--- check-mk-1.2.8p16.orig/debian/README.Debian +++ check-mk-1.2.8p16/debian/README.Debian @@ -0,0 +1,30 @@ +check-mk-livestatus +=================== + +To load the event broker add the following lines to your Icinga +configuration: + +broker_module=/usr/lib/check_mk/livestatus.o /var/lib/icinga/rw/live + +See http://mathias-kettner.de/checkmk_livestatus.html for more configuration +options. + + +logwatch +======== + +To install logwatch copy logwatch.cfg from +/usr/share/doc/check-mk-agent/examples to /etc/check_mk/ on your client. +See http://mathias-kettner.de/checkmk_logfiles.html for more information. + +On the server side you need multisite enabled to see the logs. If you also want +to acknowledge the alarms (recommended) put www-data into the nagios group + + +check-mk-config-icinga +====================== + +Check-MK's web frontend "Multisite" (package "check-mk-multisite") and the +server part of Check-MK ("check-mk-server") can only be used with Icinga. +Please install the "check-mk-config-icinga" package. + --- check-mk-1.2.8p16.orig/debian/README.source +++ check-mk-1.2.8p16/debian/README.source @@ -0,0 +1,44 @@ +dpatch +------ +We use dpatch for patch handling inside our nagios related packages. +Please see /usr/share/doc/dpatch/README.source.gz (if you have +installed dpatch) for documentation about dpatch. + +upstream vs debian install paths +-------------------------------- +This is a list of the differences between an upstream check_mk install +using setup.sh and what files and directories the debian packages +create. +Last reviewed 2015-08-21 by taggart@debian.org. + +upstream -> debian + +/etc/apache2/conf.d/zzz_check_mk.conf -> check-mk-config-* postinst creates + /etc/apache2/conf-available/check-mk-multisite.conf + +(no logwatch.cfg) -> + /etc/check_mk/logwatch.cfg provided by check-mk-agent-logwatch + +/usr/share/check_mk/agents/xinetd.conf -> /etc/xinetd.d/check_mk + +/etc/nagios/auth.serials -> not needed + +/usr/share/check_mk/modules/defaults -> provided by check-mk-config-* +/usr/share/check_mk/web/htdocs/defaults.py -> symlink to above, provided + by check-mk-config-* + +/usr/share/check_mk/check_mk_templates.cfg -> not needed +/etc/nagios/objects/check_mk_templates.cfg -> symlink to above, not needed + +/usr/share/check_mk/agents/ -> we just provide check_mk_agent/cmk/mk-job/mkp +/usr/share/check_mk/agents/plugins/ -> don't provide, see #796453 +/usr/share/check_mk/inventory/ -> don't provide, see #796455 + +/usr/share/doc/check_mk/ -> split up by package name +/usr/share/doc/check_mk/checks/ -> /usr/share/check_mk/checks-man in -doc + +/usr/share/check_mk/locale/ -> unneeded by default +/var/lib/check_mk/notify/ -> automatically created with the correct + ownership and permissions + +/etc/check_mk/multisite.mk -> /usr/share/doc/check-mk-multisite/examples/ --- check-mk-1.2.8p16.orig/debian/apache.icinga +++ check-mk-1.2.8p16/debian/apache.icinga @@ -0,0 +1,76 @@ +# Created by setup of check_mk version 1.2.6p12 +# This file will *not* be overwritten at the next setup +# of check_mk. You may edit it as needed. In order to get +# a new version, please delete it and re-run setup.sh. + +# Note for RedHat 5.3 users (and probably other version: +# this file must be loaded *after* python.conf, otherwise +# does not trigger! For that +# reason, it is installed as zzz_.... Sorry for the +# inconveniance. + + + Alias /check_mk /usr/share/check_mk/web/htdocs + + AddHandler mod_python .py + PythonHandler index + PythonDebug On + DirectoryIndex index.py + + #Handle apache 2.2 and 2.4 + = 2.3> + Require local + + + Order deny,allow + allow from all + + # Need Nagios authentification. Please edit the + # following: Set AuthName and AuthUserFile to the + # same value that you use for your Nagios configuration! + Order deny,allow + allow from all + AuthName "Icinga Access" + AuthType Basic + AuthUserFile /etc/icinga/htpasswd.users + require valid-user + + ErrorDocument 403 "

Authentication Problem

Either you've entered an invalid password or the authentication
configuration of your check_mk web pages is incorrect.

Please make sure that you've edited the file
/etc/apache2/conf.d/check_mk and made it use the same
authentication settings as your Nagios web pages.
