-
Notifications
You must be signed in to change notification settings - Fork 0
/
RELEASENOTES
462 lines (345 loc) · 18.3 KB
/
RELEASENOTES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>
* * * Release notes for Xymon 4.3.25 * * *
<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>
This documents the important changes between Xymon releases, i.e.
changes you should be aware of when upgrading.
For a full list of changes and enhancements, please see the
Changes file.
Changes for 4.3.25
==================
Several security issues have been resolved relating to "config" messages
and Cross-Site-Scripting vulnerabilities in the web interface. We would
like to thank Markus Krell for reporting the following security issues
and for his assistance in working with us to resolve them.
(CVE-2016-2054) - Buffer overflow when handling "config" file requests.
(CVE-2016-2056) - Shell command injection vulnerability in useradm.sh
and chpasswd.sh.
(CVE-2016-2055) - Credential leakage with "config" file requests.
The default suggested location for htpasswd files used in securing the
CGI interface had been $XYMONHOME/etc/ and documentation did not mention
that this file should ONLY be readable by the apache/webserver user.
Administrators should verify this file is not readable by the xymon user
and modify ownership and permissions as needed. Additionally, the
following restrictions have been added to files requested via "config"
messages sent to xymond:
- They must be regular files as returned by stat (no symlinks)
- They must end in ".cfg"
The restriction on file names ending in ".cfg" can be overridden by setting
ALLOWALLCONFIGFILES="TRUE" in xymonserver.cfg and restarting xymond.
Note that config files are processed through normal xymon file reading,
so features such as "include" and "directory" still work when retrieving
files over the network. These included files are not subject to the same
restrictions.
(CVE-2016-2057) - The xymond feedback queue (or BFQ) had been being
created using insecure permissions, allowing any local user to write
messages into the queue. This has been resolved and the queue is now
created 0620 to the xymon user. If present xymond will attempt to
re-create it using the correct permissions, but this process may not
succeed on all OS's. Administrators should verify queue permissions
using ipcs and delete the key manually with ipcrm if needed.
(CVE-2016-2058) - Dynamic and historical status pages generated by the
CGI interface now include Content-Security-Policy headers to prevent
javascript execution from the payload of status messages themselves. The
built-in functionality can be overridden by setting XYMON_NOCSPHEADER in
xymonserver.cfg, if you wish to override this via an apache
configuration.
Additional changes:
A bug introduced in 4.3.22 that could cause xymond_alert to fail to
alert after seeing an unknown (newly added) host alert for the
first time has been fixed. Additionally, xymond_alert now regularly
reloads the hosts.cfg file to pick up changes.
The "Actual" memory value on Windows systems will be reported
more accurately. (Thanks, John Rothlisberger)
A trends_header and trends_footer have been added in the /web/
templates directory for use on trends display pages.
The xymonclient.cfg file now has a section for passing options
to xymond_client and logfetch without having to edit the script.
The logfetch command now accepts --noexec as an option to inhibit
running commands from the client config used to list files to scan
for messages.
The logfetch command can use a file glob(7) in client-local.cfg (or
localclient.cfg) indicated by angle brackets. This is more efficient
and more secure than executing an `ls` command when matching known
file or log patterns.
The xymon.sh script now better matches LSB exit code expectations.
The --processor argument to xymond_rrd, allowing RRD data (ie, metrics)
to be easily sent to an external system such as OpenTSDB has been
properly documented.
All users of previous versions are strongly urged to upgrade.
Changes for 4.3.24
==================
Fixes a bug introduced in 4.3.22 where the non-excepted HTTP status
codes were always seen as Critical instead of OK/Warning as intended.
All users are urged to upgrade.
Changes for 4.3.23
==================
Fixes a bug in 4.3.22 where RRD tracking of number of matching processes or
ports open on a client was not being performed.
