Xymon 4.3.29 Released - Important Security Update
Hi,
I just upgraded our xymon server on Scientific Linux release 6.10 from xymon 4.3.28 to 4.3.29.
Two things are not working any longer:
http authentication: I defined the login information in the file /etc/xymon/netrc, which worked before the upgrade. Now the http tests are red with the message "Authorization Required".
history files cannot be opened any more. When I click on the history button of a test, I get an empty page with the message "Cannot open history file"
On 29.07.2019 at 19:41, Japheth Cleaver wrote:
The Terabithia Xymon 4.3.29-1 packages have been updated in the production repositories and should be available for download at https://terabithia.org/rpms/xymon/
As a reminder, EL3 and EL4 and Fedora 18-27 have been retired -- those repos have been moved to the /retired/ directory.
As EPEL8 has not yet been released, an fping package is available in the EL8 repository, as well as man2html (needed for rebuilds).
-- Best regards,
Dirk Kastens Universitaet Osnabrueck, Rechenzentrum (Computer Center) Albrechtstr. 28, 49069 Osnabrueck, Germany Tel.: +49-541-969-2347, FAX: -2470
For HTTP authentication, this is simple basic auth and not certificate-based or anything else?
For history file checking, can you verify that hosts with dashes in the name show this symptom while those with just alphanumerics (and periods) don't? I believe this may actually be the bug cause here.
-jc
Hi Japheth,
On 05.08.2019 at 16:52, Japheth Cleaver wrote:
For HTTP authentication, this is simple basic auth and not certificate-based or anything else?
Correct. My netrc file looks like this:
machine xymon.server login xymonuser password secret
Now, authentication only works if I use the url, like
https://xymonuser:secret@xymon.server
For history file checking, can you verify that hosts with dashes in the name show this symptom while those with just alphanumerics (and periods) don't? I believe this may actually be the bug cause here.
All of our hosts have dashes in their names, because our domain name contains a dash (uni-osnabrueck.de). I just found a host without a dash, and there the history page really works :-)
-- Best regards,
Dirk Kastens Universitaet Osnabrueck, Rechenzentrum (Computer Center) Albrechtstr. 28, 49069 Osnabrueck, Germany Tel.: +49-541-969-2347, FAX: -2470
On Mon, 2019-08-05 at 07:52 -0700, Japheth Cleaver wrote:
For history file checking, can you verify that hosts with dashes in the name show this symptom while those with just alphanumerics (and periods) don't? I believe this may actually be the bug cause here.
Interesting. Can confirm that our clients without a hyphen/dash in the name work fine with history. The hosts with a hyphen/dash do not - they get a "Cannot open history file" error.
John.
-- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
Yes, I'm seeing the dash problem too. Some of my VMs have dashes in the name (since they don't migrate, it makes it easier to remember which host they're on); most don't run all the time ("dialup" if you will), but one (actually a Solaris zone) does. All the ones with dashes in the name get "Cannot open history file". Please fix!!!
I likewise see that history button issue for hostnames with dashes or underscores. Attached is a context diff patch file to fix the issue. Are there other alphanumerics in hostnames that should be added to line 608 of the web/history.c file?
Tom Schmidt Sr Manager, IT, Product Engineering IT ETD Eng Sites US Micron Technology, Inc. Office: +1 (208) 368-4058 Fax: (208)368-2807 Email: tschmidt at micron.com Website: micron.com Micron Technology, Inc., Confidential and Proprietary.
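The symptom reported in this thread (history lookups failing only for hostnames that contain a dash or underscore) is what an over-strict character allowlist on the hostname parameter produces. The following C code is an added example, not code from Xymon's web/history.c or from the attached patch; the function names, the demo directory and the `<dir>/<host>.<service>` path layout are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers; names and path layout are assumptions, not Xymon's. */

/* Strict allowlist: alphanumerics and periods only. This reproduces the
 * reported symptom, because "web-01.example.com" is refused. */
int hostname_ok_strict(const char *s)
{
    if (s == NULL || *s == '\0') return 0;
    for (; *s; s++) {
        if (!isalnum((unsigned char)*s) && *s != '.') return 0;
    }
    return 1;
}

/* Widened allowlist: additionally accepts '-' and '_', while still
 * refusing anything that could change which file gets opened. */
int hostname_ok(const char *s)
{
    size_t len;
    const char *p;

    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > 253) return 0;        /* empty or over-long name */
    if (s[0] == '.' || s[0] == '-') return 0;   /* no dotfiles, no option-like names */
    if (strstr(s, "..") != NULL) return 0;      /* no parent-directory sequences */
    for (p = s; *p; p++) {
        /* '/', '\\', whitespace, '%' and all other bytes fall through to 0 */
        if (!isalnum((unsigned char)*p) && strchr(".-_", *p) == NULL) return 0;
    }
    return 1;
}

/* Builds "<dir>/<host>.<service>" only when both request-supplied parts
 * pass the allowlist. Returns 0 on success, -1 on rejection or truncation. */
int history_path(char *out, size_t outlen, const char *dir,
                 const char *host, const char *service)
{
    int n;

    if (!hostname_ok(host) || !hostname_ok(service)) return -1;
    n = snprintf(out, outlen, "%s/%s.%s", dir, host, service);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample hostnames, not taken from any real system. */
    const char *samples[] = { "www.example.com", "web-01.example.com",
                              "db_zone1", "../../etc/passwd" };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = history_path(path, sizeof path, "/srv/hist-demo",
                              samples[i], "http");
        printf("%-20s strict=%d widened=%d path=%s\n", samples[i],
               hostname_ok_strict(samples[i]), hostname_ok(samples[i]),
               rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```

Widening the character set restores dashed and underscored hostnames without reopening the path: separators and `..` are still rejected before the filename is built.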
I did the same thing and did it from source.
After removing the #pragma statements and adding libtirpc-devel to get it to compile, I found the https sites failed. They do pass the sslcert test.
I just rolled back to 4.3.28
I'll figure it out later, after I figure out how the rollback screwed up the built in SNMP support that I so painfully got working and was still documenting.
sigh
I had a similar issue with the HTTPS test. I found specifying the Xymon server's IP during the configure script caused the problem. The OpenSSL info didn't show up on the xymonnet page. Rerunning configure, leaving 127.0.0.1 for the IP, rebuilding, and reinstalling fixed it.
I still had other issues so I reverted my test server back to 4.3.28 since I was leaving for vacation.
Running on Oracle Linux 6.x, used the patches available thru last Friday but don't recall if libtirpc-devel is installed.
I think I had to add login and password to the URL for an http test (to something that required those), where previously an entry in $HOME/server/etc/netrc sufficed. In other words, the behavior changed with the update.
Richard: Can you provide the output of --debug on a xymonnet run off-list? This could be a parsing issue somewhere, but from glancing at the code I'm not sure where the logic might be diverging.
Robert:
So far I haven't been able to duplicate this one. Do you happen to have ./configure output in scrollback? While an IP that doesn't match hostname or isn't up *could* affect something, the compilation check for SSL support seems totally distinct. Were other SSL tests also failing? Alternatively, is there a chance the SSL versioning/cypher lockdown might be different on this endpoint?
-jc
JC
Just getting back in the office. I didn't have the scroll back log so I reran the configure, make, and install today with the real IP defined instead of 127.0.0.1. I cannot reproduce it, so I guess I messed up something previously.
So, my apologies for the wild goose chase.