######################## Nagios Core 4 Change Log ######################## 4.3.4 - 2017-08-24 ------------------ * Improved config file parsing (Mark Felder) * Fixed configure script to check for existence of /run for lock file (in regards to CVE-2017-12847, Bryan Heden) * Use absolute paths when deleting check results files (Emmanuel Dreyfus) * Add sanity checking in reassign_worker (sq5bpf) 4.3.3 - 2017-08-12 ------------------ * xodtemplate.c wrong option-deprecation code warning (alex2grad / John Frickson) * On-demand host check always use cached host state (John Frickson) * 'á' causes Serivce Status Information to not be displayed (John Frickson) * New Macro(s) to generate URL for host / service object (John Frickson) * Fix minor map issues (Troy Lea) * Fix lockfile issues (Bryan Heden) * Switch order of daemon_init and drop_priveleges (CVE-2017-12847, Bryan Heden) * Add an OpenRC init script (Michael Orlitzky) 4.3.2 - 2017-05-09 ------------------ FIXED * Every 15sec /var/log/messages is flooded with "nagios: set_environment_var" (John Frickson) * Changed release date to ISO format (yyyy-mm-dd) (John Frickson) * `make all` fails if unzip is not installed (John Frickson) * Quick Search no longer allows search by Alias (John Frickson) * flexible downtime on a service immediately turns off notifications (John Frickson) * Fix to allow url_encode to be called twice (Z. Liu) * Update timeperiods.cfg.in (spelling) (Parth Laxmikant Kolekar) * Spelling fixes (Josh Soref) * Vent command pipe before remove to avoid deadlocks on writing end (Kai Kunstmann) * CGI utility cgiutil.c does not process relative config file path names properly (John Frickson) * xdata/xodtemplate.c bug in option-deprecation code (John Frickson) * Wildcard searching causes service status links to not work properly (John Frickson) * Quick search with no hits shows a permission denied error (John Frickson) * Setting a service as its own parent is not caught by the sanity checker (-v) and causes a segfault (John Frickson) 4.3.1 - 2017-02-23 ------------------ FIXES * Service hard state generation and host hard or soft down status (John Frickson) * Comments are duplicated through Nagios reload (John Frickson) * host hourly value is incorrectly dumped as json boolean (John Frickson) * Bug - Quick Search no longer allows search by IP (John Frickson) * Config: status_update_interval can not be set to 1 (John Frickson) * Check attempts not increasing if nagios is reloaded (John Frickson) * nagios hangs on reload while sending external command to cmd file (John Frickson) * Feature Request: return code xxx out of bounds - include message as well (John Frickson) 4.3.0 - 2017-02-21 ------------------ SECURITY FIXES * Fix for CVE-2016-6209 - The "corewindow" parameter (as in http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by default. See the UPGRADING document for how to enable it. (John Frickson) FIXES * Fix early event scheduling (pmalek / John Frickson) * on-demand host checks triggered by service checks cause attempt number increments (fredericve) * Service notification not being send when host is in soft down state (John Frickson) * configure does not error if no perl installed on CentOS 7 (John Frickson) * failed passive requests leave .ok files in checkresults dir (caronc) * Services don't show in status.cgi if "noheader" specified (John Frickson) * Standardized check interval config file names (John Frickson) * "Event Log" (showlog.cgi) could not open log file (John Frickson) * "nagios_check_command" has been deprecated since v3.0. Last vestiges removed (John Frickson) ENHANCEMENTS * Added new flag to cgi.cfg: tac_cgi_hard_only to show only HARD states (John Frickson) * Add broker-event for the end of a timed event (NEBTYPE_TIMEDEVENT_END) (John Frickson) * There is no Macro to retrieve addresses of hostgroup members (now $HOSTGROUPMEMBERADDRESSES$) (John Frickson) * Add "Page Tour" videos to several of the core web pages (John Frickson) * Added a login page, and a `Logoff` links (John Frickson) * On the status map, the host name will be colored if services are not all OK. (John Frickson) * Added "Clear flapping state" command on host and services detail pages. (John Frickson) * User-entered comment now displays below generated comment for downtime (John Frickson) 4.2.4 - 2016-12-07 ------------------ SECURITY FIXES * Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com). 