* Mon Apr 06 2020 lars@linux-schulserver.de - 4.4.5
- fix boo#1156309, CVE-2019-3698 : Symbolic Link (Symlink) following
vulnerability in the cronjob allows local attackers to cause cause
DoS or potentially escalate privileges by winning a race.
- enhance systemd service: check nagios config before reloading
- enable build for SLE11 by excluding some special macros and
directories via 'sles_version != 11' condition
- add nagios-archive.service and nagios-archive.timer as replacement
for the script in cron.weekly: no need for cron on systemd systems
- run set_permissions and verifyscript for /etc/cron.weekly on those
distributions that need it
- enhance rpmlint: ignore empty htpasswd file
- enable php apache module and not php5 on newer distributions
- try to harden the rcnagios script
* Mon Feb 03 2020 Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
shortcut through the -mini flavors.
* Fri Dec 20 2019 Stefan Botter <obs@botter.cc>
- 4.4.5
* Reverted changes related to #625 due to CPU load issues
* Partially reverted changes for #647 due to CPU load issues
* Fixed "Quick Search" so that leading/trailing whitespace doesn't affect output (#681) (Sebastian Wolf)
* Fixed build issues on non-RPM-based platforms (#617) (T.J. Yang)
- 4.4.4
* Fixed log rotation logic to not repeatedly schedule rotation on a DST change (#610, #626) (Jaroslav Jindrak & Sebastian Wolf)
* Fixed $SERVICEPROBLEMID$ to be reset after service recovery (#621) (Sebastian Wolf)
* Fixed defunct worker processes appearing after nagios was reloaded (#441, #620) (Sebastian Wolf)
* Fixed main nagios thread to release nagios.qh on a closed connection (#635) (Sebastian Wolf)
* Fixed semicolon escaping to remove prepended backslash (\) (#643) (Sebastian Wolf)
* Fixed 'Checks of this host have been disabled' message showing on passive-only hosts (#632) (Vojtěch Širůček & Sebastian Wolf)
* Fixed last_hard_state showing the current hard state when service status is brokered (#633) (Sebastian Wolf)
* Fixed long plugin output (>8KB) occasionally getting truncated (#625) (Sebastian Wolf)
* Fixed check scheduling for objects with large check_intervals and small timeperiods (#647) (Sebastian Wolf)
* Fixed SOFT recoveries sending when services had HARD recovery some time after host recovery (#651) (Sebastian Wolf)
* Fixed incorrect permissions on debugging builds of FreeBSD (#420) (Sebastian Wolf)
* Fixed NEB callback lists being partially orphaned when multiple modules subscribe to one callback (#590) (Sebastian Wolf)
* Fixed memory leaks in run_async_service_check(), run_async_host_check() when checks are brokered (#664) (Sebastian Wolf)
* Fixed potential XSS in main.php, map.php (#671, #672) (Jak Gibb)
* Removed NEB brokering for nagios daemonization, since daemonization occurs before NEB initialization (#591) (Sebastian Wolf)
* Wed Nov 13 2019 Ansgar Esztermann <aeszter@gwdg.de>
- compile with -ffat-lto-objects to prevent build failure
* Tue Aug 20 2019 kukuk@suse.de
- Add /etc/cron.weekly to filelist, as this is now part of cron,
which we don't want to require
* Sat Apr 20 2019 Stefan <obs@botter.cc>
- revert setting of sbindir back to nagios_cgidir
* Sun Jan 20 2019 obs@botter.cc - 4.4.3
- update to 4.4.3
* Fixed services sending recovery emails when they recover if host in
down state (#572) (Scott Wilkerson)
* Fixed a make error when building on the aarch64 architecture (#598)
(Gareth Randall)
* Fixed --with-cgibindir and --with-webdir to actually set values given
(#585) (lawsontyler)
* Fixed soft recovery states for services (#575) (Jake Omann)
* Fixed XSS vulnerability in Alert Summary report (CVE-2018-18245, boo#1119832)
