Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15865 discussions

Check_MK Werk 0989: logwatch.ec: Fix forwarding multiple messages via syslog/TCP

by Mathias Kettner

ID: 0989 Title: logwatch.ec: Fix forwarding multiple messages via syslog/TCP Component: Checks & Agents Level: 1 Class: Bug Fix Version: 1.2.5i5 If you setup forwarding to the Event Console in the {logwatch.ec} check to be done via TCP and more than one new message per check interval arrived, then several messages could have be joined together into one single message. The reason was a missing newline character. This has been fixed. Forwarding via UDP was not affected by this bug.

10 years, 2 months

Check_MK Werk 0988: livedump: Fix exception in case no contact groups are defined for a service

by Mathias Kettner

ID: 0988 Title: livedump: Fix exception in case no contact groups are defined for a service Component: Livestatus Level: 1 Class: Bug Fix Version: 1.2.5i5

10 years, 2 months

Check_MK Werk 0994: agent plugin smart: fixed syntax error

by Bernd Stroessenreuther

ID: 0994 Title: agent plugin smart: fixed syntax error Component: Checks & Agents Level: 1 Class: Bug Fix Version: 1.2.5i5

10 years, 2 months

Check_MK Werk 0942: check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX

by Andreas Boesl

ID: 0942 Title: check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX Component: Multisite Level: 1 Class: Bug Fix Version: 1.2.5i4 This change makes pnpgraphs with greater timeframes consistent

10 years, 2 months

Check_MK Werk 0941: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes

by Andreas Boesl

ID: 0941 Title: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes Component: Multisite Level: 1 Class: Bug Fix Version: 1.2.5i4 Affected pnptemplates are: check_mk-enterasys_cpu_util, check_mk-esx_vsphere_hostsystem.cpu_usage, check_mk-innovaphone_cpu

10 years, 2 months

Check_MK Werk 0984: Fix code injection for logged in users via automation url

by Lars Michelsen

ID: 0984 Title: Fix code injection for logged in users via automation url Component: WATO Level: 2 Class: Incompatible Change Version: 1.2.5i4 This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description: The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security means from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the python API documentation clearly state, "pickle" should be considered unsafe as well, see: <tt>https://docs.python.org/2/library/pickle.html</tt>. The fix replaces <tt>pickle<tt> with a module called <tt>ast</tt>. Unfortunately this module is not available on Centos/RedHat 5.X and Debian 5. On these systems WATO still uses <tt>pickle</tt>, even with this fix. Note: This change makes the current Check_MK versions incompatible to older versions. In a mixed environment with old and new Check_MK versions or with old and newer Python versions you have to force WATO to use the old unsafe method by setting <tt>wato_legacy_eval = True<tt> in <tt>multisite.mk</tt>. This can also be done with the new global WATO setting Use unsafe legacy encoding for distributed WATO.

10 years, 2 months

Check_MK Werk 0983: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)

by Mathias Kettner

ID: 0983 Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P) Component: Multisite Level: 2 Class: Security Fix Version: 1.2.5i4 The fixed weakness was: The check_mk application does allow an attacker to write check_mk config files (.mk files) on arbitrary locations on the server filesystem.

10 years, 2 months

Check_MK Werk 0982: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

by Mathias Kettner

ID: 0982 Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C Component: Multisite Level: 2 Class: Security Fix Version: 1.2.5i4 This fixes the following issue: The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of inproper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim. The fix applies to the function: htmllib.py: render_status_icons() actions.py: ajax_action()

10 years, 2 months

Check_MK Werk 0824: Valuespecs: Fixed several possible HTML injections in valuespecs

by Lars Michelsen

ID: 0824 Title: Valuespecs: Fixed several possible HTML injections in valuespecs Component: WATO Level: 1 Class: Security Fix Version: 1.2.5i4 Several HTML injections in valuespecs of different types (mostly used in WATO) were missing good escaping of values. This has been added to prevent HTML code injections which could be used for XSS attacks. This only affects WATO and logged in users which are permitted to use WATO and open the page (e.g. the list of rules) which displays the values.

10 years, 2 months

Check_MK Werk 0823: mk_sap: Fixed some wrong calculated values (decimal numbers)

by Lars Michelsen

ID: 0823 Title: mk_sap: Fixed some wrong calculated values (decimal numbers) Component: Checks & Agents Level: 1 Class: Bug Fix Version: 1.2.5i4 The values provided by SAP seem to be integers with a second value which can be used to tell the asking program the number of decimals. e.g. when this value states 2, a load value of 901 is converted to 9.01. This value has not been used in the past which lead to odd check results.

10 years, 2 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1