Restart Apache afterwards." + ErrorDocument 500 "

Server or Configuration Problem

A Server problem occurred. You'll find details in the error log of Apache. One possible reason is, that the file /etc/icinga/htpasswd.users is missing. You can create that file with htpasswd or htpasswd2. A better solution might be to use your existing htpasswd file from your Nagios installation. Please edit /etc/apache2/conf.d/check_mk and change the path there. Restart Apache afterwards." +
+ ## WARNING: automation is part of multisite, more information at + ## http://mathias-kettner.com/checkmk_multisite_automation.html + ## It uses a shared secret rather than HTTP Auth for authentication and + ## and is potentially exposed to public networks so is disabled on Debian + ## by default. If you need this feature, be sure you understand the + ## security implications and take necessary precautions before turning it on. + ## Automation is done without HTTP Auth + # + # Order allow,deny + # Allow from all + # Satisfy any + # + + ## WARNING: like automation above, run_cron is part of multisite. + ## It does not use HTTP Auth, but is only exposed to localhost. Having + ## it enabled has less risk, but since it's part of multisite it is + ## also disabled by default on Debian. + ## Trigger cron jobs. This is done without authentication + # + # Order deny,allow + # Deny from all + # Allow from 127.0.0.1 + # Satisfy any + # + +
+ + + + + Alias /check_mk /usr/share/check_mk/web/htdocs + + Deny from all + ErrorDocument 403 "

Check_mk: Incomplete Apache2 Installation

You need mod_python in order to run the web interface of check_mk.
Please install mod_python and restart Apache." +
+
--- check-mk-1.2.8p16.orig/debian/changelog +++ check-mk-1.2.8p16/debian/changelog @@ -0,0 +1,213 @@ +check-mk (1.2.8p16-1ubuntu0.2) bionic-security; urgency=medium + + * SECURITY UPDATE: fix race condition vulnerability + - debian/patches/04_CVE-2017-14955.dpatch: fix race condition in userdb.py + - CVE-2017-14955 + * SECURITY UPDATE: fix XSS vulnerability + - debian/patches/05_CVE-2017-9781.dpatch: fix xss in index.py + - debian/patches/06_CVE-2021-36563.dpatch: fix xss in valuespec.py + - debian/patches/07_CVE-2021-40906.dpatch: fix xss in metrics.py + - debian/patches/08_CVE-2022-24565.dpatch: fix xss in valuespec.py + - CVE-2017-9781 + - CVE-2021-36563 + - CVE-2021-40906 + - CVE-2022-24565 + + -- Nishit Majithia Tue, 19 Jul 2022 19:26:18 +0530 + +check-mk (1.2.8p16-1ubuntu0.1) zesty; urgency=medium + + * Added patch to fix downtime.h's scheduled_downtime_struct (LP: #1372284) + + -- Haw Loeung Tue, 04 Apr 2017 17:17:00 -0700 + +check-mk (1.2.8p16-1) unstable; urgency=medium + + * new upstream release + * fix some lintian errors + * update policy version + * fix debian/watch + * update debhelper version + * clean up nagios support/references, thanks Bas Couwenberg! (Closes: #846848) + + -- Matt Taggart Thu, 26 Jan 2017 23:20:02 -0800 + +check-mk (1.2.8p14-1) unstable; urgency=low + + [ Bas Couwenberg ] + * Team upload. + * Update Vcs-* URLs to use HTTPS. + + [ Matt Taggart ] + * Imported Upstream version 1.2.8p14 + * upstream will now use coreutils timeout if available rather than waitmax + * xinetd.conf example moved, new xinetd_caching.conf + + -- Matt Taggart Tue, 24 Jan 2017 12:20:53 -0800 + +check-mk (1.2.6p12-1) unstable; urgency=medium + + [ Matt Taggart ] + * Imported Upstream version 1.2.6p12 + * fix multisite.d dir in postinst (Closes: #798344). + + -- Matt Taggart Thu, 24 Sep 2015 13:08:41 -0700 + +check-mk (1.2.6p7-1) unstable; urgency=low + + [ Matt Taggart ] + * Imported Upstream version 1.2.6p7 + * add myself to uploaders + * fix some lintian errors + * update version in defaults files (Closes: #792395). + * provide cmk and mkp utils. + * provide example multisite.mk config. + * ensure some needed directories are created. + * remove smartmontools depends until we properly fix the smart plugin. + * review difference between upstream and debian install paths and + document in README.source + + [ Bernhard Schmidt ] + * start providing mk-job + * fix -agent-logwatch depends + * -agent-logwatch is arch all + + -- Matt Taggart Fri, 21 Aug 2015 16:44:17 -0700 + +check-mk (1.2.6p5-1) unstable; urgency=medium + + [ Matt Taggart ] + * Imported Upstream version 1.2.6p5 + * migrate multisite conffile, fix logic to better detect different + cases (Closes: #732357) + * check-mk-server: clean up stuff in /var on purge (Closes: #788829). + * stop packaging all upsteam provided binaries (Closes: #790308). + + -- Matt Taggart Fri, 03 Jul 2015 15:15:53 -0700 + +check-mk (1.2.6p4-1) unstable; urgency=medium + + [ Thomas Bechtold ] + * New upstream release (Closes: #738987). + * debian/defaults.