag `include_extensions` toggles the inclusion of the extensions,
which contain most of the attributes. This flag is also enabled by default.
Both of these flags give users options to improve performance and reduce
response sizes.
[//]: # (werk v2)
# REST-API: Include links for get hosts by default
key | value
---------- | ---
date | 2024-09-03T13:16:41+00:00
version | 2.4.0b1
class | fix
edition | cre
component | rest-api
level | 1
compatible | no
[Werk #16756](https://werks.checkmk.com/16756) introduced the `include_links`
flag to the `Show all hosts` endpoint
(`GET .../domain-types/host_config/collections/all`). The flag was disabled
by default.
This werk changes the default back to enabled. Because including links has a
performance impact, it is recommended to disable the flag explicitly if links are not
needed.
Werk 17026 was adapted. The following is the new Werk; a diff is shown at the end of the message.
Title: Fix XSS in view page with SLA column
Class: security
Compatible: compat
Component: wato
Date: 1723724113
Edition: cee
Level: 1
Version: 2.1.0p48
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Indicators of Compromise</strong>:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: <code>CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N</code>, and assigned <code>CVE-2024-38859</code>.
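As an added illustration (not Checkmk code), the vulnerable rendering pattern described above beside its escaped form, plus a check in the spirit of the "Indicators of Compromise" section that lists SLA titles containing markup. The function names, the SLA definition shape (`owner`, `id`, `title`) and the sample data are constructed.

```python
import html
import re

def render_sla_cell_vulnerable(title, value):
    """Pre-fix behaviour: the SLA title is pasted into the markup verbatim, so a title
    containing a tag becomes live HTML in the browser of everyone viewing the page."""
    return '<td class="sla"><span class="title">%s</span> %s</td>' % (title, html.escape(value))

def render_sla_cell(title, value):
    """Fixed behaviour: every string that originates from user input is HTML-escaped."""
    return '<td class="sla"><span class="title">%s</span> %s</td>' % (html.escape(title), html.escape(value))

# A legitimately named SLA never needs a tag, an entity reference or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|&#|javascript:", re.IGNORECASE)

def suspicious_sla_titles(sla_definitions):
    """Return (owner, id, title) for every SLA definition whose title contains markup,
    so the views of those owners can be reviewed before anyone clones them."""
    return [(d["owner"], d["id"], d["title"]) for d in sla_definitions if MARKUP_RE.search(d["title"])]

# Constructed sample definitions; 'owner' is the user who created the SLA.
SAMPLE_SLAS = [
    {"owner": "ops", "id": "core_99_9", "title": "Core services 99.9%"},
    {"owner": "contractor", "id": "x1", "title": "Uptime <img src=x onerror=alert(1)>"},
    {"owner": "contractor", "id": "x2", "title": "Latency < 200 ms"},
]

if __name__ == "__main__":
    for owner, sla_id, title in suspicious_sla_titles(SAMPLE_SLAS):
        print("review SLA %s owned by %s: %r" % (sla_id, owner, title))
        print("  escaped cell:", render_sla_cell(title, "100%"))
```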
------------------------------------<diff>-------------------------------------------
Title: Fix XSS in view page with SLA column
Class: security
Compatible: compat
Component: wato
Date: 1723724113
Edition: cee
Level: 1
- Version: 2.1.0p47
? ^
+ Version: 2.1.0p48
? ^
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Indicators of Compromise</strong>:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: <code>CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N</code>, and assigned <code>CVE-2024-38859</code>.
Title: agent_kube: requests.SSLError raised on connection using self-signed certificates
Class: fix
Compatible: compat
Component: checks
Date: 1725278477
Edition: cre
Level: 1
Version: 2.2.0p33
Newer versions of `requests` don't take `REQUESTS_CA_BUNDLE` into account, resulting in
```
requests.exceptions.SSLError: \
HTTPSConnectionPool(host='<collector>', port=443): \
Max retries exceeded with url: \
/metadata (Caused by SSLError( \
SSLCertVerificationError(1, \
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: \
self signed certificate in certificate chain (_ssl.c:1006)')))
```
being raised if running `agent_kube` against instances using self-signed certificates.
This change invokes `session.merge_environment_settings()` to take `REQUESTS_CA_BUNDLE` into
account again.
See
[GitHub: 2807: Use merge_environment_settings method in sessions.send method](https://github.com/psf/requests/issues/2807)
and
[GitHub: 3626: HTTP Proxy with prepared request (honouring env. var.)](https://github.com/psf/requests/issues/3626)
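The following is an added example of the pattern the fix relies on, not Checkmk's own `agent_kube` code: `Session.request()` consults `REQUESTS_CA_BUNDLE` through `merge_environment_settings()`, but `Session.send()` on a prepared request does not, so the environment settings are merged explicitly before sending. The collector URL, token and bundle paths are constructed and nothing is contacted when the helper that reports the resulting `verify` value runs.

```python
import os
import requests

def send_settings(session, prepared, verify=None, cert=None, proxies=None, stream=None):
    """Return the keyword arguments session.send() needs so that REQUESTS_CA_BUNDLE,
    CURL_CA_BUNDLE and the *_proxy variables are honoured. Session.request() does this
    internally; Session.send() does not, which is the behaviour the werk fixes."""
    return session.merge_environment_settings(prepared.url, proxies or {}, stream, verify, cert)

def fetch_collector_metadata(collector_url, token, timeout=10.0):
    """Hypothetical helper in the spirit of agent_kube: GET <collector>/metadata with a
    bearer token, verifying TLS against the bundle named by REQUESTS_CA_BUNDLE."""
    session = requests.Session()
    request = requests.Request("GET", collector_url + "/metadata",
                               headers={"Authorization": "Bearer " + token})
    prepared = session.prepare_request(request)
    settings = send_settings(session, prepared)       # the fix: merge env settings first
    return session.send(prepared, timeout=timeout, **settings)

def verify_value_with_env(url, ca_bundle, explicit_verify=None):
    """Report the 'verify' value session.send() would receive with REQUESTS_CA_BUNDLE
    set to ca_bundle (None = unset). Nothing is sent; the environment is restored."""
    saved = {k: os.environ.pop(k, None) for k in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")}
    if ca_bundle is not None:
        os.environ["REQUESTS_CA_BUNDLE"] = ca_bundle
    try:
        session = requests.Session()
        prepared = session.prepare_request(requests.Request("GET", url))
        return send_settings(session, prepared, verify=explicit_verify)["verify"]
    finally:
        for k, v in saved.items():
            os.environ.pop(k, None)
            if v is not None:
                os.environ[k] = v

if __name__ == "__main__":
    url = "https://collector.example:443/metadata"   # constructed, not contacted
    print("with REQUESTS_CA_BUNDLE:", verify_value_with_env(url, "/omd/sites/mysite/constructed-ca.pem"))
    print("without it:             ", verify_value_with_env(url, None))
```

An explicitly passed `verify=` path still wins over the environment, which is the same precedence `Session.request()` applies.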
Title: HTML Email: Handle SMTP return code 554 as permanent error
Class: fix
Compatible: compat
Component: notifications
Date: 1725281302
Edition: cre
Level: 1
Version: 2.2.0p33
If you used "Enable synchronous delivery via SMTP", the return code 554 was not
handled as a permanent error, leading to multiple delivery attempts.
This return code is now handled as a permanent error.
Werk 16594 was adapted. The following is the new Werk; a diff is shown at the end of the message.
Title: Container: Support setting custom timezone
Class: feature
Compatible: compat
Component: packages
Date: 1724255060
Edition: cre
Level: 1
Version: 2.2.0p33
The checkmk containers now support setting the `TZ` variable for a container to specify which timezone the site should use.
The timezone is then set for the site running inside the container.
This removes the need to mount timezone files from the host machine into the Docker container.
A run command can look like this: `docker container run ... --env TZ="Europe/Berlin" check-mk-enterprise:<version>`
------------------------------------<diff>-------------------------------------------
Title: Container: Support setting custom timezone
Class: feature
Compatible: compat
Component: packages
Date: 1724255060
Edition: cre
Level: 1
Version: 2.2.0p33
The checkmk containers now support setting the TZ variable for a container to specify what timezone the site should use.
The timezone information is then set for the site running inside the container.
This removes the need to mount timezone files from the host machine into a docker container.
+ A run command can look like this: `docker container run ... --env TZ="Europe/Berlin" check-mk-enterprise:<version>`
+
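Review bot: the added run command uses `check-mk-enterprise:<version>` as the image while the werk is filed for edition `cre`; either use the raw edition image in the example or add a sentence that `TZ` is honoured by every edition's container image, so readers of the raw edition do not take the feature to be enterprise-only. The second added line is an empty trailing line and can be dropped.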
[//]: # (werk v2)
# Use SHA256 digest when baking RPMs
key | value
---------- | ---
date | 2024-08-20T12:18:33+00:00
version | 2.3.0p15
class | feature
edition | cee
component | agents
level | 1
compatible | yes
The agent bakery now uses SHA256 for digests in the package header when creating RPM packages.
Specifically, this means `rpmbuild` is now invoked with the macros
```
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
```
where `8` signifies SHA256. See `man rpmsign` for further information.
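As an added example, not part of the werk or of the agent bakery, a minimal reader for the RPM header section that shows where the value `8` ends up and how to verify a packaged file against the recorded digest: the main header stores the algorithm id in the `FILEDIGESTALGO` tag (5011) and the per-file hex digests in `FILEDIGESTS` (1035), indexed like `BASENAMES` (1117). `build_header` only exists to construct the sample section inline; the file name and content are made up, and a real package would be read after its lead and signature header.

```python
import hashlib
import struct
HEADER_MAGIC = b"\x8d\xad\xe8\x01"          # 3 magic bytes + header format version 1
RPMTAG_FILEDIGESTS, RPMTAG_BASENAMES, RPMTAG_FILEDIGESTALGO = 1035, 1117, 5011
INT32, STRING_ARRAY = 4, 8                   # header entry types used here
DIGEST_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}  # PGP hash ids

def parse_header(blob):
    """Decode one header section (magic, index, data store) into {tag: value}; INT32 and STRING_ARRAY only."""
    if blob[:4] != HEADER_MAGIC:
        raise ValueError("not an RPM header section")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    index, store = blob[16:16 + 16 * nindex], blob[16 + 16 * nindex:16 + 16 * nindex + hsize]
    tags = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iIiI", index[16 * i:16 * i + 16])
        if typ == INT32:
            tags[tag] = list(struct.unpack(">%di" % count, store[off:off + 4 * count]))
        elif typ == STRING_ARRAY:   # NUL-terminated strings stored back to back
            tags[tag] = [s.decode() for s in store[off:].split(b"\0", count)[:count]]
    return tags

def file_digest_algorithm(blob):
    """Digest used for FILEDIGESTS; a header without FILEDIGESTALGO is legacy MD5."""
    algo = parse_header(blob).get(RPMTAG_FILEDIGESTALGO, [1])[0]
    return DIGEST_ALGOS.get(algo, "unknown(%d)" % algo)

def verify_file_digest(blob, basename, content):
    """True if content hashes, with the header's algorithm, to the digest stored for basename."""
    tags = parse_header(blob)
    expected = tags[RPMTAG_FILEDIGESTS][tags[RPMTAG_BASENAMES].index(basename)]
    return hashlib.new(file_digest_algorithm(blob), content).hexdigest() == expected

def build_header(entries):
    """Encode [(tag, type, values)] as a header section; used only to construct the sample."""
    index, store = b"", b""
    for tag, typ, values in entries:
        if typ == INT32:
            store += b"\0" * (-len(store) % 4)               # INT32 data is 4-byte aligned
            data = struct.pack(">%di" % len(values), *values)
        else:
            data = b"".join(v.encode() + b"\0" for v in values)
        index += struct.pack(">iIiI", tag, typ, len(store), len(values))
        store += data
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

# Constructed sample: one packaged file whose digest was written with algorithm 8 (SHA256).
SAMPLE_CONTENT = b"#!/bin/sh\necho constructed agent\n"
SAMPLE_HEADER = build_header([(RPMTAG_FILEDIGESTALGO, INT32, [8]), (RPMTAG_BASENAMES, STRING_ARRAY, ["check_mk_agent"]),
                              (RPMTAG_FILEDIGESTS, STRING_ARRAY, [hashlib.sha256(SAMPLE_CONTENT).hexdigest()])])
```

On a real package the same tags are what `rpm -qp --qf '%{FILEDIGESTALGO}\n'` and `%{FILEDIGESTS}` print, so a baked RPM can be checked for the expected `8` without parsing it by hand.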