Changes for 4.3.22
==================
The default rules for HTTP response codes have been simplified and made more
generic:
1xx = Warning (when the final code received)
2xx = OK
3xx = Warning (except 302/303/307 = OK)
4xx = Critical
5xx = Critical
The specific changes from previous versions are:
- 401 and 403 response codes are now considered Critical (were OK)
- 301 Permanent Redirect response code is now considered a Warning (was OK)
- "Extended" or new HTTP status codes in the 4xx and 5xx range
are now considered Critical (unknown codes were previously a Warning)
In the case of 301, 401, and 403 HTTP codes, if you're expecting to receive
this HTTP status from a URL query, you should add the code explicitly to
the check by using the "httpstatus" syntax (see hosts.cfg(5)).
Basic HTTP Authentication is supported for testing logins to a site.
*** Special note: Many vendor-supplied default "Welcome" pages on unconfigured
apache servers are actually generated by a 403 error handler. Generically
testing for these pages will now show a red status instead of a green one. To
fix, simply place an index.html page at the root of the site so that 403's are
not generated.
The 'sslcert' test will now indicate the signature algorithm and cipher
that was actually used in the connection, instead of a list of all ciphers.
Use --showallciphers to restore the previous behavior.
On new installs, the default apache configuration no longer requires a trailing
slash when accessing the xymon pages. http://www.example.com/xymon will work.
NTPDATEOPTS, FPINGOPTS, and TRACEROUTEOPTS variables are now present in
xymonserver.cfg and will override the default options for the associated
xymonnet calls.
Note: The suggested options to 'traceroute' were never actually used as
the default on a standard installation. In a future release,
'-n -q 2 -w 2 -m 15' may be used unless overridden or otherwise specified.
Darwin clients (Mac OS X) now exclude AFS and read-only volumes (which are
usually just mounted disk images) from processing, properly handle volumes with
spaces in their names, and correctly process inode details.
A chpasswd.sh file is now provided which allows a logged-in user to
change their own .htpasswd password (after verification). Because it
verifies their existing password first, it requires the '-v' option to
htpasswd, which is only available in Apache 2.4.5 or higher.
By default, it is installed in the /xymon-seccgi/ directory, but can be
moved to the /xymon-cgi/ directory to allow all users to change their
password. Basic input validation is provided, but this CGI should be
used with caution and only with relatively-trusted user bases.
xymongen used to skip over host groups on pages when it calcuated that
there were no test results to be displayed in that table. These groups are
now displayed, but you can restore the previous behavior by passing it
the --no-showemptygroups option.
Changes for 4.3.21
==================
RSS feeds should now display the short description of the event again.
Changes for 4.3.20
==================
Remote summaries display had been broken for a while but should now be working
again. Summaries are now also displayed on the nongreen.html page
The "Actual Used" memory figure on recent Linux kernels is now taken from
the "Available" memory reported back from free (or /proc/meminfo), which should
give a more accurate response. Physical Memory Used is still reported as the
combination of Kernel Physical Use + buffers/cache, however this may change in
a future release.
Documentation for various directives in hosts.cfg(5) has been added
pulldata=IP:PORT directives are honored, if the defaults for the host are
incorrect
cgiwrap is now installed via hardlinking (or as packaged); FollowSymLinks
is no longer needed for the xymon cgi-bin directories and can be removed.
Planned downtime settings are now applied to 'purple' statuses as well
http checks can now be performed using a HEAD request if desired.
Which RRD graphs are displayed on a status page can now be customized on
a per-test basis through the use of environment variables. For example,
GRAPHS_cpu="la,vmstat1" will cause an additional graph to be shown on
cpu tests. (Submitted by Werner Maier)
A new column will be displayed on all xymon pages allowing direct access
to a server's raw clientlog (similar to the special info and trends columns).
This can be disabled with a "noclient" tag in hosts.cfg
Additional sample protocols.cfg services are present, for svn, amqp(s) and
ircd. (Note that different ircd servers respond differently and the included
protocol conversation may require modification to work on your server.)
Changes for 4.3.19
==================
This is mostly a bugfix release (see the Changes file for a full list),
but there are some enhancements:
Apache 2.4 syntax is now supported by the sample xymon.conf file.
EXTIME= syntax in analysis.cfg and alerts.cfg files is now supported.
Note that this exclusion is applied *after* any normal TIME=
specifiers. (If a TIME= modifier is present, then times outside of
that range are already excluded.)