*: Use correct check-mk version. + * debian/control: + - Add myself to Uploaders field. + - Remove Sven Velt from Uploaders field (Closes: #739092). + + [ Ilya Rassadin ] + * New upstream release (Closes: #778380). + * debian/defaults.*: Use correct check-mk version. + * debian/control: Add myself to Uploaders field. + * debian/check-mk-server.install: Add path for flexible notifications + * debian/check-mk-server.postinst: Add path for flexible notifications + + [ Matt Taggart ] + * Confirmed that CVE-2014-2329, CVE-2014-2330, CVE-2014-2331, + CVE-2014-2332 are fixed in upstream as of 1.2.3i5 (Closes: #742689). + * New upstream release (Closes: #778380). + * upstream forgot to include waitmax.c in their "source" tarball, + provide it in the source package for now + * logwatch.cfg example changed location upstream, adjust + check_mk_agent_logwatch.{example,install} + * regenerate defaults.* starting with upstream versions generated by + setup.sh and then porting forward the debian specific changes. + * regenerate apache.* starting with upstream versions generated by + setup.sh and then porting forward the debian specific changes. + Disable multisite automation.py and run_cron.py services by default. + + -- Matt Taggart Wed, 10 Jun 2015 11:10:32 -0700 + +check-mk (1.2.2p3-1) unstable; urgency=low + + * New upstream release. + + -- Thomas Bechtold Thu, 05 Dec 2013 20:33:24 +0100 + +check-mk (1.2.2p2-1) unstable; urgency=low + + [ Thomas Bechtold ] + * New upstream release (Closes: #678396). + * Update defaults in debian/defaults.nagios3 and debian/defaults.icinga. + * Update debian/patches/02_wato-sudoers.dpatch. + * debian/check-mk-server.install: Remove usr/share/check_mk/pnp-rraconf. + * debian/check-mk-config-nagios3.install: Adjust path for + check_mk_templates.cfg. + * debian/check-mk-config-icinga.install: Adjust path for + check_mk_templates.cfg. + * debian/check-mk-multisite.install: Remove no longer available + etc/sudoers.d/check_mk_wato. + * [411c207] check-mk-server: Add debconf note about RRD update. + * [fd007c2] Handle apache 2.2 and apache2.4 + * [9038096] debconf msg only when upgrading from < 1.2.0 + + [ Alexander Wirt ] + * [1abe7cc] Bump standards version + + -- Alexander Wirt Fri, 13 Sep 2013 08:00:52 +0200 + +check-mk (1.1.12p7-1) unstable; urgency=low + + * [b088706] Add Recommends for snmp to server part + * [1708000] Imported Upstream version 1.1.12p7 + * [256e383] Recommends ethtool and smartmontools in check-mk-agent + (Closes: #649677) + * [5a4c4cc] Move manpages to -server and don't compress docs (Closes: #649676) + * [2f52423] Create /etc/check_mk/conf.d in multisite package (Closes: #649316) + * [c536571] Bump version for default files + * [688edf4] Fix usage of dpkg-maintscript-helper. + Thanks to Colin Watson for the patch (Closes: #659548) + * [98ce919] Call dh_* with -a or -i (Closes: #649162) + * [1107727] Add missing dh_ calls to binary-indep + * [b2f781c] Add missing -nagios3 preinst + + -- Alexander Wirt Thu, 05 Apr 2012 19:36:02 +0200 + +check-mk (1.1.12-1) unstable; urgency=low + + [ Bernd Zeimetz ] + * [791a318] Install necessary sudo permissions for WATO. + * [cb1f3c7] Fix lintian W: check-mk source: + brace-expansion-in-debhelper-config-file + * [b5562b4] Install /var/lib/check_mk/wato as required by wato. + * [571007f] /var/lib/check_mk/autochecks/ should be owned by nagios, too. + * [d6e7572] /var/lib/check_mk/precompiled should be owned by nagios:nagios. + * [5456d5c] Move check_mk nagios/icinga config files into check_mk subfolder. + * [bd0ea1d] Add a check-mk-doc package and configure defaults accordingly. + + [ Alexander Wirt ] + * [559e8b7] Migrate configuration files to /etc/icinga/objects/check_mk + * [d5bad65] Fix typo in control file + * [11edf6f] Migrate check-mk objects for nagios + * [a6b822f] Add missing debhelper tokens + * [fd14d37] Add missing set -e + * [28a25ee] config postinst should depend on adduser + * [6b67884] Fix permissions for wato dirs + * [ba084b0] Also include versions like 1.10p2 + * [6f0a194] Imported Upstream version 1.1.10p3 + * [869f2a0] Install logwatch.cfg to examples (Closes: #639255) + * [cdfef39] Make