          <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>
           * * *   Release notes for Xymon 4.3.30   * * *
          <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>


This documents the important changes between Xymon releases, i.e.
changes you should be aware of when upgrading.

For a full list of changes and enhancements, please see the 
Changes file.


Changes for 4.3.30
==================

Various crashes and bugs relating to string handling changes have been fixed, 
including problems with hostnames with dashes in them.

Combostatus tests propagated up from other combostatus tests should now
display properly.


Changes for 4.3.29
==================

Several buffer overflow security issues have been resolved, as well as a potential
XSS attack on certain CGI interfaces. Although the ability to exploit is limited, 
all users are urged to upgrade. The assigned CVE numbers are:

  CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473, 
  CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486

In addition, revisions have been made to a number of places throughout 
the code to convert the most common sprintf statements to snprintf for 
safer processing, which should reduce the impact of similar parsing. 
Additional work on this will continue in the future.

The affected CGIs are:

	history.c (overflow of histlogfn) = CVE-2019-13451
	reportlog.c (overflow of histlogfn) = CVE-2019-13452
	csvinfo.c (overflow of dbfn) = CVE-2019-13273
	csvinfo.c (reflected XSS) = CVE-2019-13274
	acknowledge.c (overflow of msgline) = CVE-2019-13455

	appfeed.c (overflow of errtxt) = CVE-2019-13484
	history.c (overflow of selfurl) = CVE-2019-13485
	svcstatus.c (overflow of errtxt) = CVE-2019-13486

We would like to thank the University of Cambridge Computer Security 
Incident Response Team for their assistance in reporting and helping 
resolve these issues.


Additional Changes:

On Linux, a few additional tmpfs volumes are ignored by default
on new (or unmodified) installs. This includes /run/user/<uid>,
which is a transient, per-session tmpfs on some systems. To re-
enable monitoring for this (if you are running services under
a user with a login session), you may need to edit the analysis.cfg(5)
file.

After upgrade, these partitions will no longer be alerted on or
tracked, and their associated RRD files may also be removed:

 /run/user/<uid> (but NOT /run)
 /dev (but NOT /dev/shm)
 /sys/fs/cgroup
 /lib/init/rw


The default hard limit for an incoming message has been raised from 
10MB to 64MB

The secure apache config snippet no longer requires a xymongroups file
to be present (and module loaded), since it's not used by default. This
will not affect existing installs.

A --no-cpu-listing option has been added to xymond_client to suppress the 
'top' output in cpu test status messages.

The conversation used in SMTP checks has been adjusted to perform a proper
"EHLO" greeting against servers, using the host string 'xymonnet'. If the 
string needs to be adjusted, however, see protocols.cfg(5)

"Actual" memory usage (as a percentage) may be >100% on some platforms 
in certain situations. This alone will not be tagged as "invalid" data and
should be graphed in RRD.


Changes for 4.3.28
==================

OpenSSL 1.1.0 is now supported.

Specific TLS variants (1.0, 1.1, and 1.2) can be selected for 
an HTTP test using new protocol tags (see hosts.cfg(5))
OpenSSL 1.0.1+ is required.


The bundled version of c-ares (for hosts without a system lib)
has been updated to 1.12.0

Xymond_alert should now provide more stable behavior when hosts
are dropped or alerts go stale between launches.

Summary messages are properly working again.

SCRIPT message sizes are now limited only by environment memory
and can be increased by adding a MAXMSG_ALERTSCRIPT variable to
your xymonserver.cfg file

A number of typos have been corrected.

The RRD definition for the netstat graph has been tweaked to
give a more readable layout.


Changes for 4.3.27
==================

Fixes for CGI acknowledgements and NK/criticalview web redirects.

Xymon should now properly check for lack of SSLv3 (or v2) support at compile-
time and exclude the openssl options as needed.

Completely empty directories (on Windows) are no longer considered errors.


Changes for 4.3.26
==================

This is mostly a bug fix release for javascript issues on the info and 
trends pages, along with the enable / disable CGI. Several browsers had
difficulty with the new CSP rules introduced in 4.3.25.

XYMWEBREFRESH is now used as the default refresh interval for dynamic
status pages and various other xymongen destinations. Non-svcstatus 
pages can be overridden by altering the appropriate *_header template
files, but svcstatus refresh interval uses this value. (default: 60s)
Set in xymonserver.cfg(5).