(Jake Omann)
* Fixed services in soft states sometimes not switching into hard states
(#576) (Jake Omann)
* Fixed last_state_change to update when a state goes from soft -> hard
state (#592) (Jake Omann)
* Fixed Map link always being set to undefined host and don't show link
for Nagios Process root note (#539) (Jake Omann)
* Fixed notifications sending when services went into hard state on a
down or unreachable host (#584) (Jake Omann)
* Fixed log_host_retries not logging the host soft state checks (#599)
(Jake Omann)
* Fixed stalking_options N option to properly log only when a
notification is actually sent (#604) (Jake Omann)
* Fixed issue with service status totals being zero when
servicegroup=all on servicegroup status page (#579) (Jake Omann)
* Fixed escalation notifications logic and recovery notifications not
going out (#582) (Jake Omann)
* Fixed not finding child index causing duplicate hosts showing in the
Map (#471) (Jake Omann)
* Fixed Map configuration popup checkboxes not working and Root Node
not populating (#543) (Jake Omann)
* Fixed cleanup and deinit of neb modules on reload (#573) (Jake Omann)
- rebase nagios-4.2.2-enable-ppc64le.patch (allow ppc64le builds in
contrib Makefile) to:
nagios-4.4.3-enable-ppc64le.patch
* Mon Oct 15 2018 aeszter@gwdg.de
- install /var/spool/nagios setgid nagcmd so external applications
like the webinterface can issue commands to nagios (boo#1028975)
* Mon Oct 15 2018 lars@linux-schulserver.de - 4.4.2
- update to 4.4.2
* Fix comment data being duplicated after a `service nagios reload`
or similar (#549) (Bryan Heden)
* Fix check_interval and retry_interval not changing at the
appropriate times (#551) (Scott Wilkerson)
* Fixed passive checks sending recovery email when host was
previously UP (#552) (Scott Wilkerson)
* Fixed flapping comments duplication on nagios reload (#554)
(Christian Jung)
* Fix for CVE-2018-13441, CVE-2018-13458, CVE-2018-13457 null
pointer dereference (Trevor McDonald) (boo#1101293, boo#1101289, boo#1101290)
* Fixed syntax error in file: default-init.in (#558) (Christian Zettel)
* Reset current notification number and state flags when the host recovers,
reset all service variables when they recover fixes (#557) (Scott Wilkerson)
* Fixed wrong counting of service status totals when showing
servicegroup details (#548) (Christian Zettel, Bryan Heden)
* Fixed avail.cgi not printing CSV output when checkbox is checked
(for any type: host/service/hostgroup/servicegroup) (#570) (Bryan Heden)
* Fixed nagios not logging SOFT state changes after 1 (Scott Wilkerson)
4.4.1 - 2018-06-25
* Revert some macro->kvvec changes causing problems when
`enable_environment_macros` was enabled (Bryan Heden)
* Adjust `process_macro_r` function logic so that it handles
macros properly (Bryan Heden)
* Fix spec file for systemd (Karsten Weiss, Fr3dY, Bryan Heden)
* Fix bug where `ssize_t` typedef to int on some systems (Bryan Heden)
4.4.0 - 2018-06-19
ENHANCEMENTS
* new status for check dependencies (John Frickson)
* Allow more flexible requirements for comments (John Frickson)
* Add a `statusCRITICALACK` class for the status column (John Frickson)
* CSV output based on groups (all options) (John Frickson)
* New Macro(s) to generate URL for host / service object to be
used in notifications (John Frickson)
* New Macro(s) to determine if host/service notifications are
enabled (#419) (Bryan Heden)
* New Macro(s) for obtaining the host/service notification
periods (#350) (Bryan Heden)
* enable_page_tour interface option (Bryan Heden)
* Code cleanups in important sections (Workers, Handling Results) (Bryan Heden)
