[Xymon] Xymon 4.3.29 Released - Important Security Update

Tom Schmidt (tschmidt) tschmidt at micron.com
Mon Aug 5 19:54:29 CEST 2019


I looked at the source code of 4.3.29 for more instances where dashes in the hostname were not being accepted. I found that the web/reportlog.c file also needed to be patched to allow dashes and underscores in hostnames and service names for the "Availability Report" feature. Attached is the patch file for it as well.




Tom Schmidt
Sr Manager, IT, Product Engineering
IT ETD Eng Sites US
Micron Technology, Inc.
Office: +1 (208) 368-4058  Fax: (208)368-2807
Email: tschmidt at micron.com  Website: micron.com
Micron Technology, Inc., Confidential and Proprietary.


-----Original Message-----
From: Tom Schmidt (tschmidt) 
Sent: Monday, August 5, 2019 11:03 AM
To: Richard L. Hamilton <rlhamil2 at gmail.com>; xymon at xymon.com
Subject: RE: [EXT] Re: [Xymon] Xymon 4.3.29 Released - Important Security Update

I likewise see that history button issue for hostnames with dashes or underscores.  Attached is a context diff patch file to fix the issue.  Are there other alphanumerics in hostnames that should be added to line 608 of the web/history.c file?


Tom Schmidt


-----Original Message-----
From: Xymon <xymon-bounces at xymon.com> On Behalf Of Richard L. Hamilton
Sent: Monday, August 5, 2019 10:53 AM
To: xymon at xymon.com
Subject: [EXT] Re: [Xymon] Xymon 4.3.29 Released - Important Security Update

Yes, I'm seeing the dash problem too.  Some of my VMs have dashes in the name (since they don't migrate, it makes it easier to remember which host they're on); most don't run all the time ("dialup" if you will), but one (actually a Solaris zone) does.  All the ones with dashes in the name get "Cannot open history file".  Please fix!!!

> On Aug 5, 2019, at 11:51, John Horne <john.horne at plymouth.ac.uk> wrote:
> 
> On Mon, 2019-08-05 at 07:52 -0700, Japheth Cleaver wrote:
>> On 8/5/2019 6:19 AM, Dirk Kastens wrote:
>>> Hi,
>>> 
>>> I just upgraded our xymon server on Scientific Linux release 6.10 
>>> from xymon 4.3.28 to 4.3.29.
>>> 
>>> Two things are not working any longer:
>>> 
>>> http authentication: I defined the login information in the file 
>>> /etc/xymon/netrc, which worked before the upgrade. Now the http tests 
>>> are red with the message "Authorization Required".
>>> 
>>> history files cannot be opened any more. When I click on the history 
>>> button of a test, I get an empty page with the message "Cannot open 
>>> history file"
>> 
>> Thanks,
>> 
> ...
> 
>> 
>> For history file checking, can you verify that hosts with dashes in 
>> the name show this symptom while those with just alphanumerics (and
>> periods) don't? I believe this may actually be the bug cause here.
>> 
> Interesting. Can confirm that our clients without a hyphen/dash in the 
> name work fine with history. The hosts with a hyphen/dash do not - 
> they get a "Cannot open history file" error.
> 
> 
> 
> John.
> 
> --
> John Horne | Senior Operations Analyst | Technology and Information 
> Services University of Plymouth | Drake Circus | Plymouth | Devon |
> PL4 8AA | UK

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Patch-4.3.29_reportlog.txt
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20190805/7346e808/attachment.txt>
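
The thread turns on a character check that rejected legitimate host names containing dashes and underscores. As an added example (not Xymon's code and not the attached patch, whose contents are not shown on this page), here is an allow-list check that accepts those characters while still refusing anything that could change the file path. The function names, the length limit and the `dir/host.service` file layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 255   /* assumed limit, not taken from Xymon */

/* Return 1 if name may be used as a file-name component, else 0.
 * Allowed: ASCII letters, digits, '.', '-', '_'. Everything else is
 * refused, including '/', '\\', '%', whitespace, quotes and '<' '>'. */
int name_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN) return 0;
    if (name[0] == '.' || name[0] == '-') return 0; /* no dotfiles, no option-like names */

    for (i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
        if (!ok) return 0;
        if (c == '.' && name[i + 1] == '.') return 0; /* refuse ".." anywhere */
    }
    return 1;
}

/* Build "dir/host.service" (hypothetical layout) only from validated parts.
 * Returns 0 on success, -1 on a rejected name or a truncated result. */
int build_history_path(char *out, size_t outsz, const char *dir,
                       const char *host, const char *service)
{
    int n;

    if (!name_is_safe(host) || !name_is_safe(service)) return -1;
    n = snprintf(out, outsz, "%s/%s.%s", dir, host, service);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char path[128];
    /* Constructed sample names, not hosts from the thread. */
    printf("%d\n", build_history_path(path, sizeof path, "/var/hist", "vm-host_01", "disk"));
    printf("%d\n", build_history_path(path, sizeof path, "/var/hist", "../etc", "disk"));
    return 0;
}
```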

