ID: 15447
Title: SAML: global settings default user profile overwrites manual configuration
Component: setup
Level: 1
Class: Bug fix
Version: 2.3.0b1
When a user attribute was *not* mapped via SAML, the default user profile,
which is configured in the global settings (Global settings -> User management
-> Default user profile), would overwrite any manual configuration done for
this user. This has been fixed. User profiles are now created/updated with the
following priority:
1. SAML attributes (if configured)
2. Manually selected attributes
3. Defaults
ID: 13976
Title: Fields with autocompletion will now also match on internal ids
Component: Multisite
Level: 1
Class: New feature
Version: 2.3.0b1
UI fields that offer autocompletion of values will now also match against the internal ids of these values.
ID: 15069
Title: Fix Email HTML Injection
Component: Notifications
Level: 1
Class: Security fix
Version: 2.3.0b1
Previously an authenticated attacker with permissions to configure HTML notifications was able to inject HTML into E-Mails via <i>Insert HTML section between body and table</i>.
All versions up to 1.6. are subject to this vulnerability.
To detect previous exploitation of this vulnerability, check <tt>etc/check_mk/conf.d/wato/notifications.mk</tt>: search for <tt>insert_html_section</tt> and malicious HTML.
This vulnerability was found internally. We calculated a CVSS 3.1 score of 4.1 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N and assigned CVE-2023-22288.
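One way to run the check described in this werk, as an added example that is not part of the original werk or of Checkmk's own code: it parses the text of <tt>notifications.mk</tt> with Python's <tt>ast</tt> module (without executing it) and lists every <tt>insert_html_section</tt> value, flagging those that match a heuristic pattern. The sample rules, the pattern and the function name are assumptions constructed for illustration.

```python
import ast
import re

# Heuristic markers (an assumption of this example, not a vendor list):
# HTML that loads remote content, runs script or collects input in a mail.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|form|img|link|meta|base|a)\b"
    r"|\bon\w+\s*=|javascript:|(src|href|action)\s*=",
    re.IGNORECASE,
)

# Constructed sample in the Python-literal style of notifications.mk.
SAMPLE = '''
notification_rules += [
    {'description': 'Mail to admins',
     'notify_plugin': ('mail', {'insert_html_section': '<h2>Team Linux</h2>'})},
    {'description': 'Mail to ops',
     'notify_plugin': ('mail', {'insert_html_section':
         '<img src="https://example.invalid/p.gif">'})},
]
'''


def find_html_sections(source):
    """Return sorted (line, value, suspicious) for each insert_html_section.

    The configuration text is only parsed with ast, never executed.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        for key, value in zip(node.keys, node.values):
            if not (isinstance(key, ast.Constant)
                    and key.value == "insert_html_section"):
                continue
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                text = value.value
            else:
                text = ast.unparse(value)  # non-literal value: keep its source
            findings.append((key.lineno, text, bool(SUSPICIOUS.search(text))))
    return sorted(findings)


if __name__ == "__main__":
    for line, text, suspicious in find_html_sections(SAMPLE):
        print(f"line {line}: {'REVIEW' if suspicious else 'ok'}: {text!r}")
```

Entries that are not flagged still deserve a manual look, since the pattern only covers the markers listed in the code.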
ID: 15280
Title: synology_disk: use diskRole to ignore "not initialized" warning
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
A disk that is not initialized normally results in a warning. This is okay if
the disk is not used at all, is an SSD cache or is a hot spare.
Previously, all disks containing SSD or NVME in the disk model were assumed to
be caches.
ID: 15278
Title: synology_disk: read disk health status
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
A failing disk would report a working file system (as the file system was
still readable) but would still need to be replaced.
The check was extended to also report disk health status which was
introduced with DSM 7.1.
Also split the summary, remove duplicated temperature text, and remove text
about temperature levels, as no temperature levels can be defined for this
service.
ID: 15418
Title: Agent bakery: Provide AIX tar.gz package in USTAR format
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
By default, the agent bakery creates the .tar.gz packages in PAX (POSIX.1-2001) format.
AIX has only supported the PAX format since AIX 7.3.1 (released Dec 2022), and expects USTAR (POSIX.1-1988) format by default.<br>
Hence, we now package AIX .tar.gz packages in USTAR format.
ID: 15419
Title: Windows agent: Run plugins/local checks using non-system account
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
This Werk addresses a regression that appeared with Werk #14871, which introduced stricter access rights for the Windows agent's ProgramData directory.
Windows agent plugins and local checks can be configured to run under a specific user or group, either by configuring the agent ruleset
<i>Run plugins and local checks using non-system account</i> or by editing the <tt>check_mk.user.yaml</tt> file appropriately.
Starting with Checkmk 2.1.0p15/the above-mentioned Werk, plugins and local checks that are configured to run under a specific user failed to execute.<br>
The reason for this behavior was that, due to a preexisting bug, the Windows agent service then failed to set the proper access rights on the underlying files.<br>
With the stricter default access rights, the files were not accessible any longer.
This only affected plugins/local checks that are configured with the option <i>Run as User</i>, while the ones configured with <i>Run as local group</i> did succeed.
The above-mentioned bug is now fixed, and plugins/local checks will work as configured again.
To apply this fix, you need to update/reinstall the Windows Agent once.
ID: 15255
Title: Fixed removal of persistent acknowledgements
Component: Multisite
Level: 2
Class: Bug fix
Version: 2.3.0b1
Due to a regression introduced in 2.1.0, it was no longer possible to
remove the comment part of persistent acknowledgements via the GUI. This
has been fixed.
ID: 15429
Title: group_config: restrict name pattern for service-, contact-, host-group config
Component: REST API
Level: 1
Class: Bug fix
Version: 2.3.0b1
Prior to this werk, the user was allowed to specify any string for host group, service group
and contact group names. This behaviour differs from the UI and also the delete and get
endpoints. This werk unifies the restriction.