check-mk web dir sgid nagios + * [3b7f02e] Imported Upstream version 1.1.12 + + -- Alexander Wirt Fri, 11 Nov 2011 23:52:28 +0100 + +check-mk (1.1.10-2) unstable; urgency=low + + [ Christoph Berg ] + * [1163b0d] Add Vcs-* fields + + [ Alexander Wirt ] + * [84fc3f7] Fix installation path for objects and templates in + *nagios3* package. + Thanks to Richard James Salts for the patch (Closes: #634016) + * [7c1720c] Bump standards version (no changes) + * [66132ef] Add missing build targets to rules file + * [96b686b] Add README.source file + * [15fa444] Add README.Debian to all binary packages + + -- Alexander Wirt Thu, 11 Aug 2011 07:56:01 +0200 + +check-mk (1.1.10-1) unstable; urgency=low + + * Initial release + + -- Alexander Wirt Mon, 30 May 2011 21:48:51 +0200 --- check-mk-1.2.8p16.orig/debian/check-mk-agent-logwatch.examples +++ check-mk-1.2.8p16/debian/check-mk-agent-logwatch.examples @@ -0,0 +1,2 @@ +debian/tmp/usr/share/check_mk/agents/cfg_examples/logwatch.cfg + --- check-mk-1.2.8p16.orig/debian/check-mk-agent-logwatch.install +++ check-mk-1.2.8p16/debian/check-mk-agent-logwatch.install @@ -0,0 +1,3 @@ +usr/share/check_mk/agents/plugins/mk_logwatch usr/lib/check_mk_agent/plugins +usr/share/check_mk/agents/cfg_examples/logwatch.cfg /etc/check_mk + --- check-mk-1.2.8p16.orig/debian/check-mk-agent.dirs +++ check-mk-1.2.8p16/debian/check-mk-agent.dirs @@ -0,0 +1,6 @@ +usr/bin +etc/xinetd.d +usr/lib +usr/lib/check_mk_agent/plugins +usr/lib/check_mk_agent/local +usr/share/doc/check-mk-agent/examples --- check-mk-1.2.8p16.orig/debian/check-mk-agent.examples +++ check-mk-1.2.8p16/debian/check-mk-agent.examples @@ -0,0 +1 @@ +debian/tmp/usr/share/check_mk/agents/cfg_examples/xinetd_caching.conf --- check-mk-1.2.8p16.orig/debian/check-mk-agent.install +++ check-mk-1.2.8p16/debian/check-mk-agent.install @@ -0,0 +1 @@ +usr/share/check_mk/agents/mk-job usr/bin --- check-mk-1.2.8p16.orig/debian/check-mk-config-icinga.install +++ check-mk-1.2.8p16/debian/check-mk-config-icinga.install @@ -0,0 +1,2 @@ +usr/share/check_mk/check_mk_templates.cfg etc/icinga/objects/check_mk +etc/check_mk/multisite.mk --- check-mk-1.2.8p16.orig/debian/check-mk-config-icinga.links +++ check-mk-1.2.8p16/debian/check-mk-config-icinga.links @@ -0,0 +1,2 @@ +usr/share/check_mk/modules/defaults usr/share/check_mk/web/htdocs/defaults.py + --- check-mk-1.2.8p16.orig/debian/check-mk-config-icinga.postinst +++ check-mk-1.2.8p16/debian/check-mk-config-icinga.postinst @@ -0,0 +1,83 @@ +#!/bin/bash + +set -e + +# a little helper for getting permissions right +setperm() { + local user="$1" + local group="$2" + local mode="$3" + local file="$4" + shift 4 + # only do something when no setting exists + if ! dpkg-statoverride --list "$file" >/dev/null 2>&1; then + chown "$user":"$group" "$file" + chmod "$mode" "$file" + fi +} + +dpkg-maintscript-helper mv_conffile \ + /etc/icinga/objects/check_mk_templates.cfg \ + /etc/icinga/objects/check_mk/check_mk_templates.cfg \ + 1.1.10-2 -- "$@" + +# older releases (1.1.12p7-1 at least) delivered the multisite conffile to +# /etc/apache2/conf.d. If it exists we need to move it to conf-available +# once it's moved then the code below will setup the conf.d symlink. +# This code wasn't in place until 1.2.6p4-2, so we need to check everything +# before that. +dpkg-maintscript-helper mv_conffile \ + /etc/apache2/conf.d/check_mk_multisite.cfg \ + /etc/apache2/conf-available/check_mk_multisite.cfg \ + 1.2.6p4-2 -- "$@" + +if [ -e '/etc/icinga/objects/check_mk_objects.cfg' ]; +then + echo 'Migrate /etc/icinga/objects/check_mk_objects.cfg to /etc/icinga/objects/check_mk/check_mk_objects.cfg' + mv /etc/icinga/objects/check_mk_objects.cfg \ + /etc/icinga/objects/check_mk/check_mk_objects.cfg +fi + +case "$1" in + configure) + #make sure our nagios user exists + if ! getent passwd nagios > /dev/null ; then + echo 'Adding system-user for nagios' 1>&2 + adduser --system --group --home /var/lib/nagios \ + --disabled-login --force-badname nagios > /dev/null + fi + #fix permissions for some directorys + test -d /etc/icinga/objects/check_mk || mkdir -p /etc/icinga/objects/check_mk + setperm root nagios 0775 /etc/icinga/objects/check_mk + + #handle the apache2.2 -> apache2.4 upgrade (see https://wiki.debian.org/Apache/PackagingFor24) + CONF="check-mk-multisite" + COMMON_STATE=$(dpkg-query -f '${Status}' -W 'apache2.2-common' 2>/dev/null | awk '{print $3}' || true) + + if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then + . /usr/share/apache2/apache2-maintscript-helper + apache2_invoke enconf $CONF || exit $? + elif [ "$COMMON_STATE" = "installed" ] || [ "$COMMON_STATE" = "unpacked" ] ; then + if [ -d /etc/apache2/conf.d/ ]; then + if [ -L /etc/apache2/conf.d/$CONF.conf ]; then + # it's a symlink, all is well + true + elif [ -e /etc/apache2/conf.d/$CONF.conf ]; then + # it's not a symlink, but exists, error + echo "ERROR: /etc/apache2/conf.d/$CONF.conf is not a symlink, please investigate" 1>&2 + else + # we need to create the symlink + ln -s ../conf-available/$CONF.conf /etc/apache2/conf.d/$CONF.conf + fi + fi + fi + ;; + abort-upgrade|abort-remove|abort-deconfigure) + ;; + *) + echo "postinst called with unknown argument \$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# --- check-mk-1.2.8p16.orig/debian/check-mk-config-icinga.postrm +++ check-mk-1.2.8p16/debian/check-mk-config-icinga.postrm @@ -0,0 +1,33 @@ +#!/bin/sh + +set -e + +dpkg-maintscript-helper mv_conffile \ + /etc/icinga/objects/check_mk_templates.cfg \ + /etc/icinga/objects/check_mk/check_mk_templates.cfg \ + 1.1.10-2 -- "$@" + +# older releases (1.1.12p7-1 at least) delivered the multisite conffile to +# /etc/apache2/conf.d. If it exists we need to move it to conf-available +# once it's moved then the code below will setup the conf.d symlink. +# This code wasn't in place until 1.2.6p4-2, so we need to check everything +# before that. +dpkg-maintscript-helper mv_conffile \ + /etc/apache2/conf.d/check_mk_multisite.cfg \ + /etc/apache2/conf-available/check_mk_multisite.cfg \ + 1.2.6p4-2 -- "$@" + +if [ "$1" = "remove" ] || [ "$1" = "purge" ] ; then + CONF="check-mk-multisite" + COMMON_STATE=$(dpkg-query -f '${Status}' -W 'apache2.2-common' 2>/dev/null | awk '{print $3}' || true) + + if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then + . /usr/share/apache2/apache2-maintscript-helper + apache2_invoke disconf $CONF || exit $? + elif [ "$COMMON_STATE" = "installed" ] || [ "$COMMON_STATE" = "unpacked" ] ; then + [ -L /etc/apache2/conf.d/$CONF.conf ] && rm /etc/apache2/conf.d/$CONF.conf || true + fi +fi + +#DEBHELPER# + --- check-mk-1.2.8p16.orig/debian/check-mk-config-icinga.preinst +++ check-mk-1.2.8p16/debian/check-mk-config-icinga.preinst @@ -0,0 +1,11 @@ +#!/bin/sh + +set -e + +dpkg-maintscript-helper mv_conffile \ + /etc/icinga/objects/check_mk_templates.cfg \ + /etc/icinga/objects/check_mk/check_mk_templates.cfg \ + 1.1.10-2 -- "$@" + +#DEBHELPER# + --- check-mk-1.2.8p16.orig/debian/check-mk-doc.install +++ check-mk-1.2.8p16/debian/check-mk-doc.install @@ -0,0 +1 @@ +usr/share/doc/check_mk/* usr/share/doc/check-mk-doc --- check-mk-1.2.8p16.orig/debian/check-mk-livestatus.install +++ check-mk-1.2.8p16/debian/check-mk-livestatus.install @@ -0,0 +1,2 @@ +usr/lib/check_mk/livestatus.o +usr/bin/unixcat --- check-mk-1.2.8p16.orig/debian/check-mk-multisite.dirs +++ check-mk-1.2.8p16/debian/check-mk-multisite.dirs @@ -0,0 +1,3 @@ +etc/check_mk +var/lib/check_mk +etc/check_mk/multisite.d --- check-mk-1.2.8p16.orig/debian/check-mk-multisite.examples +++ check-mk-1.2.8p16/debian/check-mk-multisite.examples @@ -0,0 +1 @@ +debian/tmp/etc/check_mk/multisite.mk --- check-mk-1.2.8p16.orig/debian/check-mk-multisite.install +++ check-mk-1.2.8p16/debian/check-mk-multisite.install @@ -0,0 +1,3 @@ +usr/share/check_mk/web +var/lib/check_mk/web +var/lib/check_mk/wato --- check-mk-1.2.8p16.orig/debian/check-mk-multisite.postinst +++ check-mk-1.2.8p16/debian/check-mk-multisite.postinst @@ -0,0 +1,36 @@ +#!/bin/bash + +set -e + +. /usr/share/debconf/confmodule + +setperm() { + local user="$1" + local group="$2" + local mode="$3" + local file="$4" + shift 4 + # only do something when no setting exists + if ! dpkg-statoverride --list "$file" >/dev/null 2>&1; then + chown "$user":"$group" "$file" + chmod "$mode" "$file" + fi +} + +case "$1" in + configure) + # explicitly set permissions on some files + setperm www-data nagios 4770 /var/lib/check_mk/web + setperm www-data nagios 4770 /var/lib/check_mk/wato + setperm www-data nagios 4770 /etc/check_mk/multisite.d + ;; + abort-upgrade|abort-remove|abort-deconfigure) + ;; + *) + echo "postinst called with unknown argument \$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + --- check-mk-1.2.8p16.orig/debian/check-mk-server.config +++ check-mk-1.2.8p16/debian/check-mk-server.config @@ -0,0 +1,15 @@ +#!