Incoming test names are now restricted to alphanumeric characters, colons
dashes, underscores, and slashes. Slashes and colons may be restricted in 
a future release.

Unconfigured (ghost) host names are now restricted to alphanumerics, colons, 
commas, periods, dashes, and underscores. It is strongly recommended to use only
valid hostnames and DNS components in servers names.

Files matched multiple times by logfetch in the client config retrieved
from config-local.cfg (such as a file matching multiple globs) will now only 
be scanned once and only use the ignore/trigger rules from its first entry.
(Note: A future version of Xymon may combine all matching rules for a file together.)

CLASS groupings in analysis.cfg and alerts.cfg will now reliably work for
hosts with a CLASS override in hosts.cfg. Previous, this class was not used
in favor of the class type sent in on any specific client message.


Changes for 4.3.25
==================

Several security issues have been resolved relating to "config" messages 
and Cross-Site-Scripting vulnerabilities in the web interface. We would 
like to thank Markus Krell for reporting the following security issues 
and for his assistance in working with us to resolve them.


(CVE-2016-2054) - Buffer overflow when handling "config" file requests.
(CVE-2016-2056) - Shell command injection vulnerability in useradm.sh 
and chpasswd.sh.

(CVE-2016-2055) - Credential leakage with "config" file requests.
The default suggested location for htpasswd files used in securing the
CGI interface had been $XYMONHOME/etc/ and documentation did not mention
that this file should ONLY be readable by the apache/webserver user.

Administrators should verify this file is not readable by the xymon user 
and modify ownership and permissions as needed. Additionally, the 
following restrictions have been added to files requested via "config" 
messages sent to xymond:

 - They must be regular files as returned by stat (no symlinks)
 - They must end in ".cfg"

The restriction on file names ending in ".cfg" can be overridden by setting 
ALLOWALLCONFIGFILES="TRUE" in xymonserver.cfg and restarting xymond.

Note that config files are processed through normal xymon file reading, 
so features such as "include" and "directory" still work when retrieving 
files over the network. These included files are not subject to the same 
restrictions.


(CVE-2016-2057) - The xymond feedback queue (or BFQ) had been being 
created using insecure permissions, allowing any local user to write 
messages into the queue. This has been resolved and the queue is now 
created 0620 to the xymon user. If present xymond will attempt to 
re-create it using the correct permissions, but this process may not 
succeed on all OS's. Administrators should verify queue permissions 
using ipcs and delete the key manually with ipcrm if needed.


(CVE-2016-2058) - Dynamic and historical status pages generated by the 
CGI interface now include Content-Security-Policy headers to prevent 
javascript execution from the payload of status messages themselves. The 
built-in functionality can be overridden by setting XYMON_NOCSPHEADER in 
xymonserver.cfg, if you wish to override this via an apache 
configuration.


Additional changes:


A bug introduced in 4.3.22 that could cause xymond_alert to fail to
alert after seeing an unknown (newly added) host alert for the 
first time has been fixed. Additionally, xymond_alert now regularly
reloads the hosts.cfg file to pick up changes.


The "Actual" memory value on Windows systems will be reported
more accurately. (Thanks, John Rothlisberger)

A trends_header and trends_footer have been added in the /web/
templates directory for use on trends display pages.

The xymonclient.cfg file now has a section for passing options
to xymond_client and logfetch without having to edit the script.

The logfetch command now accepts --noexec as an option to inhibit
running commands from the client config used to list files to scan
for messages.

The logfetch command can use a file glob(7) in client-local.cfg (or 
localclient.cfg) indicated by angle brackets. This is more efficient
and more secure than executing an `ls` command when matching known
file or log patterns.

The xymon.sh script now better matches LSB exit code expectations.

The --processor argument to xymond_rrd, allowing RRD data (ie, metrics) 
to be easily sent to an external system such as OpenTSDB has been 
properly documented.


All users of previous versions are strongly urged to upgrade.


Changes for 4.3.24
==================

Fixes a bug introduced in 4.3.22 where the non-excepted HTTP status 
codes were always seen as Critical instead of OK/Warning as intended.

All users are urged to upgrade.


