ID: 1035
Title: Do not fail on errors in *.mk files anymore - except in interactive mode
Component: Core & Setup
Level: 2
Class: Bug Fix
Version: 1.2.5i5
If a syntax error occurred in <tt>main.mk</tt> or other <tt>*.mk</tt> files,
Check_MK used to abort any operation. This is nasty when for example a new
variable that has been introduced in a new version is not known in an older
version of Check_MK and thus after a version downgrade the configuration
cannot be activated any more.
The behaviour has now changed so that in case of such an error Check_MK will only
abort in <i>interactive</i> mode, i.e. if the standard output is a terminal.
That means that WATO will always try to activate Changes. You can force the
old behaviour by adding the new option <tt>--interactive</tt>.
ID: 0946
Title: hw/sw inventory: fixed display bug for byte fields with the value 0
Component: HW/SW-Inventory
Level: 2
Class: Bug Fix
Version: 1.2.5i5
There was an exception for fields represented in bytes when the value was set to 0.
ID: 1013
Title: Sort host names naturally, e.g. foobar11 comes after foobar2
Component: Multisite
Level: 2
Class: New Feature
Version: 1.2.5i5
Hostnames are now sorted naturally. That means that sequences of numbers
are being interpreted as numbers. This also works for host names that
have the form of an IPv4 address, e.g. <tt>10.1.1.5</tt> is now correctly
sorted before <tt>10.1.1.11</tt> and <tt>srv17_3</tt> comes before <tt>srv17_108</tt>.
This new sorting is implemented in the status GUI and also in WATO.
ID: 1012
Title: Fix quoting of \ in custom checks with nagios core
Component: Core & Setup
Level: 2
Class: Incompatible Change
Version: 1.2.5i5
When you are using Nagios as monitoring core then backslashes contained
in <tt>custom_checks</tt> (Classical active and passive Nagios checks) would
be interpreted by Nagios. That way single backslashes would usually vanish
and you would have to duplicate them.
The Check_MK Micro Core never interpreted these backslashes so it was
transparent for the user.
This fix changes the behaviour of Check_MK in a way that also with the
Nagios core you need only one backslash. Backslashes are transparent
now.
<b>NOTE</b>: If you have custom checks that contain backslashes (for
example as part of names or passwords) then you need to remove
duplicate backslashes after this update!
ID: 0944
Title: oracle_tablespaces: fixed calculation of space left and number of remaining increments
Component: Checks & Agents
Level: 2
Class: Bug Fix
Version: 1.2.5i5
The remaining increments and space left were not correctly calculated when the
remaining memory space was not a multiple of the increment size.<br>
For example:<br>
C+:
Tablespace
900 MB used
100 MB free space for autoincrement
200 MB increment size
C-:
The previous version calculated 900 MB as maximum size, because the increment size was greater
than the remaining autoincrement space. This was wrong. The last increment also uses the remaining
space, even if the remaining size is smaller than the increment size.<br><br>
As a result, this fix actually increases the amount of available free space,
so it should not have any negative side effects for already configured limits.
ID: 0943
Title: if.include: fixed incorrect traffic percentage values in the check output of if checks
Component: Checks & Agents
Level: 2
Class: Bug Fix
Version: 1.2.5i5
There was a display bug in the traffic percentages. The value was off by a factor of 8.<br>
This bug didn't cause wrong check results or performance data values, just a visual glitch.
ID: 0984
Title: Fix code injection for logged in users via automation url
Component: WATO
Level: 2
Class: Incompatible Change
Version: 1.2.5i4
This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
<i>The check_mk application uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was modified as a security means from a former version, which used
"eval"-like structures with untrusted input data. Anyhow, as the python API
documentation clearly states, "pickle" should be considered unsafe as well,
see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
The fix replaces <tt>pickle</tt> with a module called <tt>ast</tt>. Unfortunately
this module is not available on CentOS/RedHat 5.X and Debian 5. On these
systems WATO still uses <tt>pickle</tt>, even with this fix.
<b>Note:</b> This change makes the current Check_MK versions incompatible
with older versions. In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old
unsafe method by setting <tt>wato_legacy_eval = True</tt> in <tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.
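Added example, not Check_MK's own code: why a literal parser is a safer wire format than <tt>pickle</tt> for data received over a URL. It assumes the data is encoded with <tt>repr()</tt> and decoded with <tt>ast.literal_eval</tt> (the werk names only the <tt>ast</tt> module); the function names, the <tt>CallsOnLoad</tt> class and the sample config are constructed for illustration.

```python
import ast
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call/construct an object.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def encode(obj):
    """Serialise plain data (dict, list, str, numbers, ...) as a Python literal."""
    return repr(obj)


def decode(text):
    """Parse a literal only; ast.literal_eval raises ValueError on calls or names."""
    return ast.literal_eval(text)


def pickle_can_call(blob):
    """Inspect a pickle stream without loading it: True if it can import or call."""
    return any(op.name in CALL_OPCODES
               for op, _arg, _pos in pickletools.genops(blob))


class CallsOnLoad(object):
    """Constructed demo object: its pickle names a callable to run on load."""
    def __reduce__(self):
        return (len, ("called",))  # harmless builtin stands in for any callable


def demo():
    config = {"hosts": ["srv1", "10.1.1.5"], "timeout": 30, "tls": True}  # constructed
    results = {"roundtrip": decode(encode(config)) == config}
    try:
        decode("__import__('os').getcwd()")  # an expression, not a literal
        results["expression_rejected"] = False
    except ValueError:
        results["expression_rejected"] = True
    blob = pickle.dumps(CallsOnLoad())
    results["pickle_flagged"] = pickle_can_call(blob)
    results["pickle_load_result"] = pickle.loads(blob)  # len() ran during load
    results["plain_pickle_flagged"] = pickle_can_call(pickle.dumps(config))
    return results


if __name__ == "__main__":
    print(demo())
```

The opcode scan is a triage aid for stored or captured blobs, not a sandbox; on hosts that still fall back to <tt>pickle</tt>, the input has to come from a trusted peer.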
ID: 0983
Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i4
The fixed weakness was:
The check_mk application does allow an attacker to write check_mk config files
(.mk files) on arbitrary locations on the server filesystem.