Title: mk_oracle: use "${GREP}" instead of "grep"
Class: fix
Compatible: compat
Component: checks
Date: 1701070131
Edition: cre
Level: 1
Version: 2.3.0b1
When executed on solaris, `"grep"` does not know `-x` or `-F`. "${GREP}" points
to a version of grep that understands those options.
Title: Ignore certificates with negative serial numbers
Class: fix
Compatible: incomp
Component: wato
Date: 1700822338
Edition: cre
Level: 1
Version: 2.2.0p16
X509 certificates contain a serial number which is used for various purposes.
Since RFC5280 (May 2008) certificates must be a positive integer.
There used to be certificates with negative serial numbers which were accepted.
Our underlying libraries start to deprecate the support for these certificates, therefore Checkmk now deems them invalid.
Please note that these certificates are very uncommon.
If Checkmk encounters such a certificate it will log it to `var/log/web.log`.
Werk 978 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix security issue with mk-job on Linux
Level: 2
Component: checks
Version: 1.2.5i3
Date: 1401093260
Class: security
Compatible: incomp
By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
a normal user could have placed a symlink to a file there that is only readable
by <tt>root</tt>. The content of that file would then appear in the agent output.
This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
the agent that you also update <tt>mk-job</tt>.
Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
If you have a job running as user <tt>foo</tt>, then do:
C+:
RP:mkdir -p /var/lib/check_mk_agent/job
RP:chown foo:foo /var/lib/check_mk_agent/job
C-:
If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by
an RPM/DEB created from the source code with <tt>make rpm</tt> or <tt>make deb</tt>
then the permissions of <tt>/var/lib/check_mk_agent/job</tt> are automatically
fixed.
If you have installed the agent manually then please make sure that the permissions
of the job directory are set properly:
C+:
RP:chmod 755 /var/lib/check_mk_agent/job
C-:
------------------------------------<diff>-------------------------------------------
Title: Fix security issue with mk-job on Linux
Level: 2
Component: checks
Version: 1.2.5i3
Date: 1401093260
Class: security
Compatible: incomp
By use of symlinks or hardlinks normal users could inject files to be read
with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
a normal user could have placed a symlink to a file there that is only readable
by <tt>root</tt>. The content of that file would then appear in the agent output.
This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
but by creating a separate subdirectory below that for each user. This is done by
a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
the agent that you also update <tt>mk-job</tt>.
Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
If you have a job running as user <tt>foo</tt>, then do:
C+:
RP:mkdir -p /var/lib/check_mk_agent/job
- RP:chown foo.foo /var/lib/check_mk_agent/job
? ^
+ RP:chown foo:foo /var/lib/check_mk_agent/job
? ^
C-:
If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by
an RPM/DEB created from the source code with <tt>make rpm</tt> or <tt>make deb</tt>
then the permissions of <tt>/var/lib/check_mk_agent/job</tt> are automatically
fixed.
If you have installed the agent manually then please make sure that the permissions
of the job directory are set properly:
C+:
RP:chmod 755 /var/lib/check_mk_agent/job
C-:
Title: Ignore certificates with negative serial numbers
Class: fix
Compatible: incomp
Component: wato
Date: 1700822338
Edition: cre
Level: 1
Version: 2.3.0b1
X509 certificates contain a serial number which is used for various purposes.
Since RFC5280 (May 2008) certificates must be a positive integer.
There used to be certificates with negative serial numbers which were accepted.
Our underlying libraries start to deprecate the support for these certificates, therefore Checkmk now deems them invalid.
Please note that these certificates are very uncommon.
If Checkmk encounters such a certificate it will log it to <code>var/log/web.log</code>.
Title: Browsing man pages from command line
Class: fix
Compatible: compat
Component: checks
Date: 1701023104
Edition: cre
Level: 1
Version: 2.3.0b1
Viewing a check plugins man page using <tt>cmk -M my_check</tt> left the terminal in a bad state.
Browsing man pages using <tt>cmk -m</tt> did not work at all (still leaving the terminal in a bad state).
This is fixed.
After running the commands <tt>cmk -M my_check</tt> or <tt>cmk -m</tt> the tty was not properly restored.
Affected users can fix their prompt running <tt>stty sane</tt> or <tt>restore</tt>.
Werk 16300 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Revert werk #16150 and fix <tt>IndexError: boolean index did not match indexed array along dimension 0</tt> in forecast graphs
Class: fix
Compatible: compat
Component: metrics
Date: 1700760668
Edition: cee
Level: 1
Version: 2.1.0p37
This change reverts werk #16150, since this werk made forecast graphs basically unusable.
Furthermore, this change fixes the error mentioned above. This error occurred when computing a
forecast based on constant and incomplete input data.
------------------------------------<diff>-------------------------------------------
- Title: Revert werk #16150 and fix <tt>IndexError: boolean index did not match indexed array along dimension 0<tt> in forecast graphs
+ Title: Revert werk #16150 and fix <tt>IndexError: boolean index did not match indexed array along dimension 0</tt> in forecast graphs
? +
Class: fix
Compatible: compat
Component: metrics
Date: 1700760668
Edition: cee
Level: 1
Version: 2.1.0p37
This change reverts werk #16150, since this werk made forecast graphs basically unusable.
Furthermore, this change fixes the error mentioned above. This error occurred when computing a
forecast based on constant and incomplete input data.
Title: Revert werk #16150 and fix <tt>IndexError: boolean index did not match indexed array along dimension 0<tt> in forecast graphs
Class: fix
Compatible: compat
Component: metrics
Date: 1700760668
Edition: cee
Level: 1
Version: 2.1.0p37
This change reverts werk #16150, since this werk made forecast graphs basically unusable.
Furthermore, this change fixes the error mentioned above. This error occurred when computing a
forecast based on constant and incomplete input data.
Werk 15977 was deleted. The following Werk is no longer relevant.
Title: db2_backup: Correct timezone difference for last backup date
Class: fix
Compatible: compat
Component: checks
Date: 1697190433
Edition: cre
Knowledge: doc
Level: 1
Version: 2.1.0p37
This werk is relevant for users monitoring the age of the last backup time of db2 databases in different timezones.
The date/time of the last backup of a db2 database is currently stored in local host time without the information about the host timezone. When this time is used to check the age of the last backup, it is interpreted in the Checkmk server timezone.
When using different timezones, this leads to incorrect values for "Time since last backup".
The db2 agent plugin will now store the time in UTC and the db2_backup check will interpret the time accordingly.
You will need to update the agent mk_db2.linux or mk_db2.aix to receive the corrected times.
Werk 15976 was deleted. The following Werk is no longer relevant.
Title: mssql_backup: Correct timezone difference for last backup date
Class: fix
Compatible: compat
Component: checks
Date: 1696949130
Edition: cre
Knowledge: doc
Level: 1
State: unknown
Version: 2.1.0p37
This werk is relevant for users monitoring the age of the last backup time of mssql databases in different timezones.
The date/time of the last backup of a mssql database is currently stored in local host time without the information about the host timezone. When this time is used to check the age of the last backup, it is interpreted in the Checkmk server timezone.
When using different timezones, this leads to incorrect values for "Age of last database backup" and if the age is negative, in newer Checkmk versions to the warning "Cannot reasonably calculate time since last backup (hosts time running ahead)".
The mssql agent plugin will now store the time in UTC and the mssql_backup check will interpret the time accordingly.
You will need to update the agent plugin mssql.vbs to receive the corrected times.