* Automatic mail program detection (with same /bin/mail failback) (Bryan Heden)
* Incorporated [autoconf-macros](https://github.com/NagiosEnterprises/autoconf-macros)
into Core (Bryan Heden)
* Lots of enhancements/additions to configure/make process. (Bryan Heden)
+ Moved all files to startup/
+ Added upstart job
* Added system limit detection (RLIMIT_NPROC) to check for anticipated
fork() failures (#434) (Bryan Heden)
* Added stalking on notifications (`N` or `notifications` option when
specifying `stalking_options`) (#342) (Bryan Heden)
* Added automatic `systemctl daemon-reload` and `initctl reload-configuration`
where applicable on `make install-init` (Bryan Heden)
* Added case-insentive command submission. (#373) (Bryan Heden)
* Enabled `check_external_commands` by default (Bryan Heden)
FIXES
* Command line macro detection skips potential macros with no ending
dollar sign (Bryan Heden, Jake Omann)
* Fixed a lockup condition sometimes encountered on shutdown or restart (Aaron Beck)
* Fixed negative time offset calculations computing incorrectly sometimes (bbeutel)
* Fixed reloads causing defunct (zombie) processes (#441) (Bryan Heden)
* Fixed wait3(), wait4() implementations (replaced with waitpid()) (#326) (Bryan Heden)
* Fixed additive inheritance not testing for duplicates in
hosts/services/(+escalations) (#392) (Bryan Heden)
* Fixed very very (around 600k chars or greater) large plugin
output crashing Nagios (#432) (Bryan Heden)
* Fixed first_notification_delay not beeing calculated from
last_hard_state_change (#425) (Christian Zettel)
* Fixed duplicate downtime ID occuring from downtimes in retention
file (#506) (Franz [feisenko])
* Fixed segfault when navbarsearch was used in status.cgi for something
other than a host (#489) (Bryan Heden)
* Fixed some miscellaneous ./configure issues on Solaris (Bryan Heden, Troy Lea)
* Fixed "Locate host on map" link (#496) (Troy Lea)
* Fixed service groups defined with unknown service members
(that aren't first in the list) not erroring out (#500) (Bryan Heden)
* Fixed tac.cgi to have consistent behavior with the other cgis (#481)
(Bryan Heden, Matt Capra)
* Fixed clear_host/service_flapping command logic to broker/notify
properly (#525) (Bryan Heden, Karsten Weiss)
- removed upstreamed patches:
+ nagios-fix_spurious_dollar_signs_added_to_command_lines.patch
+ nagios-4.3.4-fix_memleak_4.3.3.diff
- refreshed patches:
+ nagios-4.0.6-remove-date-time.patch
+ nagios-4.1.0-add_KOHANNA.conf
+ nagios-4.2.2-enable-ppc64le.patch
+ nagios-disable_phone_home.patch
+ nagios-fix_encoding_trends.cgi.patch
+ nagios-output-length.patch
+ nagios-random_data.patch
* Tue Jun 05 2018 adaugherity@tamu.edu
- fix setting default values in nagios-exec-start-pre
Version: 4.3.4-bp150.1.3
* Thu Mar 08 2018 crrodriguez@opensuse.org
- remove unused xorg-x11-devel BuildRequires
* Tue Jan 30 2018 obs@botter.cc
- fix upstream issue #455, memleak introduced with 4.3.3
nagios-4.3.4-fix_memleak_4.3.3.diff
* Fri Dec 01 2017 lars@linux-schulserver.de
- update to 4.1.0 fixed boo#939829 already, mentioned here just
for reference
* Fri Dec 01 2017 lars@linux-schulserver.de
- fix a possible symlink attack for files/dirs created by root
fixes CVE-2016-8641 (bsc#1011630 and bsc#1018047)
- remove the pre-configured administrative account with fixed
password from the htpasswd file and provide an empty one instead
(fixes boo#961115 - CVE-2016-0726)
* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
* Thu Oct 12 2017 sbrabec@suse.com
- Do not introduce new RPM group just for nagios-contrib.
Use established Development/Tools/Other instead.
