ID: 0982
Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i4
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is
mainly the result of improper output encoding. Reflected XSS can be triggered
by sending a malicious URL to a user of the check_mk application. Once the
XSS attack is triggered, the attacker has access to the full check_mk (and
nagios) application with the access rights of the logged-in victim.
The fix applies to the functions:
htmllib.py: render_status_icons()
actions.py: ajax_action()
ID: 1002
Title: Fix crash when debugging notifications with non-ASCII characters
Component: Notifications
Level: 2
Class: Bug Fix
Version: 1.2.5i4
When full notification debugging was enabled, notifications containing
a non-ASCII character would raise an exception and not be sent.
ID: 0940
Title: Fixed various core SIGSEGV when using malformed livestatus queries
Component: Core & Setup
Level: 2
Class: Security Fix
Version: 1.2.5i4
Some malformed livestatus queries could crash the monitoring core.
This happened whenever the value field for certain keys was missing.<br>
For example
C+:
lq "GET hosts\nColumnHeaders:\n"
lq "GET hosts\nAnd:\n"
lq "GET hosts\nKeepalive:\n"
C-:
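Added example, not part of the werk or of Check_MK's own code: a pre-flight check
that rejects livestatus query text whose headers lack a value before it is sent to
the core. It assumes a query is a "GET <table>" line followed by "Header: value"
lines; the function names and the sample list are hypothetical.

```python
# Added example: validate livestatus query text before sending it to the core.
# Assumption: a query is "GET <table>" followed by "Header: value" lines.


def find_malformed_headers(query):
    """Return a list of (line_number, problem) tuples for a query string."""
    lines = query.split("\n")
    # A trailing newline leaves empty elements at the end; drop them.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return [(1, "empty query")]

    problems = []
    parts = lines[0].split()
    if len(parts) != 2 or parts[0] != "GET":
        problems.append((1, "first line must be 'GET <table>'"))

    for number, line in enumerate(lines[1:], start=2):
        if line == "":
            # Policy of this example: refuse text that continues after a blank line.
            problems.append((number, "blank line inside query"))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            problems.append((number, "header without ':' separator"))
        elif not name.strip():
            problems.append((number, "header without a name"))
        elif not value.strip():
            # The case named in the werk: key present, value field missing.
            problems.append((number, "header %r has no value" % name.strip()))
    return problems


def is_safe_to_send(query):
    """True when the query passed every structural check above."""
    return not find_malformed_headers(query)


# Constructed samples: the three queries from the werk plus a well-formed one.
SAMPLES = [
    "GET hosts\nColumnHeaders:\n",
    "GET hosts\nAnd:\n",
    "GET hosts\nKeepalive:\n",
    "GET hosts\nColumns: name state\nColumnHeaders: on\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), find_malformed_headers(sample) or "ok")
```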
ID: 0621
Title: zfsget: better filesystem selection and calculation of sizes
Component: Checks & Agents
Level: 2
Class: Bug Fix
Version: 1.2.5i4
zfsget now only inventorizes filesystems of type "filesystem".
If a mountpoint is present several times in the zfsget section of the agent
data (with different device names), and also in the df section, the entry
in the zfsget section with the device name from the df section is taken for
calculating the data.
ID: 0620
Title: New version of Check_MK's hardware and software inventory including a much extended Windows agent and inventory functions
Component: HW/SW-Inventory
Level: 2
Class: New Feature
Version: 1.2.5i4
ID: 0816
Title: States of events can now be set by patterns
Component: Event Console
Level: 2
Class: New Feature
Version: 1.2.5i4
The states of events created by a rule can now be set by regex patterns. A rule can now
create events with different states. The mechanism is as follows:
1. The "text to match" pattern needs to match a message.
2. When a rule has configured "(set by message text)" as state, and patterns are defined
for the single states, the message will be matched against these patterns to calculate
the state of the event.
3. When none of these patterns matches, the event is set to UNKNOWN.
ID: 0987
Title: New button for updating DNS cache
Component: WATO
Level: 2
Class: New Feature
Version: 1.2.5i4
On the host details page in WATO there is now a new button <i>Update DNS Cache</i>. If you
press this button, all cached IP addresses of hosts on the same site as the host currently
being edited are updated.
Use this button when you have not specified an explicit address for a host and that host's
IP address has been changed in your DNS (and you are not willing to wait for the next
regular update).