ID: 15283
Title: solaris: Fix cleanup of temporary statgrab files
Component: agents
Level: 1
Class: Bug fix
Version: 2.1.0p27
The Solaris Checkmk agent creates a temporary file /tmp/statgrab.XYZ, where XYZ is
the process ID. This file was not always cleaned up.
ID: 15284
Title: solaris: Add timeout to statgrab command
Component: agents
Level: 1
Class: Bug fix
Version: 2.1.0p27
When the executable "timeout" is available on the system where the Checkmk agent
is executed, the statgrab command is run with a 20 second timeout. It is
known that on certain systems, the "statgrab mem." command takes up to two
minutes.
ID: 13753
Title: Support Diagnostics: Collect dump only from local site
Component: setup
Level: 1
Class: Bug fix
Version: 2.2.0b5
Previously, it was possible to select a remote site in the Support Diagnostics UI, from which the data was then copied.
This worked in cases where the amount of data to be transferred was rather small. In other cases, it regularly crashed or ran into timeouts
because the transfer took too long.
Now, the Support Diagnostics can only be collected from the local site. To collect data from a remote site,
you have to enable the configuration via Setup on this site and log in locally.
ID: 15466
Title: autodiscovery: Show site changes made by Periodic service discovery
Component: Setup
Level: 2
Class: Bug fix
Version: 2.3.0b1
The werk is incompatible because it removes the 'cmk --discover-marked-hosts' command.
We consider this command an internal one, so it is likely that you do not need to do anything.
However, if you need access to this command, please let us know.
Previously, if 'Periodic service discovery' was used with 'Automatically update service configuration'
enabled and the 'Do not activate changes' activation option, the services would be discovered but
the change wasn't visible in 'Activate pending changes' or in the audit log.
This made it impossible to know whether there are any discovered changes that need to be activated
and what these changes are.
Now, when changes get automatically discovered but not activated, they appear in
'Activate pending changes' and the action is logged to the audit log.
In case of automatic discovery with activation, the action will be logged to the audit log.
ID: 15671
Title: SAML: use RSA-SHA256 to sign authentication requests
Component: setup
Level: 1
Class: New feature
Version: 2.3.0b1
Previously, Checkmk signed its authentication requests with RSA-SHA512. However, some
identity providers (e.g. some versions of Microsoft ADFS) do not support any
signature algorithms beyond SHA256. As a result, the authentication requests
were rejected with an error message similar to
"Error details: MSIS7093: The message is not signed with expected signature
algorithm. Message is signed with signature algorithm
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512. Expected signature algorithm
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256."
For this reason, Checkmk now uses RSA-SHA256 to sign its authentication
requests.
ID: 15190
Title: Allow agent registration using an IP address as hostname
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.1.0p27
IP addresses can now be used as hostnames again when registering new agents with the Agent Controller.
This fixes a regression that was introduced with Checkmk 2.1.0p12 / Werk #14385.
ID: 15560
Title: Drop support for Debian-9
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0b6
Checkmk won't be built anymore for Debian-9 (stretch) from 2.2.0 and upwards as Debian-9's LTS support ended on June 30, 2022:
https://wiki.debian.org/LTS
The support from our side was already dropped during the beta phase with <tt>2.2.0b5</tt>.
ID: 15189
Title: Don't log automation user credentials when generating performance graph diagnostics
Component: Reporting & Availability
Level: 1
Class: Security fix
Version: 2.1.0p27
Prior to this Werk, creating a Support Diagnostic report including the option "<b>Performance Graphs of Checkmk Server</b>" caused the automation secret of the user "automation" to be logged to the site Apache access log file (<tt>var/log/apache/access_log</tt>).
This affected both creating the diagnostic report via the GUI (<tt>Setup > Maintenance > Support diagnostics</tt>) and via the command line (<tt>cmk --create-diagnostics-dump --performance-graphs</tt>).
With this Werk the credentials are no longer written to the log file.
Note that no automatic sanitization of the log file is attempted by applying this patch.
This issue was discovered during internal review.
<b>Affected Versions</b>:
<ul>
<li>2.2.0 (beta)</li>
<li>2.1.0</li>
<li>2.0.0</li>
</ul>
<b>Mitigations</b>:
Users are advised to change the secret of the user "automation" via the User Management UI.
If this is not an option for you, delete or manually sanitize the Apache access log file and any backup of the file.
Remove any line that contains a <tt>POST</tt> to <tt><your site URL>/report.py?_username=automation&_secret=<...></tt>.
Refrain from using the affected functionality before applying this patch or manually sanitize the file afterwards.
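The manual sanitization described above can be scripted. The following is an added example, not part of the Werk or of Checkmk's own code; the function names are hypothetical, rotated backups are assumed to be gzip-compressed, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example for Werk 15189: find and remove access-log lines that contain
# the automation secret. The sample log lines below are constructed.

# A POST to .../report.py whose query string carries the automation secret.
LEAK_RE='POST [^ ]*/report\.py\?[^ ]*_username=automation&_secret='

# Print a log to stdout; rotated backups are assumed to be gzip-compressed.
read_log() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Print how many lines of the given log leak the secret.
count_leaks() {
    read_log "$1" | grep -Ec -- "$LEAK_RE" || true
}

# Remove the leaking lines, writing back through the existing inode so that
# owner and mode of the log file are preserved.
sanitize_log() {
    log=$1
    tmp=$(mktemp "${log}.XXXXXX") || return 1
    # grep -v exits 1 when no line survives; only a status above 1 is an error.
    read_log "$log" | grep -Ev -- "$LEAK_RE" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f -- "$tmp"; return 1; }
    case "$log" in
        *.gz) gzip -c -- "$tmp" > "$log" ;;
        *)    cat -- "$tmp" > "$log" ;;
    esac
    rm -f -- "$tmp"
}

# Build a constructed sample log (site name and secret are placeholders).
make_sample() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /mysite/check_mk/index.py HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2023:10:00:05 +0000] "POST /mysite/check_mk/report.py?_username=automation&_secret=PLACEHOLDER HTTP/1.1" 200 2048
192.0.2.10 - - [01/Jan/2023:10:00:09 +0000] "POST /mysite/check_mk/login.py HTTP/1.1" 302 0
EOF
}
```

Run the sanitization while the site's Apache is stopped, so that no log lines are appended during the rewrite, and apply it to every backup copy of the log as well.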
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 4.4 (Medium) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</tt>.
We have assigned CVE-2023-31207.
ID: 15393
Title: cisco_meraki_org_device_info: Add more information to HW/SW inventory
Component: HW/SW Inventory
Level: 1
Class: New feature
Version: 2.3.0b1
The following fields of a device are added:
<ul>
<li>Address</li>
<li>Product type (if available)</li>
<li>Organisation ID</li>
<li>Organisation name</li>
</ul>
ID: 15664
Title: <tt>inv_cisco_vlans</tt>: Fix <tt>'list' object has no attribute 'id_'</tt>
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
The inventory plugin <tt>inv_cisco_vlans</tt> crashed with
C+:
'list' object has no attribute 'id_'
C-:
This error was shown in the service output of the HW/SW inventory service of affected hosts.