/bin/sh +set -e + +# config script is run with 2 parameters given (see man debconf-devel): +# 1. action being performed +# 2. version of the package that is currently installed + +# Source debconf library. +. /usr/share/debconf/confmodule + +# Message about rdd definiton changes +if [ "$#" -eq 2 ] && test -n "$2"; then + dpkg --compare-versions $2 lt 1.2.0 && db_input high check-mk-server/v1.2_upgrade_msg || true +fi +db_go || true --- check-mk-1.2.8p16.orig/debian/check-mk-server.dirs +++ check-mk-1.2.8p16/debian/check-mk-server.dirs @@ -0,0 +1,3 @@ +etc/check_mk/conf.d +var/lib/check_mk +var/lib/check_mk/log --- check-mk-1.2.8p16.orig/debian/check-mk-server.install +++ check-mk-1.2.8p16/debian/check-mk-server.install @@ -0,0 +1,14 @@ +etc/check_mk/main.mk +etc/check_mk/conf.d/README +var/lib/check_mk/autochecks +var/lib/check_mk/cache +var/lib/check_mk/counters +var/lib/check_mk/logwatch +var/lib/check_mk/packages +var/lib/check_mk/precompiled +usr/bin/check_mk +usr/share/check_mk/checks +usr/share/check_mk/checks-man +usr/share/check_mk/modules +usr/share/check_mk/pnp-templates +usr/share/check_mk/notifications --- check-mk-1.2.8p16.orig/debian/check-mk-server.links +++ check-mk-1.2.8p16/debian/check-mk-server.links @@ -0,0 +1 @@ +usr/bin/check_mk usr/bin/cmk --- check-mk-1.2.8p16.orig/debian/check-mk-server.postinst +++ check-mk-1.2.8p16/debian/check-mk-server.postinst @@ -0,0 +1,53 @@ +#!/bin/bash + +set -e + +# Source debconf library. +. /usr/share/debconf/confmodule +db_stop + +# a little helper for getting permissions right +setperm() { + local user="$1" + local group="$2" + local mode="$3" + local file="$4" + shift 4 + # only do something when no setting exists + if ! dpkg-statoverride --list "$file" >/dev/null 2>&1; then + chown "$user":"$group" "$file" + chmod "$mode" "$file" + fi +} + +case "$1" in + configure) + #make sure our nagios user exists + if ! getent passwd nagios > /dev/null ; then + echo 'Adding system-user for nagios' 1>&2 + adduser --system --group --home /var/lib/nagios \ + --disabled-login --force-badname nagios > /dev/null + fi + #fix permissions for some directorys + test -d /var/lib/check_mk/cache || mkdir -p /var/lib/check_mk/cache + setperm nagios nagios 0750 /var/lib/check_mk/cache + test -d /var/lib/check_mk/autochecks || mkdir -p /var/lib/check_mk/autochecks + setperm nagios nagios 0750 /var/lib/check_mk/autochecks + test -d /var/lib/check_mk/precompiled || mkdir -p /var/lib/check_mk/precompiled + setperm nagios nagios 0750 /var/lib/check_mk/precompiled + test -d /var/lib/check_mk/counters/ || mkdir -p /var/lib/check_mk/counters/ + setperm nagios nagios 0750 /var/lib/check_mk/counters/ + test -d /var/lib/check_mk/logwatch/ || mkdir -p /var/lib/check_mk/logwatch/ + setperm nagios www-data 0770 /var/lib/check_mk/logwatch/ + test -d /var/lib/check_mk/notify/ || mkdir -p /var/lib/check_mk/notify/ + setperm nagios www-data 0770 /var/lib/check_mk/notify/ + ;; + abort-upgrade|abort-remove|abort-deconfigure) + ;; + *) + echo "postinst called with unknown argument \$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# --- check-mk-1.2.8p16.orig/debian/check-mk-server.postrm +++ check-mk-1.2.8p16/debian/check-mk-server.postrm @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +# cleanup var dirs on +if [ "$1" = "purge" ] ; then + [ -e /var/lib/check_mk ] && rm -rf /var/lib/check_mk || true +fi + +#DEBHELPER# --- check-mk-1.2.8p16.orig/debian/check-mk-server.templates +++ check-mk-1.2.8p16/debian/check-mk-server.templates @@ -0,0 +1,8 @@ +Template: check-mk-server/v1.2_upgrade_msg +Type: note +_Description: Convert or delete RRD graphs + The tcp_conn_stats check now also counts sockets in the state BOUND. From that follows that the check now issues one more performance data value. + Those who do not use PNP in the "MULTIPLE" mode need either to delete or convert their RRD graphs of those checks. + Otherwise they won't be updated anymore. + . + For further information, please read the migration notes provided upstream: http://mathias-kettner.de/checkmk_migration_notes.html . --- check-mk-1.2.8p16.orig/debian/compat +++ check-mk-1.2.8p16/debian/compat @@ -0,0 +1 @@ +9 --- check-mk-1.2.8p16.orig/debian/control +++ check-mk-1.2.8p16/debian/control @@ -0,0 +1,119 @@ +Source: check-mk +Section: admin +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Nagios Maintainer Group +Uploaders: Alexander Wirt , + Jan Wagner , + Thomas Bechtold , + Ilya Rassadin , + Matt