4.2.3 - 2016-11-21 ------------------- SECURITY FIXES * Fixed a root privilege escalation (CVE-2016-8641) (John Frickson) FIXES * external command during reload doesn't work (John Frickson) * Nagios provides no error condition as to why it fails on the verify for serviceescalation (John Frickson) * No root group in FreeBSD and Apple OS X (John Frickson) * jsonquery.html doesn't display scheduled_time_ok correctly (John Frickson) * daemon_dumps_core=1 has no effect on Linux when Nagios started as root (John Frickson) * Configuration check in hostgroup - misspelled hostname does not error (John Frickson) * contacts or contact_groups directive with no value should not be allowed (John Frickson) * Compile 64-bit on SPARC produces LD error (John Frickson) * HOSTSTATEID returns 0 even if host does not exist (John Frickson) * Submitting UNREACHABLE passive result for host sets it as DOWN if the host has no parents (John Frickson) * nagios: job XX (pid=YY): read() returned error 11 (changed from LOG_ERR to LOG_NOTICE) (John Frickson) * Fix for quick search not showing services if wildcard used (John Frickson) 4.2.2 - 2016-10-24 ------------------ SECURITY FIXES * There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on August 1, 2016. The fix was apparently incomplete, as there was still a problem. However, we are now getting all RSS feeds using AJAX calls instead of the (outdated) MagpieRSS package. Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com). ENHANCEMENTS * Update status.c to display passive check icon for hosts when passive checks are enabled and actives disabled (John Frickson) FIXES * Fix permissions for Host Groups reports (status.cgi) (Patrik Halfar) * Service Parents does not appear to be functioning as intended (lev) * Availability report mixes up scheduled and unscheduled warning percentages (Helmut Mikulcik) * Invalid values for saved_stamp in compute_subject_downtime_times() (John Frickson) * Remove deprecated "framespacing" (John Frickson) * The nagios tarball contains two identical jquery copies (John Frickson) * extinfo.cgi does not set content-type (most cgi's don't) (John Frickson) * Timeperiods are corrupted by external command CHANGE_SVC_CHECK_TIMEPERIOD (xoubih) * Quick search doesn't show hosts without services (service status detail page) (John Frickson) * In host/services details view, if exactly 100 entries would not show last one (John Frickson) * nagios host URL parameter for NEW map doesn`t work - Network Map for All Hosts (John Frickson) * next_problem_id is improperly initialized (gherteg) * Passive problems not showing as "unhandled" (John Frickson) * September reported as Sept instead of Sep (Rostislav Opočenský) * Notifications are not sent for active alerts after scheduled downtime ends (John Frickson) * Nagios 4.2.0 not working on Solaris (John Frickson) * install-exfoliation and install-classicui don't work FreeBSD and Mac OS X (John Frickson) * Updated makefile to delete some no-longer-needed files (John Frickson) 4.2.1 - 2016-09-06 ------------------ FIXES * Fix undefined variable php error (John Frickson) * Links on the sidebar menu under 'Problems' are indented too far (John Frickson) * Using $ARGn$ Macros in perfdata (John Frickson) * using a wildcard in search returns service status total all zero's (John Frickson) * read_only does not take priority (deppy) * Running nagios -v on 4.2.0 takes 90+ seconds (John Frickson) * Bare "make" invoked in subtarget (mjo) * Theme