5.5.7 - November 13, 2018
Security
- Fixed privilege escalation security vulnerability in MRTG graphing component by running as nagios user/group (thanks Daniel Sayk of Telekom Security) [TPS#13778] -JO
- Fixed security vulnerability with API key regeneration function allowing non-admins to regenerate other users’ API keys (thanks Chris Lyne of Tenable) [TPS#13780] -JO
- Fixed security vulnerability in BPI’s api_tool.php where the script could be accessed through the web server (thanks Chris Lyne of Tenable) [TPS#13780] -JO
- Fixed security vulnerability in command subsystem with some commands not being escaped properly (thanks Chris Lyne of Tenable) [TPS#13780] -JO
- Fixed security vulnerability in Auto Discovery component where some commands were not being escaped properly (thanks Chris Lyne of Tenable) [TPS#13780] -JO
- Fixed XSS security vulnerabilities in the interface (thanks Chris Lyne of Tenable) [TPS#13780] -JO
Fixed
- Fixed old lock file location in snapshots by restoring lock file setting on snapshot restore [TPS#13795] -JO
- Fixed Notes and Actions URL button links URL encoding in Host/Service Status pages [TPS#13802] -JO
- Fixed Core issue (#572) causing service recovery emails to be sent when an initial notification wasn’t sent. [TPS#13805] -SW
- Fixed Core issue (#575) where soft recovery states did not apply for services -JO
- Fixed issue in API where hostgroup/servicegroup scheduled downtime would not schedule service downtimes [TPS#13818] -JO
- Fixed BPI service group sync to not add empty service groups that cause an error on the screen [TPS#13777] -JO
- Fixed BPI issue with the processing of subgroups applied to multiple groups failing to set proper status [TPS#13816] -JO
Component Updates
Core Config Manager (CCM) 2.7.3
- Fixed issue with free variable escaping when CCM imports configuration files [TPS#13794] -JO