* Wed Sep 13 2017 lars@linux-schulserver.de
- update to 4.3.4
* Improved config file parsing (Mark Felder)
* Fixed configure script to check for existence of /run for lock
file (in regards to CVE-2017-12847, Bryan Heden)
* Use absolute paths when deleting check results files (Emmanuel Dreyfus)
* Add sanity checking in reassign_worker (sq5bpf)
* xodtemplate.c wrong option-deprecation code warning (alex2grad / John Frickson)
* On-demand host check always use cached host state (John Frickson)
* 'á' causes Serivce Status Information to not be displayed (John Frickson)
* New Macro(s) to generate URL for host / service object (John Frickson)
* Fix minor map issues (Troy Lea)
* Fix lockfile issues (Bryan Heden)
* Switch order of daemon_init and drop_priveleges (CVE-2017-12847, Bryan Heden)
* Add an OpenRC init script (Michael Orlitzky)
- only require insserv on older SUSE distributions
* Wed Jun 07 2017 lars@linux-schulserver.de
- update to 4.3.2
FIXED
* Every 15sec /var/log/messages is flooded with
"nagios: set_environment_var" (John Frickson)
* Changed release date to ISO format (yyyy-mm-dd) (John Frickson)
* `make all` fails if unzip is not installed (John Frickson)
* Quick Search no longer allows search by Alias (John Frickson)
* flexible downtime on a service immediately turns off notifications
(John Frickson)
* Fix to allow url_encode to be called twice (Z. Liu)
* Update timeperiods.cfg.in (spelling) (Parth Laxmikant Kolekar)
* Spelling fixes (Josh Soref)
* Vent command pipe before remove to avoid deadlocks on
writing end (Kai Kunstmann)
* CGI utility cgiutil.c does not process relative config file
path names properly (John Frickson)
* xdata/xodtemplate.c bug in option-deprecation code (John Frickson)
* Wildcard searching causes service status links to not work properly
(John Frickson)
* Quick search with no hits shows a permission denied error (John Frickson)
* Setting a service as its own parent is not caught by the sanity
checker (-v) and causes a segfault (John Frickson)
- removed nagios-4.3.1-remove-flooding-messages.patch (fixed upstream)
* Mon Mar 06 2017 obs@botter.cc
- fix upstream issue #337: remove debugging messages:
nagios-4.3.1-remove-flooding-messages.patch
* Fri Feb 24 2017 lars@linux-schulserver.de
- Update to 4.3.1
SECURITY FIXES
* Fix for CVE-2016-6209 - The "corewindow" parameter (as in
http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by
default. See the UPGRADING document for how to enable it. (John Frickson)
FIXES
* Service hard state generation and host hard or soft down status (John Frickson)
* Comments are duplicated through Nagios reload (John Frickson)
* host hourly value is incorrectly dumped as json boolean (John Frickson)
* Bug - Quick Search no longer allows search by IP (John Frickson)
* Config: status_update_interval can not be set to 1 (John Frickson)
* Check attempts not increasing if nagios is reloaded (John Frickson)
* nagios hangs on reload while sending external command to cmd file (John Frickson)
* Feature Request: return code xxx out of bounds - include message as well (John Frickson)
* Fix early event scheduling (pmalek / John Frickson)
* on-demand host checks triggered by service checks cause attempt number increments (fredericve)
* Service notification not being send when host is in soft down state (John Frickson)
* configure does not error if no perl installed on CentOS 7 (John Frickson)
* failed passive requests leave .ok files in checkresults dir (caronc)
* Services don't show in status.cgi if "noheader" specified (John Frickson)
* Standardized check interval config file names (John Frickson)
* "Event Log" (showlog.cgi) could not open log file (John Frickson)
* "nagios_check_command" has been deprecated since v3.0. Last vestiges
removed (John Frickson)
ENHANCEMENTS
* Added new flag to cgi.cfg: tac_cgi_hard_only to show only HARD
states (John Frickson)
* Add broker-event for the end of a timed event (NEBTYPE_TIMEDEVENT_END) (John Frickson)
* There is no Macro to retrieve addresses of hostgroup members
(now $HOSTGROUPMEMBERADDRESSES$) (John Frickson)
* Add "Page Tour" videos to several of the core web pages (John Frickson)
* Added a login page, and a `Logoff` links (John Frickson)
* On the status map, the host name will be colored if services are
not all OK. (John Frickson)
* Added "Clear flapping state" command on host and services
detail pages. (John Frickson)
* User-entered comment now displays below generated comment for
downtime (John Frickson)
- refreshed patches
* Sun Dec 11 2016 lars@linux-schulserver.de
- update to 4.2.4
SECURITY FIXES
* Fixed another root privilege escalation (CVE-2016-9566) Thanks for
bringing this to our attention go to Dawid Golunski
(http://legalhackers.com).