images/stylesheets installed with inconsistent permissions (mjo / John Frickson) * Missing Image for Host and Service State Trends in Availability Report (nichokap / John Frickson) * Maintain non-persistent comments through reload (John Frickson) * Servicegroup availability report ignores includesoftstates in service report links (PriceChild) * error: format not a string literal and no format arguments (Karsten Weiss) * Synced config.guess and config.sub with GNU (Zakhar Kleyman) 4.2.0 - 2016-08-01 ------------------ SECURITY FIXES * Fixed vulnerability CVE-2008-4796 (John Frickson) * Fixed vulnerability CVE-2013-4214 (John Frickson) * web interface vulnerable to Cross-Site Request Forgery attacks (John Frickson) ENHANCEMENTS * Increase socket queue length for listen() * Added host name to the website page title (leres / John Frickson) * Added additional icons for NetBSD and SuSE (John Frickson) * The new Status Map will now use cgi.cfg options (John Frickson) default_statusmap_layout will default to "6" for the new map * The new Status Map will now show some valid values in the popup for "Nagios Process" (John Frickson) FIXES * Network outage view without access to all hosts (John Frickson) * Core workers looping (John Frickson) * service query returns duplicate host_name and description fields in the returned data (John Frickson) * HTML output of plug-ins is parsed in wrong way => webgui unusable (John Frickson) * Command worker fails to handle SIGPIPE * "View Status" links under "Map" broken in Nagios Core Version 4.1.1 (John Frickson) * Can't send big buffer - wproc: Core Worker seems to be choked (velripn / John Frickson) * Too big CPU load on FreeBSD and other systems using poll() interface (cejkar) * Flexible downtime recorded as unscheduled downtime (John Frickson) * Service Flexible downtimes produce 1 notification before entering (John Frickson) * Once you "set flap_detection_enabled 0" it should remove flapping state from the host/services page (John Frickson) * New map doesn't finish loading if a logo image is not found (John Frickson) * Extraneous Div end tag in map.html (Scott Wilkerson) * Issue with "Problems" section (John Frickson) * Status Map icons and online/offline status dots disappear in IE11 (John Frickson) * New network map overlays the nagios process with objects (John Frickson) * Added Default-Start and Default-Stop to the init script (John Frickson) * Compile / logging issues with BSD 6 * Related to above, Fixed a lot of incorrectly handled time_t's in *printf's (John Frickson) * New map not working for RU locale (actually, most locales) (John Frickson) * Replaced all instances of signal() with sigaction() + blocking (John Frickson) * UTF-8 characters like german ä are not processed properly by function url_encode (John Frickson) * nagios worker processes can hog CPU (huxley / John Frickson) * custom time periods that include special characters were not being handled in reports (John Frickson) * Fixed init script to wait up to 90 seconds then kill the nagios process (John Frickson) * No Host Groups results in wrong error message (John Frickson) * Setup Nagios users to view specific host is not working in the new network map (John Frickson) * statusjson.cgi fails glibc realloc truncate response output (John Frickson) * Report Time Period does not work if an @ character is in the timeperiod name (John Frickson) * State History does not use actual plugin long_output (John Frickson) * Time period corruption (xoubih) * Tactical Overview - Disabled Flap Detection Link (John Frickson) 4.1.1 - 08/19/2015 ------------------ FIXES * CGI Could not read object configuration data (broken by error in 4.1.0) * exclude (!) not working (broken by mis-applied fix for 4.1.0) 4.1.0 - 08/18/2015 ------------------ ENHANCEMENTS * Promoted JSON CGIs to released status (Eric Stanley) * New graphical CGI displays: statusmap, trends, histogram (Eric Stanley) * Make sticky