Werk 16549 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Agent updates failing on Solaris 10
Class: fix
Compatible: incomp
Component: agents
Date: 1709282638
Edition: cee
Level: 1
Version: 2.1.0p42
On some Solaris 10 systems, an agent update crashed with the error message
C+:
/var/sadm/pkg/check-mk-agent/install/postremove: syntax error at line 19: `(' unexpected
pkgrm: ERROR: postremove script did not complete successfully
C-:
If you ran into this error, delete the file
<code>/var/sadm/pkg/check-mk-agent/install/postremove</code> on affected systems to make the update work again.
Technical background:
The postremove script used the command substitution syntax <code>$(...)</code>, which is not supported by the standard <code>/bin/sh</code> shell found on some Solaris 10 systems.
------------------------------------<diff>-------------------------------------------
Title: Agent updates failing on Solaris 10
Class: fix
Compatible: incomp
Component: agents
Date: 1709282638
Edition: cee
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
On some Solaris 10 systems, an agent update did crash with error message
C+:
/var/sadm/pkg/check-mk-agent/install/postremove: syntax error at line 19: `(' unexpected
pkgrm: ERROR: postremove script did not complete successfully
C-:
If you ran into this error, to make the update perform again, please delete the file
<code>/var/sadm/pkg/check-mk-agent/install/postremove</code> on affected systems.
Technical background:\
The postremove script used the subshell evaluation syntax <code>$(...)</code> that is incompatible to the standard <code>bin/sh</code> shell found on some Solaris 10 systems.
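Review bot: the technical-background line at the end of this diff writes the shell path as bin/sh without the leading slash and calls $(...) "subshell evaluation", where the usual term is command substitution. Suggest /bin/sh, and a short statement of what the postremove script uses instead, so admins who maintain their own Solaris 10 package scripts know what to look for.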
Werk 16237 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Path to mysql.ini under Windows for mk_sql
Class: fix
Compatible: compat
Component: checks
Date: 1708687568
Edition: cre
Level: 1
Version: 2.1.0p42
If you've been using mysql and the corresponding agent plugin <em>mk_sql</em>
under Windows, the plugin may have crashed and the agent output would then
show the following error:
C+:
<<<mysql_ping>>>
[[MySQL83]]
mysqladmin: File '\etc\check_mk\mysql.local.ini' not found (OS errno 2 - No such file or directory)
mysqladmin: [ERROR] Stopped processing the 'include' directive in file C:\ProgramData\checkmk\agent\config\mysql.ini at line 8.
C-:
Under Windows, the plugin config path <code>C:\ProgramData\checkmk\agent\config</code> is now used.
In contrast to the corresponding Linux plugin <code>mk_mysql</code>, the config path under Windows cannot be changed.
------------------------------------<diff>-------------------------------------------
Title: Path to mysql.ini under Windows for mk_sql
Class: fix
Compatible: compat
Component: checks
Date: 1708687568
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
If you've been using mysql and the corresponding agent plugin <em>mk_sql</em>
under Windows, the plugin may have crashed and the agent output would then
show the following error:
C+:
<<<mysql_ping>>>
[[MySQL83]]
mysqladmin: File '\etc\check_mk\mysql.local.ini' not found (OS errno 2 - No such file or directory)
mysqladmin: [ERROR] Stopped processing the 'include' directive in file C:\ProgramData\checkmk\agent\config\mysql.ini at line 8.
C-:
Under Windows, the plugin config path <code>C:\ProgramData\checkmk\agent\config</code> is now used.
In contrast to the corresponding Linux plugin <code>mk_mysql</code>, the config path under Windows cannot be changed.
Werk 16599 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: jolokia metrics: restores 'default product' behavior
Class: fix
Compatible: compat
Component: checks
Date: 1710165014
Edition: cre
Level: 1
Version: 2.1.0p42
The check plugin no longer showed any metrics if a product was not specified in the ruleset configuration.
This werk restores the original behaviour, using as a default product the one reported in the info section of the agent output.
------------------------------------<diff>-------------------------------------------
Title: jolokia metrics: restores 'default product' behavior
Class: fix
Compatible: compat
Component: checks
Date: 1710165014
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
The check plugin no longer showed any metrics if a product was not specified in the ruleset configuration.
This werk restores the original behaviour, using as a default product the one reported in the info section of the agent output.
Werk 16455 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix metric scaling of 'rta' for Nagios plugin integration 'check_ping'
Class: fix
Compatible: compat
Component: multisite
Date: 1709824147
Edition: cre
Level: 1
Version: 2.1.0p42
------------------------------------<diff>-------------------------------------------
Title: Fix metric scaling of 'rta' for Nagios plugin integration 'check_ping'
Class: fix
Compatible: compat
Component: multisite
Date: 1709824147
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
Werk 16447 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix inventory sync of subsequent hosts if a previous one has invalid data
Class: fix
Compatible: compat
Component: liveproxy
Date: 1707132754
Edition: cee
Level: 1
Version: 2.1.0p42
------------------------------------<diff>-------------------------------------------
Title: Fix inventory sync of subsequent hosts if a previous one has invalid data
Class: fix
Compatible: compat
Component: liveproxy
Date: 1707132754
Edition: cee
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
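Review bot: this werk consists of the title only; there is no body under the header fields. For a fix to inventory sync it would help to say what counts as "invalid data" and what users saw for the subsequent hosts before the fix, so sites can tell whether they were affected.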
Werk 16238 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Add m7i.large as aws resource type
Class: feature
Compatible: compat
Component: checks
Date: 1709038229
Edition: cre
Level: 1
Version: 2.1.0p42
You're affected if your aws_ec2_limits check reported "Unknown resource" and you're using "m7i.large".
AWS resource names change from time to time, and we will need to find a more stable solution for that in the future.
For now, this is fixed by adding the resource name "m7i.large" to our internal list of AWS resources.
------------------------------------<diff>-------------------------------------------
Title: Add m7i.large as aws resource type
Class: feature
Compatible: compat
Component: checks
Date: 1709038229
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
You're affected if your aws_ec2_limits check reported "Unknown resource" and you're using "m7i.large".
The aws resource names are changing from time to time and we will need to find a more stable solution for that in the future.
But for now, this will be fixed by adding the resource name "m7i.large" to our internal list of aws resources.
Werk 16502 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: dcd: resolve log error in case of discovery timeouts
Class: fix
Compatible: compat
Component: dcd
Date: 1709716462
Edition: cee
Level: 1
Version: 2.1.0p42
------------------------------------<diff>-------------------------------------------
Title: dcd: resolve log error in case of discovery timeouts
Class: fix
Compatible: compat
Component: dcd
Date: 1709716462
Edition: cee
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
Werk 16239 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Extend devices found by apc_ats_status
Class: fix
Compatible: compat
Component: checks
Date: 1709123851
Edition: cre
Level: 1
Version: 2.1.0p42
This werk affects you if you monitor your APC Rack Automatic Transfer Switch with <tt>apc_ats_status</tt>.
Previously, some devices were not discovered because the scan function was too strict.
Further, we now enable monitoring of other power supplies available on such devices, for example 1V and 3.3V.
This has now been fixed.
------------------------------------<diff>-------------------------------------------
Title: Extend devices found by apc_ats_status
Class: fix
Compatible: compat
Component: checks
Date: 1709123851
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
This werk affects you, in case you try to monitor your APC Rack Automatic Transfer Switch with <tt>apc_ats_status</tt>.
Previously some devices were not discovered due to a too strict scan function.
Futher, we enable monitoring other power supplies available at such devices as for example 1V and 3.3V.
This was fixed now.
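Review bot: "Futher" in the third body line should read "Further". The closing "This was fixed now." also follows a sentence that describes an extension (additional power supplies) rather than a defect; suggest moving it directly after the scan-function sentence it refers to.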
Werk 16234 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.1.0p41
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
Other users could extract these arguments (e.g. by using <tt>ps</tt>).
This vulnerability was reported to us; we are not aware of any exploitation.
<b>Affected Versions:</b>
2.3.0 (beta)
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
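The difference between the two invocation styles can be checked locally. The following is an added example, not code from mk_oracle: a stand-in process replaces <tt>sqlplus</tt>, the connection string is a constructed placeholder, and the <tt>-S /nolog</tt> plus <tt>connect</tt> form is one common way to feed SQL*Plus via stdin, assumed here rather than taken from the plugin. It assumes Linux <tt>/proc</tt> or a POSIX <tt>ps</tt>.

```shell
#!/bin/sh
# Added example, not Checkmk code. CONN is a constructed placeholder credential.
CONN='monitor/Constructed-Pw-1@//db.example.invalid:1521/ORCL'

# Stand-in for sqlplus (assumption): drains stdin, then stays alive briefly so
# its command line can be inspected. The trailing ':' stops the shell from
# exec'ing sleep, which would replace the argv under inspection.
standin() {
    exec sh -c 'cat >/dev/null; sleep 3; :' sqlplus-standin "$@" >/dev/null 2>&1
}

# Command line of PID as any local user can read it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Print "exposed" if CONN appears in the argv of PID, else "hidden".
inspect() {
    sleep 1                              # give the child time to exec
    args=$(cmdline_of "$1")
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    case $args in
        *"$CONN"*) echo exposed ;;       # case match: the secret never enters
        *)         echo hidden ;;        # another process's argv (grep would)
    esac
}

# Before: connection string as a command-line argument.
run_argv() {
    standin -S "$CONN" </dev/null &
    inspect $!
}

# After: only "-S /nolog" in argv; the credential arrives on stdin. A here-doc
# is written by the shell itself, so no helper process carries it in argv.
run_stdin() {
    standin -S /nolog <<EOF &
connect $CONN
EOF
    inspect $!
}

echo "argv:  $(run_argv)"
echo "stdin: $(run_stdin)"
```

Replacing the here-doc with an external <tt>echo</tt> piped into the client would move the credential into that helper's argv instead, so the shell's own here-doc or a builtin is the safer choice.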
------------------------------------<diff>-------------------------------------------
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^ -
+ Version: 2.1.0p41
? ^ +
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
+ 2.3.0 (beta)
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
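Review bot: after the Version change from 2.2.0p24 to 2.1.0p41, the werk lists 2.3.0 (beta), 2.2.0, 2.1.0 and 2.0.0 as affected but names only one fixed release. For a security werk with a CVE, suggest stating the fixed patch level per branch in the body, so readers on 2.2.0 and 2.3.0 can tell which release carries the stdin change.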
Title: mk_informix: Do not allow privilege escalation
Class: security
Compatible: compat
Component: checks
Date: 1709909870
Edition: cre
Level: 1
Version: 2.1.0p41
The informix database monitoring plugin would previously <code>eval</code> statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin is usually run as root, this could cause statements injected in <code>$INFORMIXDIR/bin/onstat</code> to be run as root as well.
By adding scripts to <code>$INFORMIXDIR/bin</code> that are named the same as other commands found in <code>$PATH</code>, those commands could also be shadowed and the custom script executed as root.
Finally, <code>$INFORMIXDIR/bin/onstat</code> would be executed as root, allowing a substituted script to be run with elevated privileges.
With this werk, the environment variables will be exported instead and <code>$PATH</code> will now be searched before <code>$INFORMIXDIR/bin</code>.
The plugin will now also check if <code>$INFORMIXDIR/bin/onstat</code> belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.
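The two hardening steps described in this werk, exporting parsed variables instead of evaluating them and checking the owner of the executable before running it as root, can be sketched as follows. This is an added example, not the plugin's code: the function names <code>safe_export</code>, <code>run_mode</code> and <code>demo</code> are hypothetical, the input lines are constructed, and the refusal of <code>PATH</code>, <code>IFS</code>, <code>ENV</code> and <code>LD_*</code> goes beyond what the werk states.

```shell
#!/bin/sh
# Added example, not Checkmk code. All sample data below is constructed.

# Export NAME=VALUE lines read from stdin as plain data. The pre-fix pattern,
# eval "$line", would run any shell code embedded in a line.
safe_export() {
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        name=${line%%=*} value=${line#*=}
        case $name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;;  # not a plain identifier
            PATH|IFS|ENV|LD_*) continue ;;               # input must not redirect lookups
        esac
        export "$name=$value"    # the value is never re-parsed as shell code
    done
}

# Print "direct", or "as-uid:N" when the caller is root (uid 0) but FILE
# belongs to another user and should run with that user's privileges.
run_mode() {   # $1 = file, $2 = caller's effective uid
    owner=$(ls -lnd "$1" | awk '{print $3}')
    if [ "$2" -eq 0 ] && [ "$owner" -ne 0 ]; then
        echo "as-uid:$owner"
    else
        echo direct
    fi
}

# Feed constructed input, two lines of which carry an injected command.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/env.txt" <<EOF
INFORMIXSERVER=demo_srv
NOTE=\$(touch $dir/pwned)
PATH=$dir
touch $dir/pwned; ONCONFIG=x
EOF
    old_path=$PATH
    safe_export < "$dir/env.txt"
    if [ -e "$dir/pwned" ]; then result=executed; else result=inert; fi
    [ "$PATH" = "$old_path" ] || result=path-changed
    echo "$result server=$INFORMIXSERVER mode=$(run_mode "$dir/env.txt" 0)"
    rm -rf "$dir"
}

demo
```

<code>safe_export</code> has to be fed through a redirection as shown; on the right-hand side of a pipe it would run in a subshell and the exports would be lost.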