An Acknowledgements report CGI is now available, similar to
the Notifications report. (Thanks, Andy Smith)
Client logs with multiple trigger lines found are guaranteed to have all
the sections returned, even if this exceeds the "maxbytes" specified (up to
the compiled-in limit). Additionally, the "current" location of new log
data written since the last time xymonclient was run is now marked for
reference. (Thanks, Franco Gasperino)
A new "deltacount" option is available in client-local.cfg. It functions
similarly to "linecount" for a given log: entry, but only counts matching
lines written in the log file since the last run.
Additional filtration options are available for the xymondboard command,
including the full body of the message, and acknoweldgement and disable
comments. Also, inequalities can be used to filter an epoch timestamp
against any of: lastchange, logtime, validtime, acktime, or disabletime.
See the xymon(1) man page for details.
The process list visible in the 'procs' test of Linux and FreeBSD clients
is now generated in ASCII "forest" mode for increased legibility.
Changes for 4.3.18
==================
4.3.18 fixes a buffer overflow vulnerability in the acknowledge.cgi
script (CVE-2015-1430). All users are encouraged to upgrade.
Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.
In previous versions, the Xymon web CGI programs were run through
a shell-script wrapper, which took care of setting up the environment
for the Xymon programs. In light of the bash 'Shell shock' bug, this
is no longer the case. Instead, a binary 'cgiwrap' utility is used
to load the xymonserver.cfg and cgioptions.cfg files before invoking
the CGI programs. This means that the cgioptions.cfg file is no longer
parsed as a shell script, so if you rely on this then it will no
longer work. In that case you must replace the symlink(s) in
xymon/cgi-bin/ with shell script wrappers which source the
cgioptions.cfg file.
Changes for 4.3.15 - 4.3.17
===========================
No significant changes.
Changes for 4.3.14
==================
In previous Xymon versions, a client-only configuration (i.e. one
configured with "./configure --client") would place the client
files in a "client" subdirectory below the directory specified
during configuration. This is the same directory layout as a server
installation, where the server and client parts of Xymon are
in separate subdirectories.
In 4.3.14, the default has changed so a client-only installation
now installs in the directory given during the configure-step.
The "/client" has been eliminated, so if you are upgrading an
existing client you must either move the old client installation
one level up from the "client/" directory, or change the Makefile
generated by "configure --client" and add "/client" to the
XYMONTOPDIR setting.
The SNI support added in 4.3.13 causes problems with some older
webservers, whose SSL implementation cannot handshake correctly
when SNI is used. The failed handshake causes Xymon to report
the site as down. In 4.3.14, the default is changed so SNI is
disabled. A new "--sni" option was added to xymonnet to control the
default setting, and two new tags "sni" and "nosni" can be used in
hosts.cfg to control SNI for each host that is tested.
Changes for 4.3.13
==================
This is mostly a bugfix release. Apart from simple bugs (see
the Changes file), there are some enhancements:
Alerts sent via e-mail have <CR><NL> line-endings converted
to plain <NL>, since the carriage-return characters would
cause some mailers to send alerts as a (binary) attachment
to an empty mail message.
https-URL's can be forced to use TLS only, by using
"httpst://..." similar to how SSLv2 and SSLv3 can be chosen.
SSL connections (e.g. for https URL's) now use the TLS
"Server Name Indication" (SNI) if your OpenSSL library
supports it. This allows testing of systems that have
multiple SSL websites located on the same physical IP+port
(i.e. virtual name-based hosts).
Changes for 4.3.12
==================
NOTE: This release includes a bugfix for a security issue
in the xymond_history and xymond_rrd modules. A "drophost"
command sent to the xymond port (default: 1984) from an IP
listed in the --admin-senders access control list can be
used to delete files owned by the user running the xymond
daemon. This is allowed by default, so it is highly recommended
to install this update.
Changes for 4.3.2 - 4.3.11
==========================
See the Changes file for a list of significant changes.
These releases are mostly to fix bugs.
NOTE: Some configuration parameters have changed, so you must
regenerate the top-level Makefile by running the "configure"
script before compiling the new version.