Taggart +Build-Depends: debhelper (>= 9), dpatch +Standards-Version: 3.9.8 +Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-check-mk.git +Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-check-mk.git + +Package: check-mk-agent +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Suggests: xinetd, python +Recommends: ethtool +Description: general purpose monitoring plugin for retrieving data + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the monitoring host. + * Automatic inventory of items to be checked on hosts. + . + This package contains the agent part of check-mk. + +Package: check-mk-agent-logwatch +Architecture: all +Depends: ${shlibs:Depends}, ${misc:Depends}, check-mk-agent, python +Description: general purpose monitoring plugin for retrieving data + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the monitoring host. + * Automatic inventory of items to be checked on hosts. + . + This package contains the logwatch plugin for the agent. + + +Package: check-mk-server +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, python, check-mk-config-icinga, debconf +Recommends: check-mk-doc, snmp +Description: general purpose monitoring plugin for retrieving data + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the monitoring host. + * Automatic inventory of items to be checked on hosts. + . + This package contains the server part of check_mk + +Package: check-mk-config-icinga +Conflicts: check-mk-config-nagios3 +Architecture: any +Pre-Depends: dpkg (>= 1.15.7.2~) +Depends: ${shlibs:Depends}, ${misc:Depends}, adduser +Description: general purpose monitoring plugin for retrieving data + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the Nagios host. + * Automatic inventory of items to be checked on hosts. + . + This package contains the icinga specific part of check_mk + +Package: check-mk-livestatus +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Suggests: xinetd +Conflicts: ucspi-unix +Recommends: check-mk-doc +Description: general purpose monitoring plugin for retrieving data + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the Nagios host. + * Automatic inventory of items to be checked on hosts. + . + This package contains livestatus + +Package: check-mk-multisite +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libapache2-mod-python, check-mk-config-icinga +Recommends: sudo, check-mk-doc +Suggests: check-mk-livestatus +Description: general purpose monitoring plugin for retrieving data + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the Nagios host. + * Automatic inventory of items to be checked on hosts. + . + This package contains the webfrontend of check_mk also known as + "MK-Multisite" + +Package: check-mk-doc +Architecture: all +Section: doc +Depends: ${misc:Depends} +Suggests: check-mk-livestatus, check-mk-server, check-mk-multisite +Description: general purpose monitoring plugin for retrieving data (documentation) + Check_mk adopts a new a approach for collecting data from operating systems + and network components. It obsoletes NRPE, check_by_ssh, NSClient and + check_snmp. It has many benefits, the most important of which are: + . + * Significant reduction of CPU usage on the Nagios host. + * Automatic inventory of items to be checked on hosts. + . + This package contains the check_mk documentation. --- check-mk-1.2.8p16.orig/debian/copyright +++ check-mk-1.2.8p16/debian/copyright @@ -0,0 +1,22 @@ +This package was debianized by Alexander Wirt +and Sven Velt . + +It was downloaded from http://mathias-kettner.de/check_mk_download.html + +Current Debian Maintainers: The nagios packaging packaging team + http://alioth.debian.org/projects/pkg-nagios/ + +Mailing-List: pkg-nagios-devel@lists.alioth.debian.org + +Upstream Author: Mathias Kettner + +Copyright (c) 2009-2010 Mathias Kettner + +License: + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License version 2 as +published by the Free Software Foundation. + +On Debian systems, the complete text of the GNU General Public +License, version 2, can be found in /usr/share/common-licenses/GPL-2. --- check-mk-1.2.8p16.orig/debian/defaults.icinga +++ check-mk-1.2.8p16/debian/defaults.icinga @@ -0,0 +1,54 @@ +# This file has been created during setup of check_mk at Thu Sep 24 12:57:08 PDT 2015. +# Do not edit this file. Also do not try to override these settings +# in main.mk since some of them are hardcoded into several files +# during setup. +# +# If