[//]: # (werk v2)
# mk_informix: Do not allow privilege escalation
key | value
---------- | ---
date | 2024-03-08T14:57:50+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | yes
The Informix database monitoring plugin would previously `eval` statements parsed from `$INFORMIXDIR/bin/onstat`. Since the plugin is usually run as root, this could cause statements injected in `$INFORMIXDIR/bin/onstat` to be run as root as well.
By adding scripts to `$INFORMIXDIR/bin` that are named the same as other functionality found in `$PATH`, the `$PATH` functionality could also be overshadowed and the custom scripts executed as root.
Finally, `$INFORMIXDIR/bin/onstat` would be executed as root, allowing a substituted script to be run with elevated privileges.
With this werk, the environment variables will be exported instead and `$PATH` will now be searched before `$INFORMIXDIR/bin`.
The plugin will now also check if `$INFORMIXDIR/bin/onstat` belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable.
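The three measures described above can be sketched as follows. This is an added example, not the plugin's own code: the function names, the allow-listed variable names and the `NAME=value` input format are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/bash
# Added illustration; not taken from mk_informix.

# Decide which uid should execute a binary. When the caller is root
# (euid 0), only a root-owned file is run as root; a file owned by
# someone else is run as its owner. A non-root caller never switches.
run_uid_for() {
    bin=$1
    euid=$2
    owner=$(stat -c %u "$bin") || return 1   # numeric owner uid (GNU stat)
    if [ "$euid" -eq 0 ] && [ "$owner" -ne 0 ]; then
        echo "$owner"
    else
        echo "$euid"
    fi
}

# Export NAME=value lines read from stdin as plain data. Nothing is
# passed to eval, so extra statements or command substitutions inside
# a value stay literal text. Names outside the allow-list are ignored.
export_vars() {
    while IFS='=' read -r name value; do
        case $name in
            INFORMIXDIR|INFORMIXSERVER|ONCONFIG|INFORMIXSQLHOSTS)
                export "$name=$value" ;;
            *) ;;
        esac
    done
}

# Build a search path in which the system PATH comes first and
# <informixdir>/bin last, so a file dropped there cannot shadow a
# standard command.
informix_path() {
    echo "$PATH:$1/bin"
}
```

When `run_uid_for` returns a uid other than 0 for a root caller, the binary would be started through a privilege-dropping wrapper such as `su` for that owner instead of being executed directly.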
This issue was found during internal review.
*Affected Versions*:
* 2.3.0 (beta)
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` and assigned CVE `CVE-2024-28824`.
[//]: # (werk v2)
# trigger openapi-spec generation job during start, restart and reload
key | value
---------- | ---
date | 2024-03-20T13:23:59+00:00
version | 2.4.0b1
class | feature
edition | cre
component | omd
level | 1
compatible | yes
Werk 16501 introduced a command to start a background job which
triggers the regeneration of the API specification. This werk now
includes execution of this command also during omd start, restart,
and reload. With this mechanism the execution during `cmk-update-config`
is no longer needed.
Based on Werk 15724 the specification is now updated in these situations:
* Create the initial spec after a site has been created
* Update the spec after a site has been copied, restored or renamed
* Update the spec when the apache process is started, restarted or reloaded
[//]: # (werk v2)
# Read-only internal folder name when editing folders
key | value
---------- | ---
date | 2024-03-20T08:45:21+00:00
version | 2.4.0b1
class | fix
edition | cre
component | wato
level | 1
compatible | yes
When disabling the "Hide internal folder names in Setup" setting, the internal
name must be set by the user when creating folders. Previously, the field was
still modifiable when editing the folder properties, however no changes to it
were saved.
This werk now marks the field as read only when editing the folder properties.
[//]: # (werk v2)
# size_trend: Treat negative free space as 0 in all cases
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-03-20T10:04:09+00:00
level | 1
class | fix
component | checks
edition | cre
Before version 2.2.0p21, 'Time left until full' was reported to be 0 in case of
devices reporting negative free space.
With werk 16330, we stopped reporting the metric in case of very small size changes
because it led to infinite values. With this change the behavior was unintentionally
also changed for negative free space values.
This werk restores the same functionality in case of negative free space.
[//]: # (werk v2)
# REST API: Fix httpie examples
key | value
---------- | ---
date | 2024-03-20T12:51:32+00:00
version | 2.4.0b1
class | fix
edition | cre
component | rest-api
level | 1
compatible | yes
Some httpie examples had a backslash at the end of the last line causing
these examples to fail when executed. This Werk fixes the way REST API
examples are generated to prevent backslashes at the end of the last line.
[//]: # (werk v2)
# dns: Reintroduce macro replacement in 'Expected DNS answers' config
key | value
---------- | ---
date | 2024-03-20T08:49:31+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
With version 2.3.0b1, the macros in the 'Expected DNS answers' field of 'Check DNS service'
were no longer replaced. This change reintroduces macro replacement.
[//]: # (werk v2)
# Check SQL: Allow to configure port via custom macros
key | value
---------- | ---
date | 2024-03-15T13:24:34+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | yes
In the ruleset _"Check SQL Database"_ you can now configure the port using
macros.
[//]: # (werk v2)
# Terminate all GUI sessions during update
key | value
---------- | ---
date | 2024-03-15T15:16:28+00:00
version | 2.4.0b1
class | feature
edition | cre
component | wato
level | 1
compatible | yes
By default, a GUI session is terminated after 90 minutes of inactivity (configurable via the global setting **Session management**).
A user could therefore start a session and, for example, begin configuring a complex check, and while the user is doing something else (e.g. researching some options) the site could be updated.
If the user does not interact with the site in that period, the user won't notice that the site was updated.
Since updates might change some behaviour the session might not work as intended.
Therefore during an update all sessions are now terminated.
This will cause users to re-authenticate after a site update.
Werk 16149 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# New OrderBy header in livestatus
key | value
---------- | ---
date | 2024-01-29T10:12:24+00:00
version | 2.4.0b1
class | feature
edition | cre
component | livestatus
level | 1
compatible | yes
We provide a new header for livestatus that returns the rows in
sorted order.
For example, to sort host names in descending order
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name desc'
zhost
yhost
xhost
...
```
in ascending order
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name asc'
ahost
bhost
...
```
or, alternatively without `asc`,
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name'
ahost
bhost
...
```
The `OrderBy` header can be combined with the `Limit` header to
limit the number of results as expected.
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name\nLimit: 1'
ahost
```
Furthermore, it is possible to sort on dictionary keys with the
following syntax
```
$ lq << EOF
GET services
Columns: host_name description performance_data
OrderBy: performance_data.user_time
EOF
...
```
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
- # New OderBy header in livestatus
+ # New OrderBy header in livestatus
? +
key | value
---------- | ---
date | 2024-01-29T10:12:24+00:00
version | 2.4.0b1
class | feature
edition | cre
component | livestatus
level | 1
compatible | yes
We provide a new header for livestatus that returns the rows in
sorted order.
For example, to sort host names in descending order
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name desc'
zhost
yhost
xhost
...
```
in ascending order
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name asc'
ahost
bhost
...
```
or, alternatively without `asc`,
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name'
ahost
bhost
...
```
The `OrderBy` header can be combined with the `Limit` header to
limit the number of results as expected.
```
$ lq 'GET hosts\nColumns: name\nOrderBy: name\nLimit: 1'
ahost
```
Furthermore, it is possible to sort on dictionary keys with the
following syntax
```
$ lq << EOF
GET services
Columns: host_name description performance_data
OrderBy: performance_data.user_time
EOF
...
```
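Review bot: the dictionary-key example at the end (`OrderBy: performance_data.user_time`) shows only `...` as output, and the text does not say how rows whose `performance_data` has no `user_time` entry are ordered, or whether `asc`/`desc` may follow a dictionary key. A sentence covering both, plus two or three sample output rows, would make the syntax unambiguous. The title correction from `OderBy` to `OrderBy` matches the header name used in every example.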