Add patches to xymon from the xymon code repository to fix compatibility
issues in 4.3.29.
Upstream changelog:
Changes for 4.3.29
==================
Several buffer overflow security issues have been resolved, as well as
a potential XSS attack on certain CGI interfaces. Although the ability
to exploit is limited, all users are urged to upgrade.
The assigned CVE numbers are:
CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
In addition, revisions have been made to a number of places throughout
the code to convert the most common sprintf statements to snprintf for
safer processing, which should reduce the impact of similar parsing.
Additional work on this will continue in the future.
The affected CGIs are:
history.c (overflow of histlogfn) = CVE-2019-13451
reportlog.c (overflow of histlogfn) = CVE-2019-13452
csvinfo.c (overflow of dbfn) = CVE-2019-13273
csvinfo.c (reflected XSS) = CVE-2019-13274
acknowledge.c (overflow of msgline) = CVE-2019-13455
appfeed.c (overflow of errtxt) = CVE-2019-13484
history.c (overflow of selfurl) = CVE-2019-13485
svcstatus.c (overflow of errtxt) = CVE-2019-13486
We would like to thank the University of Cambridge Computer Security
Incident Response Team for their assistance in reporting and helping
resolve these issues.
Additional Changes:
On Linux, a few additional tmpfs volumes are ignored by default
on new (or unmodified) installs. This includes /run/user/<uid>,
which is a transient, per-session tmpfs on some systems. To re-
enable monitoring for this (if you are running services under
a user with a login session), you may need to edit the analysis.cfg(5)
file.
After upgrade, these partitions will no longer be alerted on or
tracked, and their associated RRD files may also be removed:
/run/user/<uid> (but NOT /run)
/dev (but NOT /dev/shm)
/sys/fs/cgroup
/lib/init/rw
The default hard limit for an incoming message has been raised from
10MB to 64MB
The secure apache config snippet no longer requires a xymongroups file
to be present (and module loaded), since it's not used by default. This
will not affect existing installs.
A --no-cpu-listing option has been added to xymond_client to suppress the
'top' output in cpu test status messages.
The conversation used in SMTP checks has been adjusted to perform a proper
"EHLO" greeting against servers, using the host string 'xymonnet'. If the
string needs to be adjusted, however, see protocols.cfg(5)
"Actual" memory usage (as a percentage) may be >100% on some platforms
in certain situations. This alone will not be tagged as "invalid" data
and should be graphed in RRD.
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
notable changes: OpenSSL 1.1.0 is now supported, and c-ares has been updated
While touching the package anyhow, it has been taught to pass down hardening
flags, so that the various PKGSRC_USE_ flags now have effect.
Upstream relnotes:
Changes for 4.3.27
==================
Fixes for CGI acknowledgements and NK/criticalview web redirects.
Xymon should now properly check for lack of SSLv3 (or v2) support at compile-
time and exclude the openssl options as needed.
Completely empty directories (on Windows) are no longer considered errors.
Changes for 4.3.26
==================
This is mostly a bug fix release for javascript issues on the info and
trends pages, along with the enable / disable CGI. Several browsers had
difficulty with the new CSP rules introduced in 4.3.25.
XYMWEBREFRESH is now used as the default refresh interval for dynamic
status pages and various other xymongen destinations. Non-svcstatus
pages can be overridden by altering the appropriate *_header template
files, but svcstatus refresh interval uses this value. (default: 60s)
Set in xymonserver.cfg(5).
Incoming test names are now restricted to alphanumeric characters, colons
dashes, underscores, and slashes. Slashes and colons may be restricted in
a future release.
Unconfigured (ghost) host names are now restricted to alphanumerics, colons,
commas, periods, dashes, and underscores. It is strongly recommended to use only
valid hostnames and DNS components in servers names.
Files matched multiple times by logfetch in the client config retrieved
from config-local.cfg (such as a file matching multiple globs) will now only
be scanned once and only use the ignore/trigger rules from its first entry.
(Note: A future version of Xymon may combine all matching rules for a file together.)
CLASS groupings in analysis.cfg and alerts.cfg will now reliably work for
hosts with a CLASS override in hosts.cfg. Previous, this class was not used
in favor of the class type sent in on any specific client message.
The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
(symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
(CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
the addition of appropriate Content-Security-Policy headers to prevent XSS
attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
eliminating the shell script CGI wrappers
Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.
The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.
fix inode check result rrd handling for all BSDish systems; if you use
xymon-4.3.17nb1 on *BSD you may have lots of inode<number>.rrd files
in /var/xymon/rrd, since it used iavail instead of the name of the
filesystem mount to identify the inode usage stats.
Also contains the inode check expansion for NetBSD from PR 48575
Upstream changelog:
Changes for 4.3.15 - 4.3.17
===========================
No significant changes.
Changes for 4.3.14
==================
In previous Xymon versions, a client-only configuration (i.e. one
configured with "./configure --client") would place the client
files in a "client" subdirectory below the directory specified
during configuration. This is the same directory layout as a server
installation, where the server and client parts of Xymon are
in separate subdirectories.
In 4.3.14, the default has changed so a client-only installation
now installs in the directory given during the configure-step.
The "/client" has been eliminated, so if you are upgrading an
existing client you must either move the old client installation
one level up from the "client/" directory, or change the Makefile
generated by "configure --client" and add "/client" to the
XYMONTOPDIR setting.