Changes for 4.3.23
==================

Fixes a bug in 4.3.22 where RRD tracking of number of matching processes or
ports open on a client was not being performed.


Changes for 4.3.22
==================

The default rules for HTTP response codes have been simplified and made more
generic:
    1xx = Warning (when the final code received)
    2xx = OK
    3xx = Warning (except 302/303/307 = OK)
    4xx = Critical
    5xx = Critical

The specific changes from previous versions are:
 - 401 and 403 response codes are now considered Critical (were OK)
 - 301 Permanent Redirect response code is now considered a Warning (was OK)
 - "Extended" or new HTTP status codes in the 4xx and 5xx range
   are now considered Critical (unknown codes were previously a Warning)

In the case of 301, 401, and 403 HTTP codes, if you're expecting to receive
this HTTP status from a URL query, you should add the code explicitly to
the check by using the "httpstatus" syntax (see hosts.cfg(5)).
Basic HTTP Authentication is supported for testing logins to a site.

*** Special note: Many vendor-supplied default "Welcome" pages on unconfigured
apache servers are actually generated by a 403 error handler. Generically
testing for these pages will now show a red status instead of a green one. To
fix, simply place an index.html page at the root of the site so that 403's are
not generated.


The 'sslcert' test will now indicate the signature algorithm and cipher 
that was actually used in the connection, instead of a list of all ciphers. 
Use --showallciphers to restore the previous behavior.


On new installs, the default apache configuration no longer requires a trailing
slash when accessing the xymon pages. http://www.example.com/xymon will work.


NTPDATEOPTS, FPINGOPTS, and TRACEROUTEOPTS variables are now present in
xymonserver.cfg and will override the default options for the associated
xymonnet calls.

Note: The suggested options to 'traceroute' were never actually used as 
the default on a standard installation. In a future release, 
'-n -q 2 -w 2 -m 15' may be used unless overridden or otherwise specified.


Darwin clients (Mac OS X) now exclude AFS and read-only volumes (which are 
usually just mounted disk images) from processing, properly handle volumes with
spaces in their names, and correctly process inode details.


A chpasswd.sh file is now provided which allows a logged-in user to 
change their own .htpasswd password (after verification). Because it 
verifies their existing password first, it requires the '-v' option to 
htpasswd, which is only available in Apache 2.4.5 or higher.

By default, it is installed in the /xymon-seccgi/ directory, but can be 
moved to the /xymon-cgi/ directory to allow all users to change their 
password. Basic input validation is provided, but this CGI should be 
used with caution and only with relatively-trusted user bases.


xymongen used to skip over host groups on pages when it calcuated that
there were no test results to be displayed in that table. These groups are
now displayed, but you can restore the previous behavior by passing it
the --no-showemptygroups option.


Changes for 4.3.21
==================
RSS feeds should now display the short description of the event again.


Changes for 4.3.20
==================
Remote summaries display had been broken for a while but should now be working
again. Summaries are now also displayed on the nongreen.html page

The "Actual Used" memory figure on recent Linux kernels is now taken from
the "Available" memory reported back from free (or /proc/meminfo), which should
give a more accurate response. Physical Memory Used is still reported as the 
combination of Kernel Physical Use + buffers/cache, however this may change in
a future release.

Documentation for various directives in hosts.cfg(5) has been added

pulldata=IP:PORT directives are honored, if the defaults for the host are
incorrect

cgiwrap is now installed via hardlinking (or as packaged); FollowSymLinks 
is no longer needed for the xymon cgi-bin directories and can be removed.

Planned downtime settings are now applied to 'purple' statuses as well

http checks can now be performed using a HEAD request if desired.

Which RRD graphs are displayed on a status page can now be customized on
a per-test basis through the use of environment variables. For example,
GRAPHS_cpu="la,vmstat1" will cause an additional graph to be shown on 
cpu tests. (Submitted by Werner Maier)

A new column will be displayed on all xymon pages allowing direct access
to a server's raw clientlog (similar to the special info and trends columns). 
This can be disabled with a "noclient" tag in hosts.cfg

Additional sample protocols.cfg services are present, for svn, amqp(s) and
ircd. (Note that different ircd servers respond differently and the included
protocol conversation may require modification to work on your server.)


Changes for 4.3.19
==================
This is mostly a bugfix release (see the Changes file for a full list), 
but there are some enhancements:

Apache 2.4 syntax is now supported by the sample xymon.conf file.

