Title: Fix inconsistent interaction for graphs in dashboards
Class: fix
Compatible: compat
Component: multisite
Date: 1700147621
Edition: cre
Level: 1
Version: 2.1.0p37
The mouse interaction (zooming, scrolling, etc.) for graphs in dashboards only worked sporadically and at seemingly random points.
Title: CSRF in user-message deletion
Class: security
Compatible: compat
Component: wato
Date: 1700648297
Edition: cre
Level: 1
Version: 2.2.0p15
In Checkmk you can message other users via <em>Send user message</em>.
Prior to this Werk, an authenticated attacker who received such a user message could craft a link containing the generated message UUID that deletes the message.
This link was prone to CSRF: if another user was tricked into opening it, the message was deleted, possibly before that user could read it.
* This vulnerability was identified through a commissioned penetration test conducted by Port Zero.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 3.5 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</tt>.
We assigned CVE-2023-6251 to this vulnerability.
<b>Changes</b>:
This Werk adds CSRF token validation to this endpoint.
Title: Livestatus Injections
Class: security
Compatible: compat
Component: wato
Date: 1700066363
Edition: cre
Level: 1
Version: 2.2.0p15
Prior to this Werk, it was possible to inject arbitrary Livestatus commands into the core via the WebUI.
We found this vulnerability internally.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</tt>.
We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
<b>Changes</b>:
This Werk strips newlines from the relevant parameters.
Werk 16229 was adapted. The following is the new Werk; a diff is shown at the end of the message.
Title: Provide Checkmk builds for Ubuntu 23.10 (Mantic Minotaur)
Class: feature
Compatible: compat
Component: omd
Date: 1699612013
Edition: cre
Knowledge: undoc
Level: 1
Version: 2.2.0p15
Starting with this werk, we deliver builds for Ubuntu 23.10.
<b>PLEASE NOTE:</b>
This will be the last Ubuntu STS version for which Checkmk builds will be made publicly available. Since the next Ubuntu release, 24.04, will be an LTS release, a smooth transition is guaranteed.
For details see: https://docs.checkmk.com/latest/en/update_matrix.html#ossupport
------------------------------------<diff>-------------------------------------------
- Title: Build Checkmk for Ubuntu-23.10 (mantic minotaur)
? ^^ - ^ ^ ^
+ Title: Provide Checkmk builds for Ubuntu 23.10 (Mantic Minotaur)
? ^^^^ + +++++++ ^ ^ ^
Class: feature
Compatible: compat
Component: omd
Date: 1699612013
Edition: cre
Knowledge: undoc
Level: 1
Version: 2.2.0p15
- With this werk, we deliver builds for Ubuntu-23.10.
? ^ ^
+ Starting with this werk, we deliver builds for Ubuntu 23.10.
? ^^^^^^^^^^ ^
<b>PLEASE NOTE:</b>
- This will be the last STS Ubuntu version we will provide to the public.
+ This will be the last Ubuntu STS version for which Checkmk builds will be made publicly available. Since the next Ubuntu release 24.04 will be LTS, a smooth transition is guaranteed.
- Have a look at https://docs.checkmk.com/latest/en/update_matrix.html#ossupport
? ^ ^ ^^^^^^^^^^
+ For details see: https://docs.checkmk.com/latest/en/update_matrix.html#ossupport
? ^^^^^^^ ^^^^^ ^^
-
-
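Review bot: the rewritten PLEASE NOTE line ends with "a smooth transition is guaranteed"; a release note cannot guarantee a user's upgrade path, so "is expected" or "is possible" would be safer wording, while the rest of the rewrite (the reason given, that 24.04 will be LTS, and the consistent "Ubuntu 23.10" spelling in title and body) is an improvement. The two trailing "-" lines only remove empty lines and need no further change.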
Title: Fix inconsistent interaction for graphs in dashboards
Class: fix
Compatible: compat
Component: multisite
Date: 1700147621
Edition: cre
Level: 1
Version: 2.2.0p15
The mouse interaction (zooming, scrolling, etc.) for graphs in dashboards only worked sporadically and at seemingly random points.
Title: Allow CA certificates without key usage restrictions
Class: fix
Compatible: compat
Component: wato
Date: 1700470697
Edition: cre
Level: 1
Version: 2.2.0p15
Prior to this Werk, certificates that did not include the KeyUsage extension were not considered CA certificates by Checkmk, because they lack the keyCertSign bit.
While CAs conforming to RFC 5280 MUST include the extension and set this bit, not all do in practice. Recommendation ITU-T X.509 considers only the basicConstraints "cA" flag required for CAs.
With this Werk, Checkmk accepts a certificate that sets the cA basicConstraint but omits the KeyUsage extension as a CA certificate. Note that certificates that do set the KeyUsage extension but lack the keyCertSign bit still may not be used for certificate signing.
Werk 15644 was adapted. The following is the new Werk; a diff is shown at the end of the message.
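The acceptance rule described above, written out as an added example (this is not Checkmk's own code): basicConstraints cA must be set, a missing KeyUsage extension is tolerated, and a present KeyUsage without keyCertSign is rejected. It assumes the `cryptography` package is installed; the self-signed test certificates are constructed inline.

```python
# Added example, not Checkmk's code: classify a certificate as CA or not using the
# rule from the Werk. Assumes the `cryptography` package is available.
import datetime
from typing import Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def is_ca_certificate(cert: x509.Certificate) -> bool:
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False  # X.509 makes the cA flag the one mandatory marker of a CA
    if not bc.ca:
        return False
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True  # KeyUsage absent: accepted since this Werk
    return ku.key_cert_sign  # KeyUsage present: keyCertSign must be set


def key_usage(sign: bool) -> x509.KeyUsage:
    """KeyUsage extension with keyCertSign (and cRLSign) either set or cleared."""
    return x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=sign,
        crl_sign=sign, encipher_only=False, decipher_only=False)


def make_cert(ca: bool, ku: Optional[x509.KeyUsage]) -> x509.Certificate:
    """Constructed self-signed test certificate; only the two extensions matter here."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-test-ca")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ku is not None:
        builder = builder.add_extension(ku, critical=True)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(is_ca_certificate(make_cert(True, None)))             # True: cA, no KeyUsage
    print(is_ca_certificate(make_cert(True, key_usage(False))))  # False: KeyUsage lacks keyCertSign
```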
Title: postgres_processes: Restore Monitoring if Instance Name is Missing
Class: fix
Compatible: compat
Component: checks
Date: 1695383436
Edition: cre
Knowledge: doc
Level: 1
Version: 2.3.0b1
As of versions 2.1.0p30 and 2.2.0p4, it was no longer possible to use the plugin postgres_instances
if the instance name was empty. In previous versions, this plugin would show a service with
the item <tt>PostgreSQL Instance </tt>. This service would be OK if there was at least one process
belonging to any postgres instance, and CRIT otherwise.
With this Werk, the plugin postgres_instances no longer crashes if there is an empty instance name.
The old service <tt>PostgreSQL Instance </tt> is no longer discovered. Instead, the new check plugin
postgres_processes can be used.
------------------------------------<diff>-------------------------------------------
Title: postgres_processes: Restore Monitoring if Instance Name is Missing
Class: fix
Compatible: compat
Component: checks
Date: 1695383436
Edition: cre
Knowledge: doc
Level: 1
Version: 2.3.0b1
As of version 2.1.0p30 and 2.2.0p4, it was no longer possible to use the plugin postgres_instances,
- if the instance name was empty, i.e. ``. In previous versions, this plugin would show a service with
? --- ------
+ if the instance name was empty. In previous versions, this plugin would show a service with
- the item `PostgreSQL Instance `. This service would be OK, if there was at least one process
? ^ ^
+ the item <tt>PostgreSQL Instance </tt>. This service would be OK, if there was at least one process
? ^^^^ ^^^^^
belonging to any postgres instance, and CRIT otherwise.
With this Werk, the plugin postgres_instances no longer crashes, if there is an empty instance name.
- The old service `PostgreSQL Instance ` is no longer discovered. Instead the new check plugin
? ^ ^
+ The old service <tt>PostgreSQL Instance </tt> is no longer discovered. Instead the new check plugin
? ^^^^ ^^^^^
postgres_processes can be used.
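Review bot: replacing the backtick spans with <tt>...</tt> matches the markup used by the other Werks in this message (for example the <tt>CVSS:3.1/...</tt> vectors), and dropping ", i.e. ``" removes an empty code span that rendered as nothing. Consider saying explicitly that the trailing space inside <tt>PostgreSQL Instance </tt> is intentional, since the item name ends in a space exactly because the instance name is empty; otherwise a later editor may "fix" it away.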
Title: CSRF in user-message deletion
Class: security
Compatible: compat
Component: wato
Date: 1700648297
Edition: cre
Level: 1
Version: 2.3.0b1
In Checkmk you can message other users via *Send user message*.
Prior to this Werk, an authenticated attacker who received such a user message could craft a link containing the generated message UUID that deletes the message.
This link was prone to CSRF: if another user was tricked into opening it, the message was deleted, possibly before that user could read it.
* This vulnerability was identified through a commissioned penetration test conducted by Port Zero.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 3.5 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</tt>.
We assigned CVE-2023-6251 to this vulnerability.
<b>Changes</b>:
This Werk adds CSRF token validation to this endpoint.
Title: Livestatus Injections
Class: security
Compatible: compat
Component: wato
Date: 1700066363
Edition: cre
Level: 1
Version: 2.3.0b1
Prior to this Werk, it was possible to inject arbitrary Livestatus commands into the core via the WebUI.
We found this vulnerability internally.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</tt>.
We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
<b>Changes</b>:
This Werk strips newlines from the relevant parameters.
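Why stripping newlines closes this hole, for both the 2.2.0p15 and the 2.3.0b1 copy of the Livestatus Werk above, as an added example that is not Checkmk's code: Livestatus is line-oriented (one header per line, an empty line ends the request), so a line break inside a user-supplied value turns the rest of the value into a header of its own. The query builder, the guards and the tainted sample value are all constructed for this example.

```python
# Added example, not Checkmk's code: guard user-supplied values that are placed into a
# Livestatus query. The fix named in the Werk (strip newlines) is shown next to a
# stricter variant that rejects such values instead.
import re

# CR and LF both end a Livestatus header line; NUL is treated the same way here.
_LINE_BREAKS = re.compile(r"[\r\n\x00]")


def strip_livestatus_value(value: str) -> str:
    """Mitigation described in the Werk: remove line breaks from a parameter."""
    return _LINE_BREAKS.sub("", value)


def require_single_line(value: str) -> str:
    """Stricter alternative: refuse the request instead of silently rewriting the value."""
    if _LINE_BREAKS.search(value):
        raise ValueError("line break in Livestatus parameter")
    return value


def build_query(table: str, column: str, value: str, guard=strip_livestatus_value) -> str:
    """Build a GET query with a single Filter header; `guard` is applied to the user value."""
    return f"GET {table}\nFilter: {column} = {guard(value)}\n\n"


def header_lines(query: str) -> list:
    """Headers as Livestatus reads them: everything before the first blank line, per line."""
    return query.split("\n\n", 1)[0].split("\n")


# Constructed input: a host name carrying an embedded line break.
TAINTED = "myhost\nFilter: name = otherhost"

if __name__ == "__main__":
    unguarded = build_query("hosts", "name", TAINTED, guard=lambda v: v)
    guarded = build_query("hosts", "name", TAINTED)
    print(header_lines(unguarded))  # three headers: the value became a second Filter line
    print(header_lines(guarded))    # two headers: GET plus exactly one Filter line
```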
Title: Fix inconsistent interaction for graphs in dashboards
Class: fix
Compatible: compat
Component: multisite
Date: 1700147621
Edition: cre
Level: 1
Version: 2.3.0b1
The mouse interaction (zooming, scrolling, etc.) for graphs in dashboards only worked sporadically and at seemingly random points.