The SNI support added in 4.3.13 causes problems with some older
webservers, whose SSL implementation cannot handshake correctly
when SNI is used. The failed handshake causes Xymon to report
the site as down. In 4.3.14, the default is changed so SNI is
disabled. A new "--sni" option was added to xymonnet to control the
default setting, and two new tags "sni" and "nosni" can be used in
hosts.cfg to control SNI for each host that is tested.
Changes for 4.3.13
==================
This is mostly a bugfix release. Apart from simple bugs (see
the Changes file), there are some enhancements:
Alerts sent via e-mail have <CR><NL> line-endings converted
to plain <NL>, since the carriage-return characters would
cause some mailers to send alerts as a (binary) attachment
to an empty mail message.
https-URL's can be forced to use TLS only, by using
"httpst://..." similar to how SSLv2 and SSLv3 can be chosen.
SSL connections (e.g. for https URL's) now use the TLS
"Server Name Indication" (SNI) if your OpenSSL library
supports it. This allows testing of systems that have
multiple SSL websites located on the same physical IP+port
(i.e. virtual name-based hosts).
Changes for 4.3.12
==================
NOTE: This release includes a bugfix for a security issue
in the xymond_history and xymond_rrd modules. A "drophost"
command sent to the xymond port (default: 1984) from an IP
listed in the --admin-senders access control list can be
used to delete files owned by the user running the xymond
daemon. This is allowed by default, so it is highly recommended
to install this update.
Changes for 4.3.2 - 4.3.11
==========================
See the Changes file for a list of significant changes.
These releases are mostly to fix bugs.
NOTE: Some configuration parameters have changed, so you must
regenerate the top-level Makefile by running the "configure"
script before compiling the new version.
The inode-check introduced in 4.3.8 and 4.3.10 requires
that you update both the Xymon server installation and the
Xymon client on the systems where you want to monitor how
many inodes are being used.
to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
- update to newest version
Upstream changelog:
Xymon release 4.3.10 - released on Aug 6 2012
=============================================
Main features in this release is the addition of inode-checks
on all major platforms, and a series of enhancements to the
build procedure.
Also, building Xymon on most common platforms is now explicitly
described in the "install" document.
* Fix build problems with "errno"
* Fix build problems with OpenSSL in non-default locations
* Fix build problems with certain LDAP configurations
* Fix build problems with RRDtool on FreeBSD / OpenBSD
* Fix problem with ifstat data from Fedora in graphs
* "inode" check on FreeBSD, OpenBSD, OSX, Solaris, HP/UX, AIX
in addition to existing support for Linux
* Document building and installing Xymon on common platforms
(Linux, FreeBSD, OpenBSD, Solaris)
* Enhance xymoncfg so it can be used to import Xymon configuration
settings into shell-scripts.
Xymon release 4.3.9 - released on Jul 24 2012
=============================================
This release is mainly a bug-fix release.
* Fix crash when XYMSRV is undefined but XYMSERVERS is
* Fix error in calculating combo-status messages with
forward references
* Fix error in disable-until-TIME or disable-until-OK code
* Fix documentation of DURATION in alerts.cfg / xymond_alert so
it is consistenly listed as being in "minutes".
* Permit explicit use of ">" and ">=" in alerts.cfg
* Permit building without the RRDtool libraries, e.g. for
a network-tester build, but with trend-graphing disabled.
* Full compiler-warning cleanup
* Various configuration/build-script issues fixed.
Xymon release 4.3.8 - released on Jul 15 2012
=============================================
This release is mainly a bug-fix release.
Bugfixes
* Workaround for DNS timeout handling, now fixed at approximately 25
seconds.
* "hostinfo" command for xymond documented
* confreport only shows processes that are monitored
* analysis.cfg parsing of COLOR for UP rules was broken
* RRD handlers no longer crash after receiving 1 billion updates
* Using .netrc for authentication could crash xymonnet
* "directory" includes would report the wrong filename for missing
directories.
* useradm CGI would invoke htpassword twice
* "include" and "directory" now ignores trailing whitespace
* SSLv2 support disabled if SSL-library does not support it
* Minor bugfixes and cleanups of compiler warnings.
Enhancements
* Service status on info page now links to the detailed status page.
* Add RRDGRAPHOPTS setting to permit global user-specified RRD options,
e.g. for font to showgraph CGI
* Add check for the size of public keys used in SSL certificates
(enabled via --sslkeysize=N option for xymonnet)
* Optionally disable the display of SSL ciphers in the sslcert status
(the --no-cipherlist option for xymonnet)
* Improved build-scripts works on newer systems with libraries in
new and surprising places
* Reduce xymonnet memory usage and runtime for ping tests when there
are multiple hosts.cfg entries with the same IP-address.
* Add code for inode-monitoring on Linux. Does not currently work on
any other client platform.
* Added the ability to disable tests until a specific time, instead of
for some interval. Disabling a test also now computes the expire time
for the disable to happen at the next closest minute.
* Add Makefile.DragonFly
* Fix sha2.c #include <stdint.h>.
On last, nothing sets HAVE_STDINT_H and passing -DHAVE_STDINT_H through
cflags fails. Just switch it based on __FreeBSD__ and __DragonFly__.
