ID: 14111
Title: Dynamic host management: Fix MKAPIError
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
If the global option "Connection to the Web API" was changed, the error
"MKAPIError: {"title": "You need to be authenticated to use the REST API.",
"status": 401}" occurred.
ID: 14112
Title: Fix non functional "Show all results" button in monitoring search
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
Even when the button was used, the same number of search results was shown.
ID: 14109
Title: SLA: Fix reclassifying states to OK
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
If you reclassified host or service states to OK, the change had no effect.
ID: 14142
Title: mk_zypper: Missing data in agent output
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The mk_zypper agent plugin did not output the data
needed by the check plugin.
ID: 14089
Title: Checkmk agent TLS encryption and compression
Component: Checks & agents
Level: 2
Class: New feature
Version: 2.2.0i1
In Checkmk version 2.1 the monitoring data sent from the monitored host to the monitoring server is TLS encrypted and compressed by default.
This is realized by a new component on the monitored hosts:
the Checkmk agent controller.
The added executable is called <tt>cmk-agent-ctl</tt>.
On Linux systems, the agent controller will be run as a dedicated user <i>cmk-agent</i>, which is added during installation.
As a result the process listening on the TCP port will have limited privileges, and the agent output is not available to any other local user.
While upgraded setups will continue to work as before, in order to enable TLS encryption an additional registration step is required.
More information on the registration step, the installation and the provided commands can be found <a href="https://docs.checkmk.com/master/en/agent_linux.html">in our online documentation</a>.
ID: 13902
Title: Secure path for OMD hooks
Component: OMD
Level: 1
Class: Security fix
Version: 2.2.0i1
OMD executes several hooks to determine configuration options (e.g. which port
to use for the site apache). These hooks are version dependent, so OMD executed
these hooks via a symlink in the site to get the hooks matching the version of
the site.
The symlinks belong to the site user so that the site user can update
the version. Since an <i>OMD status</i> executes those hooks as root, it was
possible for a site user to create a malicious hook and execute code as root.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that previous versions were also vulnerable.
The CVE will be added here later.
CVSS: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 8.2
We thank Timo Klecker for reporting this issue!
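As an added illustration of the trust problem described above (not code from OMD or Checkmk), the following audit walks every component of a path that root is about to execute, follows symlinks by hand, and reports anything a non-root user owns or can write. The directory layout, the hook name and the function names are constructed placeholders.

```python
import os
import stat
import tempfile


def audit_exec_path(base, rel_path, trusted_uids=frozenset({0}), max_links=16):
    """Return (component, reason) for each component of base/rel_path that is
    owned by a uid outside `trusted_uids` or writable by group/other."""
    findings, current = [], base
    todo = rel_path.split(os.sep)
    while todo:
        part = todo.pop(0)
        if part in ("", "."):
            continue
        if part == "..":
            current = os.path.dirname(current)
            continue
        current = os.path.join(current, part)
        st = os.lstat(current)  # lstat: inspect the link itself, not its target
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner uid %d" % st.st_uid))
        if stat.S_ISLNK(st.st_mode):
            max_links -= 1
            if max_links < 0:
                raise OSError("too many symlinks under " + base)
            target = os.readlink(current)
            # Resume from the link's directory, or from / for absolute links.
            current = os.sep if os.path.isabs(target) else os.path.dirname(current)
            todo = target.split(os.sep) + todo
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group/world writable"))
    return findings


def build_demo_site():
    """Constructed layout (placeholder names): site/version -> ../versions/X.Y."""
    base = os.path.realpath(tempfile.mkdtemp())
    hooks = os.path.join(base, "versions", "X.Y", "hooks")
    os.makedirs(hooks)
    os.mkdir(os.path.join(base, "site"))
    os.symlink("../versions/X.Y", os.path.join(base, "site", "version"))
    with open(os.path.join(hooks, "example_hook"), "w") as f:
        f.write("#!/bin/sh\necho 5000\n")
    for root, dirs, files in os.walk(base):
        for name in dirs + files:
            os.chmod(os.path.join(root, name), 0o755)
    return base, os.path.join("site", "version", "hooks", "example_hook")
```

A privileged caller would refuse to run the hook unless the returned list is empty for <tt>trusted_uids={0}</tt>.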
ID: 14110
Title: Fix using macros in sub directory option of scheduler entries
Component: Reporting & Availability
Level: 1
Class: Bug fix
Version: 2.2.0i1
If you used macros in option "Store in sub directory" of report scheduler
entries, the error "General Options: Please specify a relative path only using
a-z, 0-9, -, _, and ." occurred.
ID: 13649
Title: Dynamic host management: Do not fail to start on missing automation user
Component: Dynamic host configuration
Level: 1
Class: Bug fix
Version: 2.2.0i1
In some sites the 'automation' user might be missing. Even if the dynamic host
management was not configured, this made the DCD fail to start, leading to
partially started sites.
This change restores the behavior of version 2.0.