ID: 0195
Title: fc_port: Check temporarily disabled because of problems with automatic detection
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.5i6
There is currently a problem with the scan function, which leads to a positive result on unsupported devices.
The check will be re-enabled as soon as the problems are fixed.
ID: 1071
Title: oracle_rman_backups: Only inventorize ARCHIVELOG / DB FULL / DB INCR entries
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.5i6
Previous versions of the check also inventorized the entry "BACKUPSET", which
is useless to monitor.
ID: 0194
Title: raritan_pdu_inlet: Check now outputs the correct values
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.5i6
The complete check has been rewritten because of a few problems with the old version.
A re-inventory of all Raritan PDU devices is needed after the update.
ID: 1070
Title: printer_input/printer_output: New checks to monitor input/output sub-units of printers
Component: Checks & Agents
Level: 1
Class: New Feature
Version: 1.2.5i6
These checks are meant to check whether or not there is enough paper in the input slots
and/or enough space in the output slots.
ID: 0193
Title: docsis_cm_status: New status check for cable modems with DOCSIS MIB
Component: Checks & Agents
Level: 1
Class: New Feature
Version: 1.2.5i6
ID: 0766
Title: Changed transid implementation to work as CSRF protection (Fixes CVE-2014-2330)
Component: Multisite
Level: 3
Class: Security Fix
Version: 1.2.5i2
This change fixes possible attacks against Check_MK Multisite users. In previous
versions a possible attacker could try to make the browsers of authenticated users
open URLs of the Check_MK Multisite GUI to execute actions e.g. within WATO without
knowledge of the attacked user.
Several conditions must be met for such an attack to be possible: the user must be
authenticated with Multisite and have enough permissions within Multisite to execute
the actions the attacker wants to use, and the attacker needs to know the exact URL of the
Multisite GUI. The attacker then needs to make the user either click on a manipulated
link or open a manipulated webpage which makes the user's browser, where the user
is authenticated with Multisite, open the URL the attacker has chosen.
The multisite GUI makes use of transids (transaction ids) when processing form
submissions or actions. The transids were mainly used to prevent double execution
of actions when reloading the page which performed the action in the browser.
We have now changed the internal handling of the transid so that it also prevents CSRF attacks.
The transid is now some kind of shared secret between the webserver and the browser
of the user. This ensures a form submission is intended by a previously requested page.
This change implies an incompatible change: if you use a script which opens
Multisite pages to perform an action, e.g. to set a downtime, and it runs with a regular
user account which authenticates by username/password, the script won't work anymore
after this change.
The way to go is to adapt the script and change the user to authenticate with an
automation secret instead of a password. For this kind of authentication, you will
need to use other URL parameters (_username=... and _secret=...).
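Added example, not Check_MK's own code: a minimal sketch of a transaction id that serves both purposes described in this werk, blocking double execution on reload and rejecting requests that did not originate from a previously requested page. The class and method names, the id format, the lifetime and the per-user cap are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Hypothetical names and limits throughout; not taken from Check_MK.
MAX_AGE = 2 * 60 * 60   # assumed lifetime of an issued transid, in seconds
MAX_IDS = 20            # assumed cap on outstanding transids per user

class TransidStore:
    """Per-user list of issued transaction ids (kept in memory here)."""

    def __init__(self, clock=time.time):
        self._issued = {}          # user -> list of "timestamp/random" ids
        self._clock = clock

    def fresh_transid(self, user):
        """Called when rendering a form: mint an unguessable id for this user."""
        transid = "%d/%s" % (int(self._clock()), secrets.token_urlsafe(16))
        ids = self._issued.setdefault(user, [])
        ids.append(transid)
        del ids[:-MAX_IDS]         # forget the oldest ids beyond the cap
        return transid

    def check_transaction(self, user, transid):
        """Called before executing an action. True only for an id that was
        issued to this user, has not expired and has not been used yet."""
        if not transid:
            return False
        ids = self._issued.get(user, [])
        match = None
        for known in ids:
            # constant-time comparison so timing does not leak a partial match
            if hmac.compare_digest(known.encode(), transid.encode()):
                match = known
        if match is None:
            return False           # unknown id: not from a page we rendered
        ids.remove(match)          # one-time use: a reload cannot replay it
        issued_at = int(match.split("/", 1)[0])
        return self._clock() - issued_at <= MAX_AGE
```

A script using password authentication never receives a valid id from a rendered form, which is why the werk directs scripts to automation-secret authentication instead.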
ID: 0191
Title: Added swp files to the ignore list for the WATO git feature
Component: WATO
Level: 1
Class: Bug Fix
Version: 1.2.5i6
WATO no longer tries to add swap files created by vim when the config is edited manually and
changes are activated at the same time.
ID: 0190
Title: docsis_signal_quality: New Check to monitor Signal Quality on Devices with DOCSIS MIB
Component: Checks & Agents
Level: 1
Class: New Feature
Version: 1.2.5i6