5.8.5

Security

  • Fixed SQL injection vulnerability in Bulk Modifications Tool for some single config option types -JO
  • Fixed post-auth RCE in autodiscovery due to path traversal issue in job id -JO
  • Fixed possible security issue in Nagios Mobile authentication where it would not exit/quit after redirecting unauthenticated users -JO
  • Fixed redirection vulnerability in login redirect URL for some styles of URLs -JO
  • Fixed vulnerability with xi-sys.cfg being imported from the var directory for some scripts with elevated permissions -JO
  • Fixed insecure permissions on migrate.php and repairmysql.sh file (thanks Ben Leonard-Lagarde (Modux) & Lucas Fedyniak-Hopes (Modux)) (CVE-2021-36363, CVE-2021-36365) -JO
  • Fixed security issue with backup_xi.sh and manage_services.sh allowing using wildcards (thanks Ben Leonard-Lagarde (Modux) & Lucas Fedyniak-Hopes (Modux)) (CVE-2021-36364, CVE-2021-36366) -JO

Fixed

  • Fixed issue where critical or warning values in certain disk space metrics were rendered as green. -PhW
  • Fixed password email going out when AD/LDAP user is created without local password auth [TPS#15547] -JO
  • Fixed failed backup email sent when running a manual local backup [TPS#15546] -JO
  • Fixed timezone for Istanbul in utils-time.inc.php [TPS#15532] -JO
  • Fixed longserviceoutput macro not properly converting newlines to breaks in HTML email notifications [TPS#15537] -JO
  • Fixed issue when generating PDFs (and auth tokens in general) on usernames with uppercase letters in them [TPS#15542] -JO
  • Fixed display issue of host/service notes where double quotes were not displayed correctly [TPS#15543] -JO
  • Fixed issue with index.php page value not being properly validated before being passed to display page function -JO
  • Fixed issue where AD/LDAP wouldn’t search in base directory [TPS#15495] -JO
  • Fixed empty XML output when outputtype=xml for hostgroup/servicegroup API endpoints when there are no groups -JO
  • Fixed issue with manage_services.sh and restarting php-fpm on EL8 systems -JO
  • Fixed issue with Nagios Mobile not verifying a comment is set for scheduled downtime or acknowledge -JO

Added

  • Added extra folder name sanitization to the getprofile.sh script to make it more secure -JO

Component Updates

Core Config Manager (CCM) 3.1.3

  • Fixed SQL injection from improper escaping of values in search text -JO
  • Fixed timeperiod template name adding _copy_x to the template name even if empty which caused errors [TPS#15550] -JO

NDOUtils (NDO) 3.0.7

  • Added option “log_failed_queries” to ndo.cfg. Set this to 0 to disable failed query logging -SAW
  • Fixed issue where nagios_objects.name2 would occasionally be set to NULL -SAW
  • Fixed issue where leftover comments and other objects would cause hosts and services to continue showing in the database after deletion. [TPS#15549] -SAW
  • Widened all text columns significantly -SAW