Werk 16549 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Agent updates failing on Solaris 10
Class: fix
Compatible: incomp
Component: agents
Date: 1709282638
Edition: cee
Level: 1
Version: 2.1.0p43
On some Solaris 10 systems, an agent update did crash with error message
C+:
/var/sadm/pkg/check-mk-agent/install/postremove: syntax error at line 19: `(' unexpected
pkgrm: ERROR: postremove script did not complete successfully
C-:
If you ran into this error, to make the update perform again, please delete the file
<code>/var/sadm/pkg/check-mk-agent/install/postremove</code> on affected systems.
Technical background:\
The postremove script used the subshell evaluation syntax <code>$(...)</code> that is incompatible to the standard <code>bin/sh</code> shell found on some Solaris 10 systems.
------------------------------------<diff>-------------------------------------------
Title: Agent updates failing on Solaris 10
Class: fix
Compatible: incomp
Component: agents
Date: 1709282638
Edition: cee
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
On some Solaris 10 systems, an agent update did crash with error message
C+:
/var/sadm/pkg/check-mk-agent/install/postremove: syntax error at line 19: `(' unexpected
pkgrm: ERROR: postremove script did not complete successfully
C-:
If you ran into this error, to make the update perform again, please delete the file
<code>/var/sadm/pkg/check-mk-agent/install/postremove</code> on affected systems.
Technical background:\
The postremove script used the subshell evaluation syntax <code>$(...)</code> that is incompatible to the standard <code>bin/sh</code> shell found on some Solaris 10 systems.
Werk 16623 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: HW/SW Inventory: Fix crash when filtering for number of sites for Checkmk version
Class: fix
Compatible: compat
Component: inv
Date: 1710167848
Edition: cre
Level: 1
Version: 2.1.0p43
When filtering the Checkmk versions -> #Sites inventory column, a crash occurs with
C+:
TypeError (expected string or bytes-like object)
...
File "/omd/sites/oldstable/lib/python3/cmk/gui/query_filters.py", line 510, in <lambda>
return lambda row: bool(regex.search(row.get(column, "")))
C-:
This crash has been fixed.
------------------------------------<diff>-------------------------------------------
Title: HW/SW Inventory: Fix crash when filtering for number of sites for Checkmk version
Class: fix
Compatible: compat
Component: inv
Date: 1710167848
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
When filtering the Checkmk versions -> #Sites inventory column, a crash occurs with
C+:
TypeError (expected string or bytes-like object)
...
File "/omd/sites/oldstable/lib/python3/cmk/gui/query_filters.py", line 510, in <lambda>
return lambda row: bool(regex.search(row.get(column, "")))
C-:
This crash has been fixed.
Werk 16242 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Kill forked processes by mk_oracle under AIX
Class: fix
Compatible: compat
Component: checks
Date: 1709728993
Edition: cre
Level: 1
Version: 2.1.0p43
The agent plugin <code>mk_oracle</code> creates forked processes, e.g. from <code>sqlplus</code>.
In order to reliable clean up stale processes, we kill now the whole process chain under AIX
which corresponds to the stored <code>PID</code>.
We introduce this only for <code>AIX</code> now as we have customers which are affected under that OS.
------------------------------------<diff>-------------------------------------------
Title: Kill forked processes by mk_oracle under AIX
Class: fix
Compatible: compat
Component: checks
Date: 1709728993
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
The agent plugin <code>mk_oracle</code> creates forked processes, e.g. from <code>sqlplus</code>.
In order to reliable clean up stale processes, we kill now the whole process chain under AIX
which corresponds to the stored <code>PID</code>.
We introduce this only for <code>AIX</code> now as we have customers which are affected under that OS.
Werk 16416 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Make scp command work as site userr on SLES 15
Class: fix
Compatible: compat
Component: omd
Date: 1711615092
Edition: cre
Level: 1
Version: 2.1.0p43
On SUSE Linux Enterprise Server 15 systems, the <code>scp</code> command could crash with
C+:
/usr/bin/ssh: symbol lookup error: /usr/bin/ssh: undefined symbol: EVP_KDF_CTX_free, version OPENSSL_1_1_1d lost connection
C-:
when executed as a site user.
------------------------------------<diff>-------------------------------------------
Title: Make scp command work as site userr on SLES 15
Class: fix
Compatible: compat
Component: omd
Date: 1711615092
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
On SUSE Linux Enterprise Server 15 systems, the <code>scp</code> command could crash with
C+:
/usr/bin/ssh: symbol lookup error: /usr/bin/ssh: undefined symbol: EVP_KDF_CTX_free, version OPENSSL_1_1_1d lost connection
C-:
when executed as a site user.
Werk 16424 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: omd start redis: Don't Start If Process Already Running
Class: fix
Compatible: compat
Component: omd
Date: 1713456408
Edition: cre
Level: 1
Version: 2.1.0p43
With this Werk, <code>omd start</code> will no longer create a new redis process if redis is already started.
This aligns the behaviour with the other services of a site.
------------------------------------<diff>-------------------------------------------
Title: omd start redis: Don't Start If Process Already Running
Class: fix
Compatible: compat
Component: omd
Date: 1713456408
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
With this Werk, <code>omd start</code> will no longer create a new redis process if redis is already started.