status for acks and comments configurable enhancement #20 (Trevor McDonald / Scott Wilkerson) * Add host_down_disable_service_checks directive to nagios.cfg #44 (Trevor McDonald / Scott Wilkerson) * httpd.conf doesn't support Apache versions > 2.3 (DanielB / John Frickson) FIXES * Fix for not all service dependencies created (John Frickson) * Fix SIGSEGV with empty custom variable (orbis / John Frickson) * Fix contact macros in environment variables (dvoryanchikov) * Fixed host's current attempt goes to 1 after going to hard state (John Frickson) * Fixed two bugs/problems: Replace use of %zd in base/utils.c & incorrect va_start() in cgi/jsonutils.c (Peter Eriksson) * Fixed: Let remove_specialized actually remove all workers (Phil Mayers) * Fixed log file spam caused when using perfdata command directives in nagios.cfg (shashikanthbussa) * Fixed off-by-one error in bounds check leads to segfault (Phil Mayers) * Added links for legacy graphical displays (Eric Stanley) * Update embedded URL's to https versions of Nagios websites (scottwilkerson) * Fixed doxygen comments to work with latest doxygen 1.8.9.1 #30 (Trevor McDonald) * Fixed makefile target "html" to PHONY to fix GitHub issue #28 (Trevor McDonald) * Fixed typo as per GitHub issue #27 (Trevor McDonald) * Fixed jsonquery.php 404 not found error, and disabled Send Query button until form populates #43 (Scott Wilkerson) * Fixed linking in Tactical Overview for several of the Host entries in Featured section #48 (Scott Wilkerson) * Fixed passing limit and sort options to pagination and sort links #42 (Scott Wilkerson) * Added form field for icon URL and clean-up when it changes in CGI Status Map. (Eric Stanley) * Added options to cgi.cfg to uncheck sticky and send when acknowledging a problem (Trevor McDonald) * Low impact changes to automate the generation of RPMs from nagios.spec file. (T.J. Yang) * Update index.php (Trevor McDonald) * Fixed escaping of corewindow parameter to account for possible XSS injection (Scott Wilkerson) * Typo correction (T.J. Yang) * Make getCoreStatus respect cgi_base_url (Moritz Schlarb) * Adjusted map layout to work within frames (Eric Stanley) * Fixed map displays are now the full size of browser window (Eric Stanley) * Fixed labels and icons on circular markup no longer scale on zoom (Eric Stanley) * Got all maps except circular markup working with icons (Eric Stanley) * Fixes to make legacy CGIs work again. (Eric Stanley) * Fixes to make all/html target tolerant of being run multiple times (Eric Stanley) * For user-supplied maps, converted node group to have transform (Eric Stanley) * Fixed issue transitioning from circular markup map to other maps (Eric Stanley) * Fix displayForm to trigger on the button press (Scott Wilkerson) * Fix fo getBBox crash on Firefox (Eric Stanley) * Fixed map now resets zoom when form apply()'d (Eric Stanley) * Fixed so close box on dialogs actually closes dialog (Eric Stanley) * Corrected directive in trends display (Eric Stanley) * Fixed minor issue with link in trends links (Eric Stanley) * Fixed issue with map displaying on Firefox (Eric Stanley) * Added exclusions for ctags generation (Eric Stanley) * Update map-popup.html (Scott Wilkerson) * Initial commit of new graphical CGIs (Eric Stanley) * Fixed Github bug #18 - archivejson.cgi returns wrong host for state change query (Eric Stanley) * Status JSON: Added next_check to service details (Eric Stanley) * Fixed escaping of keys for scalar values in JSON CGIs (Eric Stanley) * build: Include if it exists. (Eric J. Mislivec) * lib-tests: test-io{cache|broker} need -lsocket to link. (Eric J. Mislivec) * lib-tests: test-runcmd assumes GNU echo. (Eric J. Mislivec) * lib-tests: Signal handlers don't return int on most platforms, and using a cast was the wrong way to resolve this. (Eric J. Mislivec) * Fix some type/format mismatch warnings for pid_t. (Eric J. Mislivec) * Fix build on Solaris. (Eric J. Mislivec) * runcmd: Fix build when we don't HAVE_SETENV. (Eric J. Mislivec) * Fixed checkresult output processing (Eric Mislivec) * Corrected escaping of long output macros (Eric Mislivec) * Fixed null pointer dereferences in archive JSON (Eric Stanley) * Fixed memory overwrite issue in JSON string escaping (Eric Stanley) * JSON CGI: Now escaping object and array keys (Eric Stanley) KNOWN ISSUES * New map does not account for multiple parents, leaving "legacy" map as an option in the menu 4.0.8 - 08/12/2014 ------------------ ENHANCEMENTS * Removed 8 kB string size limitation in JSON CGIs (Eric Stanley) * Re-implemented auto-rescheduling of checks (Eric Mislivec) * Avoid bunching of checks delayed due to timeperiod constraints (Eric Stanley) * Limit the number of autocalculated core workers to not spawn too many on large systems (Eric Mislivec, Janice Singh) FIXES * Removed quotes from numeric duration values in JSON CGIs (Eric Stanley) * Fixed escaping in JSON CGIs so all required characters are escaped, and in the correct order (Eric Stanley) * Fixed segfault in archive JSON CGI when plugin output was empty (Eric Stanley) * Fixed several possibilities for buffer overflow (Eric Mislivec, Dirkjan Bussink) * Fixed Tracker #582, #626: Handle VAR=VAL assignments at the start of simple commands (Eric Mislivec, Phil Randal) * Fixed Tracker #630: Recognize '<' and '>' as redirection operators (Eric Mislivec) * Corrected worker communication protocol documentation (Phil Mayers) * Fixed init script to leave config test log in a better location, let sysconfig override init script variables, and not remove nagios.cmd when attempting to start with another instance running (Eric Mislivec, Robin Kearney) * Fixed Tracker #361: Downtime notifications not displayed properly (Andrew Widdersheim) 4.0.7 - 06/03/2014 ------------------ ENHANCEMENTS * Added value of custom variables to Object JSON output for hosts, services and contacts (Eric Stanley) FIXES * Fixed bug #616: Unescape plugin output read from checkresult files, fix multiline perf data concatenation, and avoid extra memory allocation and copies. (Eric Mislivec) * Fixed bug #609: Image on home page doesn't have correct image path prefix. (Derek Brewer) * Fixed bug #608: Extra newline in service check timeout output string. (Mauno Pihelgas) * Fixed bug #596: Crashes checking contact authorization for host escalations. (Alexey Dvoryanchikov - duplicates #590, #586) * Fixed bug #496: Syntax error in exfoliation's common.css. (Karsten Weiss) 4.0.6 - 04/29/2014 ------------------ ENHANCEMENTS * Added name of authenticated user to JSON CGI results object (Eric Stanley) * Added Nagios Core version to the Status JSON CGI programstatus query (Eric Stanley) * Added daemon status to main page (Eric Mislivec) FIXES * Fixed bug #600: Service Check Timeout State always returns OK (0) status (Mauno Pihelgas, Eric Stanley) * Fixed bug #583: Status Check Output of (No output on stdout) stderr: (Eric Stanley - duplicate of bug #573) * Fixed bug #573: Service checks returns (No output on stdout) stderr (Eric Stanley) * Fixed bug #438: Reloads during downtime causes wrong availability calculations (Eric Stanley) * Fixed feed updates when daemon can not access external networks (Eric Mislivec) * Archive JSON: Fixed bugs calculating availability (Eric Stanley) * Archive JSON: Allow missing logs to be skipped (Eric Stanley) 4.0.5 - 04/11/2014 ------------------ * Fixed bug #595: Nagios 4 security fix (Alexey Dvoryanchikov, Eric Stanley) * Fixed bug #594: Nagios 4 fix contactgroups parsing (Alexey Dvoryanchikov, Eric Stanley) * Fixed bug #577: Nagios 4 checks stalled when write to socket failed (Alexey Dvoryanchikov) * Fixed bug #580: Nagios 4 memory leak (Eric Stanley) * Fixed init script to remove the switching of users when performing configuration verification which was causing failures if nagios user was set to nologin (Scott Wilkerson) * Fixed auto creation of RAMDISK via