[pkg-nagios-changes] [Git][nagios-team/nagvis][upstream] New upstream version 1.9.43

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Fri Aug 30 16:24:41 BST 2024



Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / nagvis


Commits:
1cb99619 by Bas Couwenberg at 2024-08-30T17:11:07+02:00
New upstream version 1.9.43
- - - - -


13 changed files:

- ChangeLog
- docs/de_DE/about.html
- docs/de_DE/system_requirements.html
- docs/en_US/about.html
- docs/en_US/backend_mkbi.html
- docs/en_US/backend_mklivestatus.html
- docs/en_US/system_requirements.html
- share/server/core/classes/CoreLogonMultisite.php
- share/server/core/classes/GlobalBackendmklivestatus.php
- share/server/core/classes/GlobalMainCfg.php
- share/server/core/defines/global.php
- share/server/core/defines/matches.php
- share/userfiles/templates/default.header.html


Changes:

=====================================
ChangeLog
=====================================
@@ -1,14 +1,27 @@
+1.9.43
+Core:
+  * FIX: Fix error when entering correct proxy URLs with ports and proxy schemas.
+         Entering correct proxy URLS with ports and one of the following schemas
+         (tcp, udp, unix, udg, ssl, tls) would cause an error (Invalid format given)
+         even though these proxies are correct.
+
+Frontend:
+  * FIX: URLs still pointing to mathias-kettner.de documentation are now pointing to
+         the Checkmk documentation (docs.checkmk.com).
+  * FIX: Support forum links to no longer existing forum (monitoring-portal.org) are
+         now pointing to the Checkmk forum (forum.checkmk.com).
+
+Security
+  * Added cookie session timestamps validation when Nagvis is run within Checkmk
+
 1.9.42
 Security:
-  * FIX: Fix XSS in std_table.php gadget
-  * FIX: Fix XSS for malicious graph elements (CVSS core: 5.4)
-         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+  * FIX: Fix various XSS issues (std_table.php gadget, malicious graph elements, service names and script outputs).
+         CVE is requested and will be added once available. (CVSS score 8.8)
+         CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
   * FIX: Fix potential RCE due to being able to upload and configure a malicious map as authorisation_multisite_file.
          You can no longer upload such maps and the maps path is excluded from the authorisation_multisite_file upload
-         path. (CVSS score 8.8)
-         CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
-  * FIX: Prevent XSS in NagVis for service names and script outputs (CVSS score: 5.4)
-         CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+         path.
   * FIX: Insecure password hashing algorithm for dedicated NagVis users (CVSS score: 5.1)
          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
   * FIX: Leak of installation path in error message
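Review bot: the new `Security` heading in the 1.9.43 block lacks the colon the other headings (`Core:`, `Frontend:`, `Security:`) carry, `Nagvis` should be `NagVis`, and `URLS` should be `URLs`. More importantly, the hunk rewrites the entry of the already released 1.9.42: the three XSS items are merged into one and given the 8.8 score and the `PR:N/UI:R/S:U/C:H/I:H/A:H` vector that previously belonged to the RCE item, which is left with no score at all, while the original XSS vector (`PR:L/UI:R/S:C/C:L/I:L/A:N`, 5.4) disappears. If the scores were genuinely re-assessed, say so in the entry; as written it reads as the vector having been moved to the wrong item. The "CVE is requested" placeholder also needs the identifier filled in once it is assigned, and the 1.9.43 security entry should say what the new check does on failure (the login is rejected).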


=====================================
docs/de_DE/about.html
=====================================
@@ -33,7 +33,7 @@
         <p>NagVis ist ein Präsentationswerkzeug für die Informationen, die von Nagios gesammelt und mit Hilfe eines Backends zur Verfügung gestellt werden.
         <p>Die unterstützten Backends sind:</p>
         <ul>
-            <li><a href="http://mathias-kettner.de/checkmk_livestatus.html">mklivestatus</a> (Default seit NagVis 1.5)</li>
+            <li><a href="https://docs.checkmk.com/latest/en/livestatus.html">mklivestatus</a> (Default seit NagVis 1.5)</li>
             <li><a href="http://www.nagios.org/download/addons">NDOUtils</a> / <a href="http://docs.icinga.org/latest/en/ch12">IDOUtils</a> (erfordert MySQL)</li>
             <li><a href="https://github.com/ITRS-Group/monitor-merlin">merlin</a> (erfordert MySQL)</li>
         </ul>


=====================================
docs/de_DE/system_requirements.html
=====================================
@@ -24,7 +24,7 @@
     <p>Seit NagVis 1.5 ist MKLivestatus das Default-Backend, weil es viel schneller, leichtgewichtiger und stabiler als NDO ist.
         Außerdem ist es einfacher zu handhaben und zu installieren. Sie benötigen keine Datenbank für MKLivestatus.</p>
     <p>MKLivestatus ist ein Eventbroker-Modul für Nagios, das einen Unix-Socket versorgt, mit dem sich Addons wie NagVis verbinden können, um aktuelle Statusinformationen abzufragen.</p>
-    <p>MKLivestatus bekommen Sie auf der <a href=http://www.mathias-kettner.de/checkmk_livestatus.html>offiziellen MKLivestatus-Homepage</a>.
+    <p>MKLivestatus bekommen Sie auf der <a href=https://docs.checkmk.com/latest/en/livestatus.html>offiziellen MKLivestatus-Homepage</a>.
     
     <h2>Webserver mit PHP-Unterstützung</h2>
     NagVis ist eine webbasierte Applikation, die in JavaScript und PHP realisiert ist.
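Review bot: the rewritten line keeps the unquoted attribute `href=https://docs.checkmk.com/latest/en/livestatus.html`; quote it (`href="https://docs.checkmk.com/latest/en/livestatus.html"`) as the other `<a>` elements in these docs do. Since this is the German page and the new target is the `/en/` documentation, also check whether a German-language equivalent exists under docs.checkmk.com and link that instead.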


=====================================
docs/en_US/about.html
=====================================
@@ -23,13 +23,13 @@
     <a name="howworks"></a>
     <h2>How does NagVis work?</h2>
         <p>In general NagVis is a presentation tool for the information which is gathered by Nagios and transferred using backends. 
-        <p>The supported backends are:</p>
-        <ul>
-        <li><a href="http://mathias-kettner.de/checkmk_livestatus.html">mklivestatus</a> (default since NagVis 1.5)</li>
-        <li><a href="http://www.nagios.org/download/addons">NDOUtils</a> / <a href="http://docs.icinga.org/latest/en/ch12">IDOUtils</a> (requires MySQL)</li>
-        <li><a href="https://github.com/ITRS-Group/monitor-merlin">merlin</a> (requires MySQL)</li>
-        </ul>
-        The backend gets the information from the Nagios process (mklivestatus) or from a database (NDOUtils/IDOUtils, merlin).
+        <p>The supported backends are:</p>
+        <ul>
+        <li><a href="https://docs.checkmk.com/latest/en/livestatus.html">mklivestatus</a> (default since NagVis 1.5)</li>
+        <li><a href="http://www.nagios.org/download/addons">NDOUtils</a> / <a href="http://docs.icinga.org/latest/en/ch12">IDOUtils</a> (requires MySQL)</li>
+        <li><a href="https://github.com/ITRS-Group/monitor-merlin">merlin</a> (requires MySQL)</li>
+        </ul>
+        The backend gets the information from the Nagios process (mklivestatus) or from a database (NDOUtils/IDOUtils, merlin).
         <p>You can place all objects from Nagios (Host, Services, Hostgroups, Servicegroups) on so called maps. Each map can be configured through its own
         <a href="map_config_format_description.html">configuration file</a>. You can edit the configuration files directly by using your favourite text editor 
         or the web configuration mechanisms. Furthermore you can add some special NagVis objects to the maps. These objects are shapes, textboxes and 
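Review bot: every removed line in this hunk is re-added byte-for-byte identical in the listing, so this is a whitespace or line-ending change only; either leave the file out of a release commit or mention the normalisation in the commit message so reviewers do not hunt for a content change.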
@@ -40,12 +40,12 @@
         for each object. Hover menus can easily be modified by changing the <a href="hover_templates.html">templates</a> for them. You can also disable the hover menu.<br> 
         By default the state of the objects is displayed using icons on the map. You can change these icons by adding <a href="extending/iconsets.html">iconsets</a> from the NagVis 
         homepage or create your own. The state of the objects can also be displayed as lines or as <a href="gadgets.html">gadgets</a>.</p>
-
-        <p>Apart from the normal maps there is an <a href="automap.html">automap</a>. The objects are places automatically starting from the root host you specified. Depending on the value of the directice "filter_by_state" it will show all objects or only the ones in a non-OK state (including the way from the root object).<br>
-        To be able to use the automap you have to define the parents directives in your Nagios host objects.<br>
-
-        Starting with NagVis 1.5 you can define more than one automap.</p>
-
+
+        <p>Apart from the normal maps there is an <a href="automap.html">automap</a>. The objects are places automatically starting from the root host you specified. Depending on the value of the directice "filter_by_state" it will show all objects or only the ones in a non-OK state (including the way from the root object).<br>
+        To be able to use the automap you have to define the parents directives in your Nagios host objects.<br>
+
+        Starting with NagVis 1.5 you can define more than one automap.</p>
+
     <a name="licensing"></a>
     <h2>Licensing</h2>
         <p>NagVis is free software; you can redistribute it and/or modify it under the terms of the <a href="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html">GNU General Public License version 2</a> as published by the <a href="www.fsf.org">Free Software Foundation</a>.</p>
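Review bot: the re-added lines carry the same typos as the removed ones: "directice" should be "directive" and "The objects are places automatically" should read "are placed automatically"; since the lines are rewritten anyway, fix them here. In the context below, `href="www.fsf.org"` is a relative link that resolves to docs/en_US/www.fsf.org and needs a scheme (`https://www.fsf.org/`).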


=====================================
docs/en_US/backend_mkbi.html
=====================================
@@ -7,7 +7,7 @@
  <body>
     <h1>Check_MK Business Intelligence Backend</h1>
     <p>The Check_MK Business Intelligence (BI) Backend is used to connect NagVis directly with the
-       aggregations configured within <a href="http://mathias-kettner.de/checkmk_bi.html" target="_blank">Check_MK BI</a>.</p>
+       aggregations configured within <a href="https://docs.checkmk.com/latest/en/bi.html" target="_blank">Check_MK BI</a>.</p>
 
     <h2>The Check_MK BI API</h2>
     <p>Check_MK BI offers a webservice which is called by HTTP GET requests and


=====================================
docs/en_US/backend_mklivestatus.html
=====================================
@@ -13,7 +13,7 @@
              than the NDO, Livestatus does not actively write out data e.g. to the disk.
              Instead, it opens a socket for external applications to connect to and fetches
              the current status information from Nagios. For details about the new data
-             access provider take a look at the <a href="http://www.mathias-kettner.de/checkmk_livestatus.html#H1:How to access Nagios status data" target="_blank">official documentation</a>.</p>
+             access provider take a look at the <a href="https://docs.checkmk.com/latest/en/livestatus.html" target="_blank">official documentation</a>.</p>
         <p>Since the first NagVis 1.5 release the mklivestatus backend is included on
              delivery. It performs much better than all other existing backends and
              comes with less overhead than other backends. No additional database is


=====================================
docs/en_US/system_requirements.html
=====================================
@@ -19,7 +19,7 @@
         <p>MKLivestatus is an Event Broker Module for Nagios which serves a unix socket
             where third party addons like NagVis can connect to for gathering live status
             information in a very fast way.</p>
-        <p>You can get MKLivestatus from the <a href="http://www.mathias-kettner.de/checkmk_livestatus.html" target="_blank">official MKLivestatus Homepage</a>.</p>
+        <p>You can get MKLivestatus from the <a href="https://docs.checkmk.com/latest/en/livestatus.html" target="_blank">official MKLivestatus Homepage</a>.</p>
         
         <h2>Webserver with PHP support</h2>
         <p>NagVis is a web based application realised in Javascript and PHP. You need a webserver with PHP support to run NagVis. We recommend the usage of <a href="http://www.apache.org/" target="_blank">Apache Webserver</a> with <a href="http://www.apache.net/" target="_blank">mod_php</a>.</p>


=====================================
share/server/core/classes/CoreLogonMultisite.php
=====================================
@@ -135,6 +135,31 @@ class CoreLogonMultisite extends CoreLogonModule {
             throw new Exception();
         }
 
+        // Check session periods validity
+        $site = cfg('defaults', 'backend')[0];
+        $baseUrl = cfg('backend_' . $site . '_bi', 'base_url');
+        $headers = [
+            'Content-type: application/json',
+            'Accept: application/json',
+            "Cookie: $cookieName=$cookieValue",
+        ];
+
+        $url = $baseUrl . 'api/1.0/version';
+
+        $contextOptions = [
+            'http' => [
+                'method' => 'GET',
+                'header' => implode("\r\n", $headers),
+            ]
+        ];
+
+        $context = stream_context_create($contextOptions);
+        $result = file_get_contents($url, false, $context);
+        if ($result === false) {
+            throw new Exception();
+        }
+        
+
         return $username;
     }
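Review bot: the new check dereferences `cfg('defaults', 'backend')[0]` and reads `base_url` from `backend_<site>_bi`, so it silently assumes the first default backend is a Checkmk BI backend. Where it is not (a plain mklivestatus backend, say), `$baseUrl` is empty, `$url` becomes the relative string `api/1.0/version`, `file_get_contents()` fails and every login ends in the bare `throw new Exception()` with nothing in the log saying why; guard for a missing `base_url` and give the exception a message. The stream context sets no `timeout`, so an unreachable Checkmk site holds the login path for PHP's default socket timeout, and a non-2xx reply is detected only indirectly through the `false` return plus a PHP warning; adding `'timeout'` and `'ignore_errors' => true` to the `http` options and checking the status line in `$http_response_header` makes the fail-closed behaviour explicit and quiet. `$cookieValue` is interpolated into a raw header line, so confirm it has been rejected on CR/LF before this point. The comment "Check session periods validity" should also say what actually happens (the cookie is replayed against the Checkmk REST API `version` endpoint so Checkmk decides whether the session is still valid), and the hunk leaves a trailing-whitespace line plus a double blank before `return $username;`.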
 


=====================================
share/server/core/classes/GlobalBackendmklivestatus.php
=====================================
@@ -5,7 +5,7 @@
  *
  * Backend class for handling object and state information using the
  * livestatus NEB module. For mor information about CheckMK's Livestatus
- * Module please visit: http://mathias-kettner.de/checkmk_livestatus.html
+ * Module please visit: https://docs.checkmk.com/latest/en/livestatus.html
  *
  * Copyright (c) 2010 NagVis Project  (Contact: info at nagvis.org),
  *                    Mathias Kettner (Contact: mk at mathias-kettner.de)
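Review bot: the doc comment line directly above the edited URL still reads "For mor information" (and the second hunk in this file has the same typo); fix it to "For more information" while the neighbouring line is being touched.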
@@ -32,7 +32,7 @@
  * @author  Lars Michelsen  <lm at larsmichelsen.com>
  *
  * For mor information about CheckMK's Livestatus Module
- * please visit: http://mathias-kettner.de/checkmk_livestatus.html
+ * please visit: https://docs.checkmk.com/latest/en/livestatus.html
  */
 class GlobalBackendmklivestatus implements GlobalBackendInterface {
     private $backendId = '';


=====================================
share/server/core/classes/GlobalMainCfg.php
=====================================
@@ -179,7 +179,7 @@ class GlobalMainCfg {
                 'http_proxy' => array(
                     'must'    => 0,
                     'default' => null,
-                    'match'   => MATCH_STRING_URL,
+                    'match'   => MATCH_STRING_PROXY,
                 ),
                 'http_proxy_auth' => array(
                     'must'    => 0,
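Review bot: `http_proxy` is switched to MATCH_STRING_PROXY, whose scheme group `(tcp|udp|unix|udg|ssl|tls)` (see matches.php in this commit) does not list `http` or `https`; an `http://proxy:3128` value only matches because the pattern's character class now accepts `:` freely, so the new allowlist does not actually constrain this setting. Either add http/https to MATCH_ALLOWED_PROXY_SCHEMES or document why the proxy scheme is deliberately unconstrained.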


=====================================
share/server/core/defines/global.php
=====================================
@@ -23,7 +23,7 @@
  *****************************************************************************/
  
 // NagVis Version
-define('CONST_VERSION', '1.9.42');
+define('CONST_VERSION', '1.9.43');
 
 // Set PHP error handling to standard level
 // Different levels for php versions below 5.1 because PHP 5.1 reports


=====================================
share/server/core/defines/matches.php
=====================================
@@ -40,8 +40,11 @@ define('DISALLOWED_AUTHORISATION_PATHS', '(.*etc\/nagvis\/maps\/.*)');
 define('MATCH_STRING_PATH', '/^[0-9a-z\s_.\-\/\\\]+$/i');
 define('MATCH_STRING_PATH_AUTHORISATION', '/^(?!' . DISALLOWED_AUTHORISATION_PATHS . ')[0-9a-z\s_.\-\/\\\]+$/i');
 define('MATCH_ALLOWED_URL_SCHEMES', '(http|https)');
-define('MATCH_STRING_URL', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~\{\}]+$/i');
-define('MATCH_STRING_URL_EMPTY', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~]*$/i');
+define('MATCH_ALLOWED_PROXY_SCHEMES', '(tcp|udp|unix|udg|ssl|tls)');
+define('MATCH_PORT', '(?::[0-9]+)?');
+define('MATCH_STRING_PROXY', '/^(?:' . MATCH_ALLOWED_PROXY_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~\{\}:]+' . MATCH_PORT . '$/i');
+define('MATCH_STRING_URL', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~\{\}:]+' . MATCH_PORT . '$/i');
+define('MATCH_STRING_URL_EMPTY', '/^(?:' . MATCH_ALLOWED_URL_SCHEMES . ':)?[0-9a-z\s;|+[\]()=%?&_,.\-#@=\/\\\~:]*' . MATCH_PORT . '$/i');
 define('MATCH_GADGET_OPT', '/^[0-9a-z\s:+[\]()_.,\-&?!#@=\/\\\%]+$/i');
 define('MATCH_STRING_STYLE', '/^[0-9a-z:;\-+%#(),.]*$/i');
 define('MATCH_COORDS',       '/^(?:(?:[0-9]+)|([a-z0-9]+(?:%[+-][0-9]+)?))$/');
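Review bot: adding `:` to the free character class of MATCH_STRING_PROXY, MATCH_STRING_URL and MATCH_STRING_URL_EMPTY makes the scheme allowlists in front of them ineffective: the `(?:SCHEME:)?` group is optional, so a value with any other scheme now matches through the class alone, and the trailing `MATCH_PORT` is redundant because `:` and digits are already accepted by the class. For MATCH_STRING_URL this is a regression relative to the 1.9.42 XSS fixes: a value starting with `javascript:` (or any non-http scheme) failed this check before and passes it now, so wherever MATCH_STRING_URL guards a value that ends up in an `href`, the allowlist no longer protects it. Suggest keeping `:` out of the class and matching the port where it occurs: scheme group, optional `\/\/`, a host part, then `MATCH_PORT`, then the existing path class.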


=====================================
share/userfiles/templates/default.header.html
=====================================
@@ -152,7 +152,7 @@
         <span id="support-ddheader" onclick="ddMenuToggle(event, 'support')">{$langNeedHelp}</span>
         <ul id="support-ddcontent">
             <li><a target="_blank" href="{$pathBase}/docs/{$docLanguage}/index.html">{$langOnlineDoc}</a></li>
-            <li><a target="_blank" href="https://www.monitoring-portal.org/woltlab/index.php?board/42-nagvis/">{$langForum}</a></li>
+            <li><a target="_blank" href="https://forum.checkmk.com/">{$langForum}</a></li>
             <li><a target="_blank" href="{$pathBase}/frontend/nagvis-js/index.php?mod=Info" class="underline">{$langSupportInfo}</a></li>
         </ul>
     </li>



View it on GitLab: https://salsa.debian.org/nagios-team/nagvis/-/commit/1cb996192a0dfaf9a94d099cb4e997b95bea9a79