EXTIME= syntax in analysis.cfg and alerts.cfg files is now supported.
Note that this exclusion is applied *after* any normal TIME= 
specifiers. (If a TIME= modifier is present, then times outside of
that range are already excluded.)

An Acknowledgements report CGI is now available, similar to 
the Notifications report. (Thanks, Andy Smith)

Client logs with multiple trigger lines found are guaranteed to have all
the sections returned, even if this exceeds the "maxbytes" specified (up to
the compiled-in limit). Additionally, the "current" location of new log 
data written since the last time xymonclient was run is now marked for 
reference. (Thanks, Franco Gasperino)

A new "deltacount" option is available in client-local.cfg. It functions
similarly to "linecount" for a given log: entry, but only counts matching 
lines written in the log file since the last run.

Additional filtration options are available for the xymondboard command,
including the full body of the message, and acknoweldgement and disable
comments. Also, inequalities can be used to filter an epoch timestamp
against any of: lastchange, logtime, validtime, acktime, or disabletime.
See the xymon(1) man page for details.

The process list visible in the 'procs' test of Linux and FreeBSD clients
is now generated in ASCII "forest" mode for increased legibility.


Changes for 4.3.18
==================
4.3.18 fixes a buffer overflow vulnerability in the acknowledge.cgi
script (CVE-2015-1430). All users are encouraged to upgrade.

Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.


In previous versions, the Xymon web CGI programs were run through
a shell-script wrapper, which took care of setting up the environment
for the Xymon programs. In light of the bash 'Shell shock' bug, this
is no longer the case. Instead, a binary 'cgiwrap' utility is used
to load the xymonserver.cfg and cgioptions.cfg files before invoking
the CGI programs. This means that the cgioptions.cfg file is no longer 
parsed as a shell script, so if you rely on this then it will no 
longer work. In that case you must replace the symlink(s) in 
xymon/cgi-bin/ with shell script wrappers which source the 
cgioptions.cfg file.


Changes for 4.3.15 - 4.3.17
===========================
No significant changes.


Changes for 4.3.14
==================
In previous Xymon versions, a client-only configuration (i.e. one
configured with "./configure --client") would place the client
files in a "client" subdirectory below the directory specified 
during configuration. This is the same directory layout as a server 
installation, where the server and client parts of Xymon are
in separate subdirectories.
In 4.3.14, the default has changed so a client-only installation
now installs in the directory given during the configure-step.
The "/client" has been eliminated, so if you are upgrading an
existing client you must either move the old client installation
one level up from the "client/" directory, or change the Makefile
generated by "configure --client" and add "/client" to the 
XYMONTOPDIR setting.

The SNI support added in 4.3.13 causes problems with some older
webservers, whose SSL implementation cannot handshake correctly
when SNI is used. The failed handshake causes Xymon to report
the site as down. In 4.3.14, the default is changed so SNI is
disabled. A new "--sni" option was added to xymonnet to control the
default setting, and two new tags "sni" and "nosni" can be used in 
hosts.cfg to control SNI for each host that is tested.


Changes for 4.3.13
==================
This is mostly a bugfix release. Apart from simple bugs (see
the Changes file), there are some enhancements:

Alerts sent via e-mail have <CR><NL> line-endings converted
to plain <NL>, since the carriage-return characters would
cause some mailers to send alerts as a (binary) attachment
to an empty mail message.

https-URL's can be forced to use TLS only, by using 
"httpst://..." similar to how SSLv2 and SSLv3 can be chosen.

SSL connections (e.g. for https URL's) now use the TLS 
"Server Name Indication" (SNI) if your OpenSSL library 
supports it. This allows testing of systems that have 
multiple SSL websites located on the same physical IP+port 
(i.e. virtual name-based hosts).


Changes for 4.3.12
==================
NOTE: This release includes a bugfix for a security issue
in the xymond_history and xymond_rrd modules. A "drophost"
command sent to the xymond port (default: 1984) from an IP
listed in the --admin-senders access control list can be
used to delete files owned by the user running the xymond 
daemon. This is allowed by default, so it is highly recommended
to install this update.


Changes for 4.3.2 - 4.3.11
==========================
See the Changes file for a list of significant changes.
These releases are mostly to fix bugs.