environment variables in init script to properly check existence using $RAMDISK_DIR environment variable. (Scott Wilkerson) * Fixed unreferenced variable NagiosVarDir in daemon-init (Eric Mislivec) * Fixed bug where audio alerts wouldn't work with a 0 height and width - https://support.nagios.com/forum/viewtopic.php?t=26387 (Scott Wilkerson) 4.0.4 - 03/14/2014 ------------------ ENHANCEMENTS * JSON CGIs moved to beta status (Eric Stanley) FIXES * Fixed bug #491,#553: Rebuilt the daemon-init scripts back to something that should work on all systems (Scott Wilkerson) 4.0.3 - 02/28/2014 ------------------ ENHANCEMENTS * Aliased hourly_value to importance and minimum_value to minimum_importance and deprecated the former (Eric Stanley) * Added host and service importance macros (Eric Stanley) * Added notifications on flexible downtime expiration (Dan Wittenberg) FIXES * Bug #548: Temporary fix that rejects all external command during restart to prevent Core from crashing (Eric Stanley) * Corrected calculation of host importance and importance defaults (Eric Stanley) * Fixed bug #498: Nagios 4 enable_environment_macros=1 not working (Eric Stanley, Alexey Dvoryanchikov) * No longer checks whether logs can be written when verifying configuration (Eric Stanley) * Fixed CGI bug where the CGI could read past the end of the list of CGI variables, potentially crashing the CGI (Scott Wilkerson) * Fixed inheritance of hourly_value from host and service templates (Scott Wilkerson) * Fixed bug #502: 4.0.0: Configuration -> Service Escalations = incomplete list (Eric Stanley) * Fixed bug #523: quotes and double quotes in plugin message are converted to HTML escapes in Nagios 4.0 (duplicate of bug #524) * Fixed bug #524: URLs returned in plugin check results are not correctly displayed (Eric Stanley) * Fixed bug where passive service checks would return "Service check timed out after 0.00 seconds" (Scott Wilkerson) 4.0.2 - 11/25/2013 ------------------ FIXES * Fixed bug 528: Nagios 4.0.1: Logrotation: Only current host- and servicestates saved in rotated logfiles (duplicate of 507) * Fixed bug 507: Nagios 4.0.0 - Problem during log rotate (Stefano Ghelfi) * Fixed bug 530: RPM spec file sets wrong permissions on plugins directory (duplicate of bug 494) * Fixed bug 494: nagios.spec fixes (with patch) (Karsten Weiss) * Fixed bug 515: Segsegv after starting up nagios (duplicate of bug 526) * Fixed bug 513: Crash while entering downtime for service (duplicate of bug 526) * Fixed bug 529: Core Worker failed to reap child in 4.0.1 Description * Fixed bug 514: scheduled downtime not showing in web interface (Eric Stanley) * Fixed bug 526: sort_downtime() corrupts scheduled_downtime_list causing segfault (Adam James) * Fixed bug 492: Nagios 4 fails to remove/add checks upon reload (Eric Stanley) * Fixed Bug 484: Beta4.0.0b4 service checks returning (No output on stdout) (Eric Stanley) * Fixed Bug 470: statusmap doesn't display info (Cameron Moore) * Fixed Bug 499: Security issue in daemon-init.in, function check_config (Tómas Edwardsson) 4.0.1 - 10/15/2013 ------------------ ENHANCEMENTS * Added compiler flags in RPM spec file to reduce compiler noise (Dan Wittenberg) * Added logging of failure in dlclose() call (Anton Lofgren) * Added a simple query handler interface, nagios-qh.rb (Dan Wittenberg) * Multiple code simplifications, additional error handling in downtime code (Andreas Ericsson) FIXES * Reverted commit f99a9a7b which set check_interval to 1 if it was configured as zero. * Corrected order of arguments when logging unknown hosts/services (Scott Wilkerson) * Downtime initialized before retention data read (Eric Stanley) * Patches to make RPM build again (Dan Wittenberg) * Ensure that scheduled_downtime_depth never drops below zero (Andreas Ericsson) 4.0.0 - 09/20/2013 ------------------ See http://nagios.sourceforge.net/docs/nagioscore/4/en/whatsnew.html for a list of the changes in Nagios Core 4