Changelog (Werks)
The software development of Checkmk is organized in so-called Werks. A Werk is any change or bug fix that has an influence on the user's experience. Each Werk has a unique ID, one of the levels Trivial Change, Prominent Change or Major Feature and one of the classes Bug Fix, Feature or Security Fix.
Whenever you update to a new Checkmk version, please make sure that you have understood all incompatible changes. You might have to adapt your configuration.
Want to get notifications for new versions, new werks or subscribe to the security mailing list? Sign up here.
- #16172 kaspersky_av: Don't run kav4fs-control or kesl-control if they aren't owned by root
- #16173 symantec_av: Don't run sav command if it isn't owned by root
- #16198 mk_informix: Do not allow privilege escalation
- #16232 mk_oracle(ps1): Prevent privilege escalation to root
- #16234 Hide credentials in ps output for mk_oracle
- #13723 Fix permission check when editing a report
- #13724 Remove legacy macro expansion in Event Console script actions
- #13725 Update openssl to 1.1.1n
- #13897 Fix command injection vulnerability
- #13898 Update stunnel to 5.63
- #13899 Notification spooler: Support for TLS authentication
- #13900 Update Pillow and Paramiko
- #13901 Update openssl to 1.1.1o
- #13902 Secure path for OMD hooks
- #13903 Introduce additional CSRF checks
- #13904 Update vulnerable Python dependencies
- #14087 Fix privilege escalation vulnerability
- #14098 Fix ownership of debian maintainer scripts for shipped agent package
- #14261 Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs
- #14281 Fix local privilege escalation from site users
- #14291 NagVis: Updated to 1.9.34 (Fix security issues)
- #14376 Mask passwords in rule export
- #14378 Mask passwords in REST API responses
- #14381 Fix command injection in SMS notification script
- #14382 Don't leak LDAP server address when connection fails
- #14383 Fix code injection in watolib
- #14384 Fix command injection in livestatus query headers
- #14385 Fix limited SSRF in agent-receiver API
- #14391 Require password change for old password hashes
- #14476 Update python-ldap
- #14477 Sanitize SiteConfiguration before logging it
- #14478 Restrict path param in cookies
- #14479 Update openssl to 1.1.1p
- #14480 Update openssl to 1.1.1q
- #14482 Use proper HMAC for cookie signing
- #14485 Fix session cookie validation on RestAPI
- #14509 Add authentication to REST API documentation
- #14871 Windows agent's ProgramData directory is accessible only with admins permissions
- #14916 Do not log host secret
- #14918 Change base image of docker container
- #14919 Do not log host secret (2)
- #14924 Fix CSRF in add-visual endpoint
- #14965 Dedicated CA for agent certificates
- #15065 Path-Traversal in MKP storing
- #15068 Fix improper certificate validation in agent updater
- #15069 Fix Email HTML Injection
- #15183 Drop support for outdated password hashing schemes