NOTE: Some configuration parameters have changed, so you must 
regenerate the top-level Makefile by running the "configure" 
script before compiling the new version.

The inode-check introduced in 4.3.8 and 4.3.10 requires
that you update both the Xymon server installation and the
Xymon client on the systems where you want to monitor how
many inodes are being used.


Changes for 4.3.1
==================
This is a SECURITY BUG FIX release, resolving a number of 
potential cross-site scripting vulnerabilities in the Xymon 
web interface.

Thanks to David Ferrest who reported these to me.


Changes for 4.3.0
==================
IMPORTANT: Most files and internals in Xymon have been renamed
with the 4.3.0-beta3 release. If you are upgrading from a
version prior to 4.3.0-beta3, you MUST read the file 
docs/upgrade-to-430.txt and make sure you follow the steps
outlined here. That also applies if you are upgrading from
4.3.0-beta2.

Xymon 4.3.0 is the first release with new features after 
the 4.2.0 release. Several large changes have been made
throughout the entire codebase. Some highlights (see
the Changes file for a longer list):

* Data going into graphs can now be used to alter a status,
  e.g. to trigger an alert from the response time of a network
  service.
* Tasks in xymonlaunch can be be configured to run at specific
  time of day using a cron-style syntax for when they must run.
* Worker modules (RRD, client-data parsers etc) can operate on
  remote hosts from the xymond daemon, for load-sharing.
* Support for defining holidays as non-working days in alerts and
  SLA calculations.
* Hosts which appear on multiple pages in the web display can
  use any page they are on in the alerting rules and elsewhere.
* Various new network tests: SOAP-over-HTTP, HTTP tests with
  session cookies, SSL minimum encryption strength test.
* New "compact" status display can group multiple statuses into
  one on the webpage display.
* Configurable periods for graphs on the trends page.
* RRD files can be configured to maintain more data and/or
  different data (e.g. MAX/MIN values)
* SLA calculations now include the number of outages in addition
  to the down-time.
* Solaris client now uses "swap -l" to determine swap-space
  usage, which gives very different results from the previous
  "swap -s" data. So your Solaris hosts will appear to change
  swap-utilisation when the Xymon client is upgraded.

TRACKMAX feature removed
------------------------
For users of the TRACKMAX feature present in 4.2.2 and
later 4.2.x releases: This feature has been dropped. Instead,
you should add a definition for the tests that you want to track
max-values for to the rrddefinitions.cfg file. E.g. to
track max-values for the "mytest" status column:

[mytest]
	RRA:MAX:0.5:1:576
	RRA:MAX:0.5:6:576
	RRA:MAX:0.5:24:576
	RRA:MAX:0.5:288:576


Changed behaviour of http testing via proxy
-------------------------------------------
The Big Brother behaviour of allowing you to specify an http 
(web) proxy as part of the URL in a test has been disabled
by default, since it interferes with URL's that contain
another URL as part of the URL path. If you need the Big Brother
behaviour, add "--bb-proxy-syntax" to your invocations of 
bbtest-net.

BBGHOSTS setting removed
------------------------
Setting BBGHOSTS in the xymonserver.cfg file no longer has any
effect. Instead, you must use the "--ghosts" option for hobbitd.
The default ghost handling has also been changed from "ignore"
to "log".

xymonproxy: Alert support for Big Brother servers removed
---------------------------------------------------------
The xymonproxy tool no longer supports forwarding "page"
messages. This means that if you are forwarding messages
from an old Big Brother client to a Big Brother server
that is sending out alerts, then these alerts will be
dropped. Status updates will be forwarded, only alerts
triggered from the Big Brother server are affected.

Webpage menu: New menu code
---------------------------
The Javascript-based menu code ("Tigra") has been replaced
with a menu based on CSS/HTML4. This means that any menu
customization will have to be manually transferred to the
new menu definition file, ~xymon/server/etc/xymonmenu.cfg.
The new menu-system is known NOT to work with Internet
Explorer 6 (IE 7 and newer are fine). If you must have a
menu system that works with the ancient browsers, then the
old Tigra menu can be downloaded from
http://xymon.svn.sourceforge.net/viewvc/xymon/sandbox/tigramenu/?view=tar
together with instructions for using it with Xymon 4.3.0.