ID: 14959
Title: cmk-update-agent: Limit update interval
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The agent update interval (configurable in ruleset "Agent updater") is now
limited to a maximum value of 30 days.
Existing rules with a higher interval will continue to work, but can't be
edited without adapting the value.
ID: 14946
Title: avoid unnecessary use of the password storage
Component: config
Level: 1
Class: Bug fix
Version: 2.2.0i1
In some cases this change may considerably increase
the speed of configuration generation.
SUP-11910
ID: 14776
Title: Add perf_data_count and metrics_count columns to status table
Component: Livestatus
Level: 1
Class: New feature
Version: 2.2.0i1
This adds 4 columns to the status table: perf_data_count, perf_data_count_rate,
metrics_count, and metrics_count_rate that represent the total number of performance
data and metrics handled by the core.
ID: 14775
Title: Add overflow counters to status table
Component: Livestatus
Level: 1
Class: New feature
Version: 2.2.0i1
This adds 6 columns to the status table in livestatus: carbon_overflows,
carbon_overflows_rate, influxdb_overflows, influxdb_overflows_rate,
rrdcached_overflows, and rrdcached_overflows_rate. These columns
display the count or rate of data that could not be sent to their
respective connections.
ID: 14391
Title: Require password change for old password hashes
Component: Setup
Level: 1
Class: Security fix
Version: 2.2.0i1
Local users whose passwords are hashed with insecure hash functions in the htpasswd file will be required to change their passwords on their next UI login.
Users that authenticate via other mechanisms, such as LDAP, are not affected by this.
Starting from version 2.2, Checkmk will no longer support validating password hashes of deprecated and insecure hash algorithms.
To avoid situations where users are unable to log in (and require an administrator to manually reset their password), users whose passwords are currently hashed with any of the affected hash algorithms will be required to set a new password.
A warning message including all affected usernames will be displayed to the administrator running the `omd update` command.
You can use this list to contact these users and selectively inform them that they will be required to change their password during their next UI login.
In case they do not change their password before Checkmk is upgraded to version 2.2, these users will not be able to log in anymore after the upgrade and an administrator will have to reset the password.
The following hash algorithms that are currently still supported are affected: des-crypt, MD5-crypt, Apr MD5-crypt.
Passwords hashed with sha256-crypt will not require resetting the password but will be updated automatically on the user's next login (see Werk #14390).
New passwords will be hashed with bcrypt.
Should you wish to manually change a user's password via the CLI, please be aware of the newly introduced `cmk-passwd` utility (see Werk #14389).
Even though this Werk is related to security, it does not fix any exploitable issue.
Hence, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
ID: 14390
Title: Automatically update deprecated password hashes
Component: Setup
Level: 1
Class: New feature
Version: 2.2.0i1
Deprecated hashes of user passwords stored in the htpasswd file will now be automatically updated to a more modern hash format when the respective user logs in.
Specifically, password hashes created with the sha256-crypt algorithm will be updated to bcrypt hashes.
sha256-crypt hashes are still considered secure for password hashing.
However, we want to migrate all users' password hashes to the more modern bcrypt algorithm.
For users whose passwords are hashed with sha256-crypt we can do so automatically in the background when they authenticate successfully.
Older and less secure password hashes, such as MD5, are not updated automatically.
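The handling described in Werks #14391 and #14390 can be previewed per user by classifying each htpasswd entry by its hash scheme prefix. The following is an added example, not Checkmk code: the function names and sample entries are constructed, and treating a leading "!" as a locked-account marker is an assumption.

```python
import re

# Constructed sample input; the hash bodies are placeholders, not real digests.
SAMPLE_HTPASSWD = """\
alice:$2y$12$CONSTRUCTEDbcryptHASHplaceholder
bob:$5$rounds=535000$CONSTRUCTEDsalt$CONSTRUCTEDdigest
carol:$1$CONSTRUCT$CONSTRUCTEDdigest
dave:$apr1$CONSTRUCT$CONSTRUCTEDdigest
erin:CONSTRUCTED.x
frank:!$1$CONSTRUCT$CONSTRUCTEDdigest
"""

# Standard crypt(3) / Apache scheme identifiers.
PREFIXES = [
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"),
    ("$apr1$", "apr-md5-crypt"),
    ("$1$", "md5-crypt"),
]
# des-crypt has no prefix: exactly 13 characters from the crypt alphabet.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Outcome per scheme, as stated in the two Werks.
ACTION = {
    "bcrypt": "ok",
    "sha256-crypt": "auto-upgrade on next login",
    "md5-crypt": "password change required",
    "apr-md5-crypt": "password change required",
    "des-crypt": "password change required",
    "unknown": "review manually",
}

def scheme(pw_hash):
    h = pw_hash.lstrip("!")  # assumption: "!" prefix marks a locked account
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return name
    return "des-crypt" if DES_CRYPT.fullmatch(h) else "unknown"

def audit(text):
    """Map each username to (scheme, action)."""
    report = {}
    for line in text.splitlines():
        if ":" in line:
            user, pw_hash = line.strip().split(":", 1)
            name = scheme(pw_hash)
            report[user] = (name, ACTION[name])
    return report

def must_change(text):
    """Users who lose access after the upgrade unless they set a new password."""
    return sorted(u for u, (_, a) in audit(text).items()
                  if a == "password change required")
```

Running `must_change` over a copy of the htpasswd file before the upgrade gives the same kind of list that `omd update` warns about.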
ID: 14818
Title: Ceph OSDs check plugin now uses the warning threshold
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The Ceph OSDs check plugin ignored the warning thresholds for OSDs out and OSDs down.
This has been fixed now.
ID: 14632
Title: mrpe: Check plugin no longer crashes when information is not available in the agent section
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check plugin used to crash if no further information about a service was available.
This has now been fixed, and if no further information is available, the check summary will be appropriate.
ID: 14897
Title: Fix audit log entry for removed vanished services
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
If a vanished service was removed on the service discovery page, the audit log
showed an entry like "Item "Foo" added.".
ID: 14898
Title: Fix Apache port configuration on "omd cp" command
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
Since version 2.1.0p7 and werk #14281 the Apache port of the source site was
used for the new site when using the "omd cp" command.
As a workaround you could execute 'omd update-apache-config [site]' to fix the
issue after the 'omd cp' command.