This aligns the behaviour with the other services of a site.
Werk 14227 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Changing settings in the site configuration can no longer cause ActivateChanges to hang forever
Class: fix
Compatible: compat
Component: wato
Date: 1711528118
Edition: cre
Level: 1
Version: 2.1.0p43
------------------------------------<diff>-------------------------------------------
Title: Changing settings in the site configuration can no longer cause ActivateChanges to hang forever
Class: fix
Compatible: compat
Component: wato
Date: 1711528118
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
Werk 15198 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Brute-force protection ineffective for some login methods
Class: security
Compatible: compat
Component: wato
Date: 1712665452
Edition: cre
Level: 1
Version: 2.1.0p43
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication <em>for human user accounts</em>.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
<strong>Affected Versions</strong>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Mitigations</strong>:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28825</code>.
------------------------------------<diff>-------------------------------------------
Title: Brute-force protection ineffective for some login methods
Class: security
Compatible: compat
Component: wato
Date: 1712665452
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication <em>for human user accounts</em>.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
<strong>Affected Versions</strong>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Mitigations</strong>:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28825</code>.
Werk 16197 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: quantum_libsmall_*: Improve SNMP detection
Class: fix
Compatible: compat
Component: checks
Date: 1709035896
Edition: cre
Level: 1
Version: 2.1.0p43
Currently the SNMP detection for <code>quantum_libsmall_status</code> and <code>quantum_libsmall_door</code> checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product".
------------------------------------<diff>-------------------------------------------
Title: quantum_libsmall_*: Improve SNMP detection
Class: fix
Compatible: compat
Component: checks
Date: 1709035896
Edition: cre
Level: 1
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
Currently the SNMP detection for <code>quantum_libsmall_status</code> and <code>quantum_libsmall_door</code> checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product".
Werk 15841 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: The configuration is correctly loaded by RRD helper processes
Class: fix
Compatible: compat
Component: core
Date: 1711447383
Edition: cee
Level: 2
Version: 2.1.0p43
This change ensures the reloading of the configuration by already
running RRD processes, thereby guaranteeing that those processes are
using the correct configuration.
SUP-17787
CMK-16318
------------------------------------<diff>-------------------------------------------
Title: The configuration is correctly loaded by RRD helper processes
Class: fix
Compatible: compat
Component: core
Date: 1711447383
Edition: cee
Level: 2
- Version: 2.1.0p42
? ^
+ Version: 2.1.0p43
? ^
This change ensures the reloading of the configuration by already
running RRD processes, thereby guaranteeing that those processes are
using the correct configuration.
SUP-17787
CMK-16318
Werk 15843 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.1.0p42
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
Werk <a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses above mentioned issue that affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
Since this release, Oracle monitoring on Windows is fully supported under
either of the following conditions:
1. The monitoring is performed using an account without administrator rights.
2. Specific Oracle executable binaries — namely, <tt>sqlplus.exe</tt>,
<tt>tnsping.exe</tt> and, if presented, <tt>crsctl.exe</tt> - are not modifiable
by non-admin users.
If you are still unable to monitor Oracle, for example, you can't use an
unprivileged account for monitoring and changing of permission is not possible,
consider one of the following actions:
1. Enable <tt>Run as local group</tt> for group <tt>Administrators</tt> in
<tt>Run plugins and local checks using non-system account</tt> ruleset.
2. Adjust <tt>Oracle Binaries Permissions Check</tt> settings in <tt>ORACLE databases (Linux,
Solaris, AIX, Windows)</tt> ruleset.
More information about can be found at <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.
------------------------------------<diff>-------------------------------------------
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.1.0p42
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
Werk <a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses above mentioned issue that affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
- Since this release, Oracle monitoring on Windows is fully supported under
? -
+ Since this release, Oracle monitoring on Windows is fully supported under
- condition you use an account without administrator rights or the certain
- executable binaries, <tt>sqlplus.exe</tt>, <tt>tnsping.exe</tt> and, if
- presented, <tt>crsctl.exe</tt> are write-protected, with the possible
- exception being the Administrator.
+ either of the following conditions:
+ 1. The monitoring is performed using an account without administrator rights.
+ 2. Specific Oracle executable binaries — namely, <tt>sqlplus.exe</tt>,
+ <tt>tnsping.exe</tt> and, if presented, <tt>crsctl.exe</tt> - are not modifiable
+ by non-admin users.
- If you are unable or prefer not to use an unprivileged account then you may
- need to adjust permissions for above mentioned binaries: remove <tt>Write</tt>,
- <tt>Full Control</tt> and <tt>Modify</tt> permissions for any non-Administrator
- user and group.
+ If you are still unable to monitor Oracle, for example, you can't use an
+ unprivileged account for monitoring and changing of permission is not possible,
+ consider one of the following actions:
+ 1. Enable <tt>Run as local group</tt> for group <tt>Administrators</tt> in
+ <tt>Run plugins and local checks using non-system account</tt> ruleset.
+ 2. Adjust <tt>Oracle Binaries Permissions Check</tt> settings in <tt>ORACLE databases (Linux,
+ Solaris, AIX, Windows)</tt> ruleset.
More information about can be found at <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.