* Tue Nov 29 2016 lars@linux-schulserver.de
- update to 4.2.3
SECURITY FIXES
* Fixed a root privilege escalation (CVE-2016-8641) (John Frickson)
FIXES
* external command during reload doesn't work (John Frickson)
* Nagios provides no error condition as to why it fails on the
verify for serviceescalation (John Frickson)
* No root group in FreeBSD and Apple OS X (John Frickson)
* jsonquery.html doesn't display scheduled_time_ok correctly (John Frickson)
* daemon_dumps_core=1 has no effect on Linux when Nagios
started as root (John Frickson)
* Configuration check in hostgroup - misspelled hostname does
not error (John Frickson)
* contacts or contact_groups directive with no value should not
be allowed (John Frickson)
* Compile 64-bit on SPARC produces LD error (John Frickson)
* HOSTSTATEID returns 0 even if host does not exist (John Frickson)
* Submitting UNREACHABLE passive result for host sets it as DOWN
if the host has no parents (John Frickson)
* nagios: job XX (pid=YY): read() returned error 11 (changed from
LOG_ERR to LOG_NOTICE) (John Frickson)
* Fix for quick search not showing services if wildcard used
(John Frickson)
* Wed Nov 09 2016 jengelh@inai.de
- use faster find variants
* Tue Nov 08 2016 lars@linux-schulserver.de
- allow ppc64le builds in contrib Makefile:
nagios-4.2.2-enable-ppc64le.patch
* Tue Oct 25 2016 lars@linux-schulserver.de
- update to 4.2.2
SECURITY
+ There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release
on August 1, 2016. The fix was apparently incomplete, as there was
still a problem. However, we are now getting all RSS feeds using AJAX
calls instead of the (outdated) MagpieRSS package. Thanks for bringing
this to our attention go to Dawid Golunski (http://legalhackers.com).
ENHANCEMENTS
+ Update status.c to display passive check icon for hosts when
passive checks are enabled and actives disabled
FIXES
+ Fix permissions for Host Groups reports (status.cgi)
+ Service Parents does not appear to be functioning as intended
+ Availability report mixes up scheduled and unscheduled warning percentages
+ Invalid values for saved_stamp in comput_subject_downtime_times()
+ Remove deprecated ?framespacing?
+ The nagios tarball contains two identical jquery copies
+ extinfo.cgi does not set content-type (most cgi?s don?t)
+ Timeperiods are corrupted by external command CHANGE_SVC_CHECK_TIMEPERIOD
+ Quick search doesn?t show hosts without services (service status detail page)
+ In host/services details view, if exactly 100 entries would not show last one
+ nagios host URL parameter for NEW map doesn`t work ? Network Map for All Hosts
+ next_problem_id is improperly initialized
+ Passive problems not showing as ?unhandled?