The inode-check introduced in 4.3.8 and 4.3.10 requires
that you update both the Xymon server installation and the
Xymon client on the systems where you want to monitor how
many inodes are being used.
Changes for 4.3.1
==================
This is a SECURITY BUG FIX release, resolving a number of
potential cross-site scripting vulnerabilities in the Xymon
web interface.
Thanks to David Ferrest who reported these to me.
Changes for 4.3.0
==================
IMPORTANT: Most files and internals in Xymon have been renamed
with the 4.3.0-beta3 release. If you are upgrading from a
version prior to 4.3.0-beta3, you MUST read the file
docs/upgrade-to-430.txt and make sure you follow the steps
outlined here. That also applies if you are upgrading from
4.3.0-beta2.
Xymon 4.3.0 is the first release with new features after
the 4.2.0 release. Several large changes have been made
throughout the entire codebase. Some highlights (see
the Changes file for a longer list):
* Data going into graphs can now be used to alter a status,
e.g. to trigger an alert from the response time of a network
service.
* Tasks in xymonlaunch can be be configured to run at specific
time of day using a cron-style syntax for when they must run.
* Worker modules (RRD, client-data parsers etc) can operate on
remote hosts from the xymond daemon, for load-sharing.
* Support for defining holidays as non-working days in alerts and
SLA calculations.
* Hosts which appear on multiple pages in the web display can
use any page they are on in the alerting rules and elsewhere.
* Various new network tests: SOAP-over-HTTP, HTTP tests with
session cookies, SSL minimum encryption strength test.
* New "compact" status display can group multiple statuses into
one on the webpage display.
* Configurable periods for graphs on the trends page.
* RRD files can be configured to maintain more data and/or
different data (e.g. MAX/MIN values)
* SLA calculations now include the number of outages in addition
to the down-time.
* Solaris client now uses "swap -l" to determine swap-space
usage, which gives very different results from the previous
"swap -s" data. So your Solaris hosts will appear to change
swap-utilisation when the Xymon client is upgraded.
TRACKMAX feature removed
------------------------
For users of the TRACKMAX feature present in 4.2.2 and
later 4.2.x releases: This feature has been dropped. Instead,
you should add a definition for the tests that you want to track
max-values for to the rrddefinitions.cfg file. E.g. to
track max-values for the "mytest" status column:
[mytest]
RRA:MAX:0.5:1:576
RRA:MAX:0.5:6:576
RRA:MAX:0.5:24:576
RRA:MAX:0.5:288:576
Changed behaviour of http testing via proxy
-------------------------------------------
The Big Brother behaviour of allowing you to specify an http
(web) proxy as part of the URL in a test has been disabled
by default, since it interferes with URL's that contain
another URL as part of the URL path. If you need the Big Brother
behaviour, add "--bb-proxy-syntax" to your invocations of
bbtest-net.
BBGHOSTS setting removed
------------------------
Setting BBGHOSTS in the xymonserver.cfg file no longer has any
effect. Instead, you must use the "--ghosts" option for hobbitd.
The default ghost handling has also been changed from "ignore"
to "log".
xymonproxy: Alert support for Big Brother servers removed
---------------------------------------------------------
The xymonproxy tool no longer supports forwarding "page"
messages. This means that if you are forwarding messages
from an old Big Brother client to a Big Brother server
that is sending out alerts, then these alerts will be
dropped. Status updates will be forwarded, only alerts
triggered from the Big Brother server are affected.
Webpage menu: New menu code
---------------------------
The Javascript-based menu code ("Tigra") has been replaced
with a menu based on CSS/HTML4. This means that any menu
customization will have to be manually transferred to the
new menu definition file, ~xymon/server/etc/xymonmenu.cfg.
The new menu-system is known NOT to work with Internet
Explorer 6 (IE 7 and newer are fine). If you must have a
menu system that works with the ancient browsers, then the
old Tigra menu can be downloaded from
http://xymon.svn.sourceforge.net/viewvc/xymon/sandbox/tigramenu/?view=tar
together with instructions for using it with Xymon 4.3.0.