ID: 13297
Title: Setup (WATO) now uses Redis for certain lookups to improve GUI performance
Component: Setup
Level: 2
Class: New feature
Version: 2.2.0i1
Large installations with several thousand hosts/folders suffered from a decreased performance
when navigating through the folder hierarchy or when displaying rulesets.
Furthermore, the global settings option <tt>Hide folders without read permissions</tt> made the
entire setup system virtually unusable for non-admin users.
Some of the data is now cached via Redis, which reduces needless calculations and file parsing.
ID: 13803
Title: KUBE: Parse Objects without labels
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Checkmk would previously fail to parse Kubernetes objects, if they had no labels. Affected
Objects were StatefulSets, DaemonSets and Namespaces. This werk fixes the crash.
ID: 13848
Title: check_sql: make --text option WATO configurable
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
The `--text` option is now WATO configurable.
It lets users prefix the output with an additional text.
ID: 13844
Title: mk_inventory.solaris: Respect the configration file
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
The inventory plugin for Solaris now respects the same configuration
file as the plugins for AIX and Linux.
ID: 13463
Title: check_mk_agent.linux check_mk_agent.openwrt: Add multipath section if no multipath.conf
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Until now, Linux and OpenWrt agents wouldn't write a multipath
section if there was no /etc/multipath.conf file.
Since the config file isn't mandatory, it would lead to multipath
devices not being discovered in inventory if default configuration
is used.
ID: 13464
Title: citrix_state.controller: Provide info on powered off machine
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
In case of an empty "controller" field, the message "Machine powered off"
is displayed.
ID: 13897
Title: Fix command injection vulnerability
Component: Notifications
Level: 2
Class: Security fix
Version: 2.2.0i1
Previously to this Werk an attacker who could control certain notification
variables such as <tt>NOTIFICATIONTYPE</tt> or <tt>HOSTNAME</tt> was able to
inject commands to the fall-back mail command. The commands were then executed
as site user.
With this werk the variable <tt>MAIL_COMMAND</tt> is no longer available in
notification scripts.
You can reduce the risk of exploitation with disabling the listening of the
notification spooler (the default is disabled) (CEE/CME only feature).
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that also previous versions were vulnerable.
To detect possible exploitation <tt>var/log/mknotifyd.log</tt> and
<tt>var/log/notify.log</tt> can be checked for special shell characters like
<tt>&&</tt> and odd quoting.