ID: 2626
Title: ps check configurable to list state of individual processes in long output
Component: Checks & Agents
Level: 1
Class: New Feature
Version: 1.2.7i3
The configuration parameter is called "Enable per-process details in long-output" and it can be set
to either text or HTML output. HTML output works only if HTML escaping has been disabled in the global
settings, which may be a potential security problem.
ID: 2614
Title: Fixed exception when processing events with umlaut in names from history
Component: Event Console
Level: 1
Class: Bug Fix
Version: 1.2.7i3
ID: 2613
Title: Additional fix for reflected XSS on index page using start_url
Component: Multisite
Level: 1
Class: Security Fix
Version: 1.2.7i3
The issue had already been addressed in werk #2388, but that fix did not
solve the problem in all cases.
ID: 2612
Title: Fixed possible XSS on service detail page using the long service output
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.7i3
Normally all check results displayed in the GUI are HTML escaped by default.
The escaping was missing for the long service output on the service detail
page. So one could create multi-line check results containing HTML/JavaScript
code which would be executed when a user opens the service detail page of
the service with the check result containing the injected code.
The issue has been fixed by escaping the long output exactly like the normal
plugin output. One difference is left: newline characters are replaced by
HTML newlines so that multiple lines can still be displayed.
If you want the old behaviour back, you can disable the plugin output escaping
using the global settings. But please note that an attacker might then be able to
inject JavaScript code.
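The escaping order described in werk #2612, as an added Python illustration (not Check_MK's own code; the function names and the sample check result are constructed for this example). It shows the fixed rendering, the old unescaped rendering, and why the newline conversion has to come after the escaping.

```python
import html


def render_long_output(long_output: str, escape: bool = True) -> str:
    """Render multi-line check output for embedding in an HTML page.

    escape=True models the fixed behaviour: HTML-escape first, then turn
    newlines into <br>. escape=False models the old behaviour (and the
    global setting that disables plugin output escaping).
    """
    text = html.escape(long_output, quote=True) if escape else long_output
    # Only the <br> tags inserted here are real markup in the escaped case.
    return text.replace("\r\n", "\n").replace("\n", "<br>")


def render_wrong_order(long_output: str) -> str:
    """Mistake to avoid: converting newlines before escaping also escapes
    the inserted <br> tags, so the line breaks show up as literal text."""
    return html.escape(long_output.replace("\n", "<br>"), quote=True)


def contains_foreign_markup(rendered: str) -> bool:
    """True if the rendered string still contains a '<' that is not part
    of a <br> line break, i.e. markup that came from the check result."""
    return "<" in rendered.replace("<br>", "")


# Constructed sample: a three-line check result whose second line carries
# markup and whose third line contains a literal "<br>" typed by the sender.
SAMPLE = "CPU load ok\n<script>alert(1)</script>\nline 3 <br> literal"

if __name__ == "__main__":
    for label, out in (
        ("fixed", render_long_output(SAMPLE)),
        ("old / escaping disabled", render_long_output(SAMPLE, escape=False)),
        ("wrong order", render_wrong_order(SAMPLE)),
    ):
        print(f"{label:24} foreign markup={contains_foreign_markup(out)!s:5} {out}")
```
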
ID: 2611
Title: Fixed host view permission checks on host related pages
Component: WATO
Level: 1
Class: Bug Fix
Version: 1.2.7i3
Different host related pages (properties, services, rulesets, diagnose) were lacking
a "read host" permission check. So users were able to view details about hosts which
they were not permitted to see.
ID: 2609
Title: mysql_capacity: Can now handle sizes reported being NULL
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.7i3
The discovery is now skipping all databases reported with a size
or capacity of 'NULL'. The check function can also deal with this
situation to prevent crash reports. Users experiencing this situation
should update and rediscover the services of the affected hosts to
remove the useless database checks.
ID: 2428
Title: "Clustered services for overlapping cluster": Improved rule matching
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.7i3
The matching algorithm for these rules did not check whether the node
was actually a member of the matched cluster.
For example, assume you had the following clusters:
<pre>
ClusterA: Host1, Host2
ClusterB: Host3, Host4
</pre>
And these "Clustered services for overlapping cluster" rules:
<pre>
Rule 1) Service1 -> ClusterA
Rule 2) Service1 -> ClusterB
</pre>
If Host3 has a Service1, the rule number one would match and
assign this service to ClusterA, ignoring the fact that this
host is actually a part of ClusterB.
This has been fixed.