README 2016-02-19 5.9 kB
xymon-4.3.26.tar.gz 2016-02-19 3.0 MB
          <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>
           * * *   Release notes for Xymon 4.3.26   * * *
          <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>


This documents the important changes between Xymon releases, i.e.
changes you should be aware of when upgrading.

For a full list of changes and enhancements, please see the 
Changes file.


Changes for 4.3.26
==================

This is mostly a bug-fix release for JavaScript issues on the info and
trends pages, along with the enable/disable CGI. Several browsers had
difficulty with the new CSP rules introduced in 4.3.25.

XYMWEBREFRESH is now used as the default refresh interval for dynamic
status pages and various other xymongen destinations. Non-svcstatus 
pages can be overridden by altering the appropriate *_header template
files, but svcstatus refresh interval uses this value. (default: 60s)
Set in xymonserver.cfg(5).

Incoming test names are now restricted to alphanumeric characters, colons,
dashes, underscores, and slashes. Slashes and colons may be restricted in
a future release.

Unconfigured (ghost) host names are now restricted to alphanumerics, colons,
commas, periods, dashes, and underscores. It is strongly recommended to use only
valid hostnames and DNS components in server names.
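As an added example (not Xymon's own code) covering both the test-name and the ghost-host-name restrictions above, the following C validators apply the two character sets to the HOST.TEST token of an incoming status message. The message layout assumed here (a "status" word, then HOST.TEST, with the last '.' separating host from test and dots inside hostnames sent as commas) is an assumption about the Xymon protocol, not something these notes state.

```c
/* Added example, not Xymon's own code. Validates the host and test names in
 * an incoming "status HOST.TEST COLOR ..." message against the character
 * sets described in the 4.3.26 notes. The message layout assumed here
 * (hostname dots sent as commas, last '.' separating host from test) is an
 * assumption about the Xymon protocol, not something the notes state. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if s is non-empty and every byte is alphanumeric or in 'extra'. */
static int only_chars(const char *s, const char *extra)
{
    if (s == NULL || *s == '\0') return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (!isalnum(*p) && strchr(extra, *p) == NULL) return 0;
    }
    return 1;
}

/* Test names: alphanumerics, colons, dashes, underscores, slashes. */
int valid_testname(const char *name) { return only_chars(name, ":-_/"); }

/* Ghost (unconfigured) host names: alphanumerics, colons, commas,
 * periods, dashes, underscores. */
int valid_ghosthostname(const char *name) { return only_chars(name, ":,.-_"); }

/* Splits the HOST.TEST token of a status message into host and test and
 * validates both. Returns 1 when the message may be accepted, 0 to drop it. */
int accept_status_msg(const char *msg, char *host, size_t hostsz,
                      char *test, size_t testsz)
{
    char token[256];
    const char *dot;
    size_t hlen, tlen;

    if (msg == NULL || strncmp(msg, "status", 6) != 0) return 0;
    /* Skip the "status[+lifetime]" word, then read the HOST.TEST token. */
    if (sscanf(msg, "%*s %255s", token) != 1) return 0;
    dot = strrchr(token, '.');
    if (dot == NULL || dot == token || dot[1] == '\0') return 0;
    hlen = (size_t)(dot - token);
    tlen = strlen(dot + 1);
    if (hlen >= hostsz || tlen >= testsz) return 0;
    memcpy(host, token, hlen);
    host[hlen] = '\0';
    memcpy(test, dot + 1, tlen + 1);
    return valid_ghosthostname(host) && valid_testname(test);
}
```

A rejected message should be logged with the offending host or test name so that a client sending unexpected names shows up in the xymond log rather than silently disappearing.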

Files matched multiple times by logfetch in the client config retrieved
from config-local.cfg (such as a file matching multiple globs) will now only 
be scanned once and only use the ignore/trigger rules from its first entry.
(Note: A future version of Xymon may combine all matching rules for a file together.)

CLASS groupings in analysis.cfg and alerts.cfg will now reliably work for
hosts with a CLASS override in hosts.cfg. Previously, this class was not used
in favor of the class type sent in on any specific client message.



Changes for 4.3.25
==================

Several security issues have been resolved relating to "config" messages 
and Cross-Site-Scripting vulnerabilities in the web interface. We would 
like to thank Markus Krell for reporting the following security issues 
and for his assistance in working with us to resolve them.


(CVE-2016-2054) - Buffer overflow when handling "config" file requests.
(CVE-2016-2056) - Shell command injection vulnerability in useradm.sh 
and chpasswd.sh.

(CVE-2016-2055) - Credential leakage with "config" file requests.
The default suggested location for htpasswd files used in securing the
CGI interface had been $XYMONHOME/etc/ and documentation did not mention
that this file should ONLY be readable by the apache/webserver user.

Administrators should verify this file is not readable by the xymon user 
and modify ownership and permissions as needed. Additionally, the 
following restrictions have been added to files requested via "config" 
messages sent to xymond:

 - They must be regular files as returned by stat (no symlinks)
 - They must end in ".cfg"

The restriction on file names ending in ".cfg" can be overridden by setting 
ALLOWALLCONFIGFILES="TRUE" in xymonserver.cfg and restarting xymond.

Note that config files are processed through normal xymon file reading, 
so features such as "include" and "directory" still work when retrieving 
files over the network. These included files are not subject to the same 
restrictions.
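The two restrictions and the ALLOWALLCONFIGFILES override described above, as an added C example that is not Xymon's own code. It uses lstat() rather than stat() so that a symlink is reported as a symlink and refused, which is the effect the notes describe; the demonstration file names in main() are constructed.

```c
/* Added example, not Xymon's own code. Applies the two 4.3.25 rules for
 * files requested via "config" messages (regular file, name ends in ".cfg")
 * together with the ALLOWALLCONFIGFILES override. lstat() is used rather
 * than stat() so a symlink is seen as a symlink and refused. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name rule: must end in ".cfg" unless ALLOWALLCONFIGFILES="TRUE" is set. */
int config_name_allowed(const char *name, int allowallconfigfiles)
{
    size_t len;
    if (name == NULL || *name == '\0') return 0;
    if (allowallconfigfiles) return 1;
    len = strlen(name);
    return len >= 4 && strcmp(name + len - 4, ".cfg") == 0;
}

/* File rule: must be a regular file; symlinks, directories, devices refused. */
int config_file_is_regular(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;   /* missing or unreadable: refuse */
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Decision for one "config" request: 1 = serve the file, 0 = refuse. */
int config_request_allowed(const char *path, int allowallconfigfiles)
{
    return config_name_allowed(path, allowallconfigfiles)
        && config_file_is_regular(path);
}

int main(void)
{
    /* Constructed demonstration: a real .cfg file and a symlink pointing at it. */
    FILE *f = fopen("demo.cfg", "w");
    if (f) { fputs("# demo\n", f); fclose(f); }
    if (symlink("demo.cfg", "demo-link.cfg") != 0) perror("symlink");
    printf("demo.cfg:      %d\n", config_request_allowed("demo.cfg", 0));
    printf("demo-link.cfg: %d\n", config_request_allowed("demo-link.cfg", 0));
    printf("htpasswd:      %d\n", config_name_allowed("htpasswd", 0));
    unlink("demo-link.cfg");
    unlink("demo.cfg");
    return 0;
}
```

Note that these checks apply only to the file named in the request; as the notes say, files pulled in through "include" and "directory" are not covered by them.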


(CVE-2016-2057) - The xymond feedback queue (or BFQ) had been created 
using insecure permissions, allowing any local user to write messages 
into the queue. This has been resolved and the queue is now created 
with mode 0620, owned by the xymon user. If the queue already exists, 
xymond will attempt to re-create it using the correct permissions, but 
this may not succeed on all operating systems. Administrators should 
verify queue permissions using ipcs and delete the key manually with 
ipcrm if needed.


(CVE-2016-2058) - Dynamic and historical status pages generated by the 
CGI interface now include Content-Security-Policy headers to prevent 
JavaScript execution from the payload of status messages themselves. The 
built-in header can be disabled by setting XYMON_NOCSPHEADER in 
xymonserver.cfg if you prefer to set the policy from your Apache 
configuration instead.


Additional changes:


A bug introduced in 4.3.22 that could cause xymond_alert to fail to
alert after seeing an unknown (newly added) host alert for the 
first time has been fixed. Additionally, xymond_alert now regularly
reloads the hosts.cfg file to pick up changes.


The "Actual" memory value on Windows systems will be reported
more accurately. (Thanks, John Rothlisberger)

A trends_header and trends_footer have been added in the /web/
templates directory for use on trends display pages.

The xymonclient.cfg file now has a section for passing options
to xymond_client and logfetch without having to edit the script.

The logfetch command now accepts --noexec as an option to inhibit
running commands from the client config used to list files to scan
for messages.

The logfetch command can use a file glob(7) in client-local.cfg (or 
localclient.cfg) indicated by angle brackets. This is more efficient
and more secure than executing an `ls` command when matching known
file or log patterns.

The xymon.sh script now better matches LSB exit code expectations.

The --processor argument to xymond_rrd, allowing RRD data (i.e., metrics) 
to be easily sent to an external system such as OpenTSDB, has been 
properly documented.


All users of previous versions are strongly urged to upgrade.


Changes for 4.3.24
==================

Fixes a bug introduced in 4.3.22 where the non-excepted HTTP status 
codes were always seen as Critical instead of OK/Warning as intended.

All users are urged to upgrade.


Changes for 4.3.23
==================

Fixes a bug in 4.3.22 where RRD tracking of number of matching processes or
ports open on a client was not being performed.




>> For previous release notes, see the full file in the tarball <<
Source: README, updated 2016-02-19