+ September reported as Sept instead of Sep
+ Notifications are not sent for active alerts after scheduled downtime ends
+ Nagios 4.2.0 not working on Solaris
+ install-exfoliation and install-classicui don?t work FreeBSD and Mac OS X
+ Updated makefile to delete some no-longer-needed files
* Tue Sep 06 2016 lars@linux-schulserver.de
- update to 4.2.1
FIXES
+ Fix undefined variable php error (John Frickson)
+ Links on the sidebar menu under 'Problems' are indented too far
+ Using $ARGn$ Macros in perfdata (John Frickson)
+ using a wildcard in search returns service status total all zero's
+ read_only does not take priority (deppy)
+ Running nagios -v on 4.2.0 takes 90+ seconds (John Frickson)
+ Missing Image for Host and Service State Trends in Availability Report
+ Maintain non-persistent comments through reload (John Frickson)
+ Servicegroup availability report ignores includesoftstates in
service report links (PriceChild)
+ error: format not a string literal and no format arguments (Karsten Weiss)
- ignore rpmlint warnings about tmpfile creating/listing: this is
handled, but not properly detected by rpmlnt
* Fri Sep 02 2016 lars.vogdt@suse.com
- update to 4.2.0
SECURITY FIXES
+ Fixed vulnerability CVE-2008-4796 (John Frickson)
+ Fixed vulnerability CVE-2013-4214 (John Frickson)
+ web interface vulnerable to Cross-Site Request Forgery attacks
ENHANCEMENTS
+ Increase socket queue length for listen()
+ Added host name to the website page title (leres / John Frickson)
+ Added additional icons for NetBSD and SuSE (John Frickson)
+ The new Status Map will now use cgi.cfg options (John Frickson)
default_statusmap_layout will default to "6" for the new map
+ The new Status Map will now show some valid values in the
popup for "Nagios Process" (John Frickson)
FIXES
+ Network outage view without access to all hosts (John Frickson)
+ Core workers looping (John Frickson)
+ service query returns duplicate host_name and description
fields in the returned data (John Frickson)
+ HTML output of plug-ins is parsed in wrong way => webgui
unusable (John Frickson)
+ Command worker fails to handle SIGPIPE
+ "View Status" links under "Map" broken in Nagios Core
Version 4.1.1 (John Frickson)
+ Can't send big buffer - wproc: Core Worker seems to be choked
+ Too big CPU load on FreeBSD and other systems using poll() interface
+ Flexible downtime recorded as unscheduled downtime (John Frickson)
+ Service Flexible downtimes produce 1 notification before entering
+ Once you "set flap_detection_enabled 0" it should remove flapping
state from the host/services page (John Frickson)
+ New map doesn't finish loading if a logo image is not found
+ Extraneous Div end tag in map.html (Scott Wilkerson)
+ Issue with "Problems" section (John Frickson)
+ Status Map icons and online/offline status dots disappear in IE11
+ New network map overlays the nagios process with objects
+ Added Default-Start and Default-Stop to the init script
+ Compile / logging issues with BSD 6
+ Related to above, Fixed a lot of incorrectly handled
time_t's in *printf's
+ New map not working for RU locale (actually, most locales)
+ Replaced all instances of signal() with sigaction() + blockig
+ UTF-8 characters like german ä are not processed properly by
function url_encode (John Frickson)
+ nagios worker processes can hog CPU (huxley / John Frickson)
+ custom time periods that include special characters were not
being handled in reports (John Frickson)
+ Fixed init script to wait up to 90 seconds then kill the
nagios process (John Frickson)
+ No Host Groups results in wrong error message (John Frickson)
+ Setup Nagios users to view specific host is not working in the
new network map (John Frickson)
+ statusjson.cgi fails glibc realloc truncate response output (John Frickson)
+ Report Time Period does not work if an @ character is in
the timeperiod name (John Frickson)
+ State History does not use actual plugin long_output (John Frickson)
+ Time period corruption (xoubih)
+ Tactical Overview - Disabled Flap Detection Link (John Frickson)
- add /var/run/nagios as ghost directory
* Fri Oct 16 2015 adaugherity@tamu.edu
- Fix nagios-www: keep nagios-www-dch from owning html files shipped with
Nagios.
- Remove unused NAGIOSDCH apache flag.
* Mon Sep 21 2015 aj@ajaissle.de
- Update to 4.1.1
FIXES
* CGI Could not read object configuration data (broken by error in 4.1.0)
* exclude (!) not working (broken by mis-applied fix for 4.1.0)
- Dropped patch nagios-issue_71.patch (included in sources)
* Wed Sep 02 2015 archie@dellroad.org
- Add nagios-issue_71.patch
* Fixes "CGI Could not read object configuration data" (boo#944102)