[pkg-nagios-changes] [Git][nagios-team/nagvis][master] 4 commits: New upstream version 1.9.43

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Fri Aug 30 16:24:28 BST 2024



Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / nagvis


Commits:
1cb99619 by Bas Couwenberg at 2024-08-30T17:11:07+02:00
New upstream version 1.9.43
- - - - -
c09c9e8f by Bas Couwenberg at 2024-08-30T17:11:12+02:00
Update upstream source from tag 'upstream/1.9.43'

Update to upstream version '1.9.43'
with Debian dir 76c9343b8e2d964eb727dc55485c93d60368f140
- - - - -
19ed49b6 by Bas Couwenberg at 2024-08-30T17:11:26+02:00
New upstream release.

- - - - -
6e011c98 by Bas Couwenberg at 2024-08-30T17:12:14+02:00
Set distribution to unstable.

- - - - -


14 changed files:

- ChangeLog
- debian/changelog
- docs/de_DE/about.html
- docs/de_DE/system_requirements.html
- docs/en_US/about.html
- docs/en_US/backend_mkbi.html
- docs/en_US/backend_mklivestatus.html
- docs/en_US/system_requirements.html
- share/server/core/classes/CoreLogonMultisite.php
- share/server/core/classes/GlobalBackendmklivestatus.php
- share/server/core/classes/GlobalMainCfg.php
- share/server/core/defines/global.php
- share/server/core/defines/matches.php
- share/userfiles/templates/default.header.html


Changes:

=====================================
ChangeLog
=====================================
@@ -1,14 +1,27 @@
+1.9.43
+Core:
+  * FIX: Fix error when entering correct proxy URLs with ports and proxy schemas.
+         Entering correct proxy URLS with ports and one of the following schemas
+         (tcp, udp, unix, udg, ssl, tls) would cause an error (Invalid format given)
+         even though these proxies are correct.
+
+Frontend:
+  * FIX: URLs still pointing to mathias-kettner.de documentation are now pointing to
+         the Checkmk documentation (docs.checkmk.com).
+  * FIX: Support forum links to no longer existing forum (monitoring-portal.org) are
+         now pointing to the Checkmk forum (forum.checkmk.com).
+
+Security
+  * Added cookie session timestamps validation when Nagvis is run within Checkmk
+
 1.9.42
 Security:
-  * FIX: Fix XSS in std_table.php gadget
-  * FIX: Fix XSS for malicious graph elements (CVSS core: 5.4)
-         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+  * FIX: Fix various XSS issues (std_table.php gadget, malicious graph elements, service names and script outputs).
+         CVE is requested and will be added once available. (CVSS score 8.8)
+         CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
   * FIX: Fix potential RCE due to being able to upload and configure a malicious map as authorisation_multisite_file.
          You can no longer upload such maps and the maps path is excluded from the authorisation_multisite_file upload
-         path. (CVSS score 8.8)
-         CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
-  * FIX: Prevent XSS in NagVis for service names and script outputs (CVSS score: 5.4)
-         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+         path.
   * FIX: Insecure password hashing algorithm for dedicated NagVis users (CVSS score: 5.1)
          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
   * FIX: Leak of installation path in error message
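Review bot: the rewritten 1.9.42 entry leaves the RCE fix with no score or vector at all, while the merged XSS item now carries the 8.8 score and the `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` vector that the two removed lines `-         path. (CVSS score 8.8)` and `-         CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` attached to the RCE item; either the lines were moved by mistake, or the rescoring of the XSS issues from 5.4 to 8.8 is intentional and should be stated. Two smaller points: the new `+Security` heading lacks the trailing colon that `Core:`, `Frontend:` and `Security:` use, and "Added cookie session timestamps validation" does not describe what the accompanying CoreLogonMultisite.php change does, which is to validate the session cookie by calling the Checkmk `api/1.0/version` endpoint; the wording should match the code.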


=====================================
debian/changelog
=====================================
@@ -1,9 +1,10 @@
-nagvis (1:1.9.42-2) UNRELEASED; urgency=medium
+nagvis (1:1.9.43-1) unstable; urgency=medium
 
   * Team upload.
+  * New upstream release.
   * Bump Standards-Version to 4.7.0, no changes.
 
- -- Bas Couwenberg <sebastic at debian.org>  Sun, 28 Jul 2024 20:12:30 +0200
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 30 Aug 2024 17:12:06 +0200
 
 nagvis (1:1.9.42-1) unstable; urgency=medium
 


=====================================
docs/de_DE/about.html
=====================================
@@ -33,7 +33,7 @@
         <p>NagVis ist ein Präsentationswerkzeug für die Informationen, die von Nagios gesammelt und mit Hilfe eines Backends zur Verfügung gestellt werden.
         <p>Die unterstützten Backends sind:</p>
         <ul>
-            <li><a href="http://mathias-kettner.de/checkmk_livestatus.html">mklivestatus</a> (Default seit NagVis 1.5)</li>
+            <li><a href="https://docs.checkmk.com/latest/en/livestatus.html">mklivestatus</a> (Default seit NagVis 1.5)</li>
             <li><a href="http://www.nagios.org/download/addons">NDOUtils</a> / <a href="http://docs.icinga.org/latest/en/ch12">IDOUtils</a> (erfordert MySQL)</li>
             <li><a href="https://github.com/ITRS-Group/monitor-merlin">merlin</a> (erfordert MySQL)</li>
         </ul>


=====================================
docs/de_DE/system_requirements.html
=====================================
@@ -24,7 +24,7 @@
     <p>Seit NagVis 1.5 ist MKLivestatus das Default-Backend, weil es viel schneller, leichtgewichtiger und stabiler als NDO ist.
         Außerdem ist es einfacher zu handhaben und zu installieren. Sie benötigen keine Datenbank für MKLivestatus.</p>
     <p>MKLivestatus ist ein Eventbroker-Modul für Nagios, das einen Unix-Socket versorgt, mit dem sich Addons wie NagVis verbinden können, um aktuelle Statusinformationen abzufragen.</p>
-    <p>MKLivestatus bekommen Sie auf der <a href=http://www.mathias-kettner.de/checkmk_livestatus.html>offiziellen MKLivestatus-Homepage</a>.
+    <p>MKLivestatus bekommen Sie auf der <a href=https://docs.checkmk.com/latest/en/livestatus.html>offiziellen MKLivestatus-Homepage</a>.
     
     <h2>Webserver mit PHP-Unterstützung</h2>
     NagVis ist eine webbasierte Applikation, die in JavaScript und PHP realisiert ist.
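Review bot: style: the edited `<a href=https://docs.checkmk.com/latest/en/livestatus.html>` keeps the attribute value unquoted; since the line is being rewritten anyway, quote it (`href="https://docs.checkmk.com/latest/en/livestatus.html"`) to match the other documentation files touched in this change.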


=====================================
docs/en_US/about.html
=====================================
@@ -23,13 +23,13 @@
     <a name="howworks"></a>
     <h2>How does NagVis work?</h2>
         <p>In general NagVis is a presentation tool for the information which is gathered by Nagios and transferred using backends. 
-        <p>The supported backends are:</p>
-        <ul>
-        <li><a href="http://mathias-kettner.de/checkmk_livestatus.html">mklivestatus</a> (default since NagVis 1.5)</li>
-        <li><a href="http://www.nagios.org/download/addons">NDOUtils</a> / <a href="http://docs.icinga.org/latest/en/ch12">IDOUtils</a> (requires MySQL)</li>
-        <li><a href="https://github.com/ITRS-Group/monitor-merlin">merlin</a> (requires MySQL)</li>
-        </ul>
-        The backend gets the information from the Nagios process (mklivestatus) or from a database (NDOUtils/IDOUtils, merlin).
+        <p>The supported backends are:</p>
+        <ul>
+        <li><a href="https://docs.checkmk.com/latest/en/livestatus.html">mklivestatus</a> (default since NagVis 1.5)</li>
+        <li><a href="http://www.nagios.org/download/addons">NDOUtils</a> / <a href="http://docs.icinga.org/latest/en/ch12">IDOUtils</a> (requires MySQL)</li>
+        <li><a href="https://github.com/ITRS-Group/monitor-merlin">merlin</a> (requires MySQL)</li>
+        </ul>
+        The backend gets the information from the Nagios process (mklivestatus) or from a database (NDOUtils/IDOUtils, merlin).
         <p>You can place all objects from Nagios (Host, Services, Hostgroups, Servicegroups) on so called maps. Each map can be configured through its own
         <a href="map_config_format_description.html">configuration file</a>. You can edit the configuration files directly by using your favourite text editor 
         or the web configuration mechanisms. Furthermore you can add some special NagVis objects to the maps. These objects are shapes, textboxes and 
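Review bot: apart from the mklivestatus href, every `-` line in this hunk is re-added with identical visible content, so the rest of the hunk is a whitespace or line-ending change that hides the one real edit; confirm that this is intended rather than an editor rewriting line endings, and if the lines are deliberately being rewritten, trim the trailing space after "transferred using backends. " on the context line above while at it.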
@@ -40,12 +40,12 @@
         for each object. Hover menus can easily be modified by changing the <a href="hover_templates.html">templates</a> for them. You can also disable the hover menu.<br> 
         By default the state of the objects is displayed using icons on the map. You can change these icons by adding <a href="extending/iconsets.html">iconsets</a> from the NagVis 
         homepage or create your own. The state of the objects can also be displayed as lines or as <a href="gadgets.html">gadgets</a>.</p>
-
-        <p>Apart from the normal maps there is an <a href="automap.html">automap</a>. The objects are places automatically starting from the root host you specified. Depending on the value of the directice "filter_by_state" it will show all objects or only the ones in a non-OK state (including the way from the root object).<br>
-        To be able to use the automap you have to define the parents directives in your Nagios host objects.<br>
-
-        Starting with NagVis 1.5 you can define more than one automap.</p>
-
+
+        <p>Apart from the normal maps there is an <a href="automap.html">automap</a>. The objects are places automatically starting from the root host you specified. Depending on the value of the directice "filter_by_state" it will show all objects or only the ones in a non-OK state (including the way from the root object).<br>
+        To be able to use the automap you have to define the parents directives in your Nagios host objects.<br>
+
+        Starting with NagVis 1.5 you can define more than one automap.</p>
+
     <a name="licensing"></a>
     <h2>Licensing</h2>
         <p>NagVis is free software; you can redistribute it and/or modify it under the terms of the <a href="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html">GNU General Public License version 2</a> as published by the <a href="www.fsf.org">Free Software Foundation</a>.</p>
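Review bot: this hunk removes and re-adds the automap paragraph with no visible difference, which again looks like a line-ending change; if these lines are being rewritten anyway, fix the two typos they carry: "The objects are places automatically" should read "placed", and `directice "filter_by_state"` should read "directive".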


=====================================
docs/en_US/backend_mkbi.html
=====================================
@@ -7,7 +7,7 @@
  <body>
     <h1>Check_MK Business Intelligence Backend</h1>
     <p>The Check_MK Business Intelligence (BI) Backend is used to connect NagVis directly with the
-       aggregations configured within <a href="http://mathias-kettner.de/checkmk_bi.html" target="_blank">Check_MK BI</a>.</p>
+       aggregations configured within <a href="https://docs.checkmk.com/latest/en/bi.html" target="_blank">Check_MK BI</a>.</p>
 
     <h2>The Check_MK BI API</h2>
     <p>Check_MK BI offers a webservice which is called by HTTP GET requests and


=====================================
docs/en_US/backend_mklivestatus.html
=====================================
@@ -13,7 +13,7 @@
              than the NDO, Livestatus does not actively write out data e.g. to the disk.
              Instead, it opens a socket for external applications to connect to and fetches
              the current status information from Nagios. For details about the new data
-             access provider take a look at the <a href="http://www.mathias-kettner.de/checkmk_livestatus.html#H1:How to access Nagios status data" target="_blank">official documentation</a>.</p>
+             access provider take a look at the <a href="https://docs.checkmk.com/latest/en/livestatus.html" target="_blank">official documentation</a>.</p>
         <p>Since the first NagVis 1.5 release the mklivestatus backend is included on
              delivery. It performs much better than all other existing backends and
              comes with less overhead than other backends. No additional database is


=====================================
docs/en_US/system_requirements.html
=====================================
@@ -19,7 +19,7 @@
         <p>MKLivestatus is an Event Broker Module for Nagios which serves a unix socket
             where third party addons like NagVis can connect to for gathering live status
             information in a very fast way.</p>
-        <p>You can get MKLivestatus from the <a href="http://www.mathias-kettner.de/checkmk_livestatus.html" target="_blank">official MKLivestatus Homepage</a>.</p>
+        <p>You can get MKLivestatus from the <a href="https://docs.checkmk.com/latest/en/livestatus.html" target="_blank">official MKLivestatus Homepage</a>.</p>
         
         <h2>Webserver with PHP support</h2>
         <p>NagVis is a web based application realised in Javascript and PHP. You need a webserver with PHP support to run NagVis. We recommend the usage of <a href="http://www.apache.org/" target="_blank">Apache Webserver</a> with <a href="http://www.apache.net/" target="_blank">mod_php</a>.</p>


=====================================
share/server/core/classes/CoreLogonMultisite.php
=====================================
@@ -135,6 +135,31 @@ class CoreLogonMultisite extends CoreLogonModule {
             throw new Exception();
         }
 
+        // Check session periods validity
+        $site = cfg('defaults', 'backend')[0];
+        $baseUrl = cfg('backend_' . $site . '_bi', 'base_url');
+        $headers = [
+            'Content-type: application/json',
+            'Accept: application/json',
+            "Cookie: $cookieName=$cookieValue",
+        ];
+
+        $url = $baseUrl . 'api/1.0/version';
+
+        $contextOptions = [
+            'http' => [
+                'method' => 'GET',
+                'header' => implode("\r\n", $headers),
+            ]
+        ];
+
+        $context = stream_context_create($contextOptions);
+        $result = file_get_contents($url, false, $context);
+        if ($result === false) {
+            throw new Exception();
+        }
+        
+
         return $username;
     }
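Review bot: the new check has no timeout and a hard configuration dependency, so it can block or break every Multisite login. The stream context sets only `method` and `header`; without a `timeout` option an unreachable or slow Checkmk API holds the login request for the default socket timeout, and `cfg('defaults', 'backend')[0]` followed by `cfg('backend_' . $site . '_bi', 'base_url')` assumes the first default backend is a BI backend with a `base_url` ending in `/`; if it is not, `$url` becomes the relative string `api/1.0/version`, `file_get_contents` returns false and the `throw new Exception()` rejects every user. Validate that `$baseUrl` is non-empty before building the URL, and log why the check failed instead of throwing an empty exception. `$cookieName` and `$cookieValue` are not defined in the visible hunk; if they originate from the request, reject values containing CR or LF before interpolating them into `"Cookie: $cookieName=$cookieValue"`, because the headers are joined with `"\r\n"`. Finally, the comment "Check session periods validity" does not describe an API version call, and the hunk leaves a whitespace-only line plus an extra blank line before `return $username;`.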
 


=====================================
share/server/core/classes/GlobalBackendmklivestatus.php
=====================================
@@ -5,7 +5,7 @@
  *
  * Backend class for handling object and state information using the
  * livestatus NEB module. For mor information about CheckMK's Livestatus
- * Module please visit: http://mathias-kettner.de/checkmk_livestatus.html
+ * Module please visit: https://docs.checkmk.com/latest/en/livestatus.html
  *
  * Copyright (c) 2010 NagVis Project  (Contact: info at nagvis.org),
  *                    Mathias Kettner (Contact: mk at mathias-kettner.de)
@@ -32,7 +32,7 @@
  * @author  Lars Michelsen  <lm at larsmichelsen.com>
  *
  * For mor information about CheckMK's Livestatus Module
- * please visit: http://mathias-kettner.de/checkmk_livestatus.html
+ * please visit: https://docs.checkmk.com/latest/en/livestatus.html
  */
 class GlobalBackendmklivestatus implements GlobalBackendInterface {
     private $backendId = '';
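Review bot: style: the context line directly above the changed one reads "For mor information" (the first hunk in this file has the same typo); since the comment block is being edited, correct it to "more".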


=====================================
share/server/core/classes/GlobalMainCfg.php
=====================================
@@ -179,7 +179,7 @@ class GlobalMainCfg {
                 'http_proxy' => array(
                     'must'    => 0,
                     'default' => null,
-                    'match'   => MATCH_STRING_URL,
+                    'match'   => MATCH_STRING_PROXY,
                 ),
                 'http_proxy_auth' => array(
                     'must'    => 0,


=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.42');
+define('CONST_VERSION', '1.9.43');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports


=====================================
share/server/core/defines/matches.php
=====================================
@@ -40,8 +40,11 @@ define('DISALLOWED_AUTHORISATION_PATHS', '(.*etc\/nagvis\/maps\/.*)');
 define('MATCH_STRING_PATH', '/^[0-9a-z\s_.\-\/\\\]+$/i');
 define('MATCH_STRING_PATH_AUTHORISATION', '/^(?!' . DISALLOWED_AUTHORISATION_PATHS . ')[0-9a-z\s_.\-\/\\\]+$/i');
 define('MATCH_ALLOWED_URL_SCHEMES', '(http|https)');
-define('MATCH_STRING_URL', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~\{\}]+$/i');
-define('MATCH_STRING_URL_EMPTY', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~]*$/i');
+define('MATCH_ALLOWED_PROXY_SCHEMES', '(tcp|udp|unix|udg|ssl|tls)');
+define('MATCH_PORT', '(?::[0-9]+)?');
+define('MATCH_STRING_PROXY', '/^(?:' . MATCH_ALLOWED_PROXY_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~\{\}:]+' . MATCH_PORT . '$/i');
+define('MATCH_STRING_URL', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~\{\}:]+' . MATCH_PORT . '$/i');
+define('MATCH_STRING_URL_EMPTY', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~:]*' . MATCH_PORT . '$/i');
 define('MATCH_GADGET_OPT', '/^[0-9a-z\s:+[\]()_.,\-&?!#@=\/\\\%]+$/i');
 define('MATCH_STRING_STYLE', '/^[0-9a-z:;\-+%#(),.]*$/i');
 define('MATCH_COORDS',       '/^(?:(?:[0-9]+)|([a-z0-9]+(?:%[+-][0-9]+)?))$/');
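Review bot: `MATCH_PORT` is effectively dead in all three new patterns: `:` was added to the preceding character class (`...\{\}:]+`), so a `host:3128` suffix is already consumed by the greedy class and `(?::[0-9]+)?` never needs to match anything; the same class also means `MATCH_STRING_URL` and `MATCH_STRING_URL_EMPTY` now accept any number of colons anywhere in the value, not just one trailing port. If the intent is one optional port, keep `:` out of the class and let `MATCH_PORT` match it, or build the pattern explicitly as optional scheme, host characters, `MATCH_PORT`. Likewise `MATCH_ALLOWED_PROXY_SCHEMES` omits `http` and `https`, yet `http://proxy:3128` still matches `MATCH_STRING_PROXY` because `http` and `:` are ordinary characters in the class, so the scheme group restricts nothing; and the class still permits `\s`, which is hard to justify for a proxy address.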


=====================================
share/userfiles/templates/default.header.html
=====================================
@@ -152,7 +152,7 @@
         <span id="support-ddheader" onclick="ddMenuToggle(event, 'support')">{$langNeedHelp}</span>
         <ul id="support-ddcontent">
             <li><a target="_blank" href="{$pathBase}/docs/{$docLanguage}/index.html">{$langOnlineDoc}</a></li>
-            <li><a target="_blank" href="https://www.monitoring-portal.org/woltlab/index.php?board/42-nagvis/">{$langForum}</a></li>
+            <li><a target="_blank" href="https://forum.checkmk.com/">{$langForum}</a></li>
             <li><a target="_blank" href="{$pathBase}/frontend/nagvis-js/index.php?mod=Info" class="underline">{$langSupportInfo}</a></li>
         </ul>
     </li>



View it on GitLab: https://salsa.debian.org/nagios-team/nagvis/-/compare/4af232c6f7a468103ac87e6bc758de659951019e...6e011c983a5b0bfe0b3108ff58d268e3ec13e3ef