you need to change these settings, you have to re-run setup.sh +# and enter new values when asked, or edit ~/.check_mk_setup.conf and +# run ./setup.sh --yes. + +check_mk_version = '1.2.6p12' +default_config_dir = '/etc/check_mk' +check_mk_configdir = '/etc/check_mk/conf.d' +share_dir = '/usr/share/check_mk' +checks_dir = '/usr/share/check_mk/checks' +notifications_dir = '/usr/share/check_mk/notifications' +inventory_dir = '/usr/share/check_mk/inventory' +check_manpages_dir = '/usr/share/check_mk/checks-man' +modules_dir = '/usr/share/check_mk/modules' +locale_dir = '/usr/share/check_mk/locale' +agents_dir = '/usr/share/check_mk/agents' +lib_dir = '/usr/lib/check_mk' +var_dir = '/var/lib/check_mk' +log_dir = '/var/lib/check_mk/log' +snmpwalks_dir = '/var/lib/check_mk/snmpwalks' +autochecksdir = '/var/lib/check_mk/autochecks' +precompiled_hostchecks_dir = '/var/lib/check_mk/precompiled' +counters_directory = '/var/lib/check_mk/counters' +tcp_cache_dir = '/var/lib/check_mk/cache' +tmp_dir = '/var/lib/check_mk/tmp' +logwatch_dir = '/var/lib/check_mk/logwatch' +nagios_objects_file = '/etc/icinga/objects/check_mk/check_mk_objects.cfg' +rrd_path = '/var/lib/nagios/rrd' +rrddcached_socket = '/tmp/rrdcached.sock' +nagios_command_pipe_path = '/var/lib/icinga/rw/icinga.cmd' +check_result_path = '/var/lib/icinga/spool/checkresults' +nagios_status_file = '/var/lib/icinga/status.dat' +nagios_conf_dir = '/etc/icinga/objects/check_mk' +nagios_user = 'nagios' +logwatch_notes_url = '/check_mk/logwatch.py?host=%s&file=%s' +www_group = 'nagios' +nagios_config_file = '/etc/icinga/icinga.cfg' +nagios_startscript = '/etc/init.d/icinga' +nagios_binary = '/usr/sbin/icinga' +apache_config_dir = '/etc/apache2/conf.d' +htpasswd_file = '/etc/icinga/htpasswd.users' +nagios_auth_name = 'Nagios Access' +web_dir = '/usr/share/check_mk/web' +livestatus_unix_socket = '/var/lib/icinga/rw/live' +livebackendsdir = '/usr/share/check_mk/livestatus' +url_prefix = '/' +pnp_url = '/pnp4nagios/' +pnp_templates_dir = '/usr/share/check_mk/pnp-templates' +doc_dir = '/usr/share/doc/check-mk-doc' +check_mk_automation = 'sudo -u nagios /usr/bin/check_mk --automation' --- check-mk-1.2.8p16.orig/debian/patches/00list +++ check-mk-1.2.8p16/debian/patches/00list @@ -0,0 +1,8 @@ +01_fix_livestatus +02_wato-sudoers +03_fix_livestatus_downtime +04_CVE-2017-14955 +05_CVE-2017-9781 +06_CVE-2021-36563 +07_CVE-2021-40906 +08_CVE-2022-24565 --- check-mk-1.2.8p16.orig/debian/patches/01_fix_livestatus.dpatch +++ check-mk-1.2.8p16/debian/patches/01_fix_livestatus.dpatch @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 01_fix_livestatus.dpatch by Alexander Wirt +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pkg-check_mk~/setup.sh pkg-check_mk/setup.sh +--- pkg-check_mk~/setup.sh 2011-05-28 13:21:38.000000000 +0200 ++++ pkg-check_mk/setup.sh 2011-05-28 13:22:09.662237441 +0200 +@@ -535,6 +535,8 @@ + rm -rf $D + mkdir -p $D + tar xvzf $SRCDIR/livestatus.tar.gz -C $D ++ sed -i '/Boston/ a\ ++#include ' livestatus.src/src/TableStatus.cc livestatus.src/src/TableLog.cc + pushd $D + ./configure --libdir=$libdir --bindir=$bindir && + make clean && --- check-mk-1.2.8p16.orig/debian/patches/02_wato-sudoers.dpatch +++ check-mk-1.2.8p16/debian/patches/02_wato-sudoers.dpatch @@ -0,0 +1,44 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## wato-sudoers-location.dpatch by Bernd Zeimetz +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Install WATO sudoers line into /etc/sudoers.d/check_mk_WATO + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pkg-check-mk~/setup.sh pkg-check-mk/setup.sh +--- pkg-check-mk~/setup.sh 2013-08-07 11:44:12.000000000 +0200 ++++ pkg-check-mk/setup.sh 2013-08-07 11:47:40.344748346 +0200 +@@ -718,28 +718,11 @@ + return + fi + +- sudolines="Defaults:$wwwuser !requiretty\n$wwwuser ALL = (root) NOPASSWD: $bindir/check_mk --automation *" +- +- if [ ! -e /etc/sudoers ] ; then +- echo "You do not have sudo installed. Please install sudo " +- echo "and add the following line to /etc/sudoers if you want" +- echo "to use WATO - the Check_MK Web Administration Tool" +- echo +- echo -e "$sudolines" +- echo +- echo +- return +- fi +- +- if fgrep -q 'check_mk --automation' /etc/sudoers 2>/dev/null +- then +- # already present. Do not touch. +- return +- fi +- +- echo >> /etc/sudoers +- echo "# Needed for WATO - the Check_MK Web Administration Tool" >> /etc/sudoers +- echo -e "$sudolines" >> /etc/sudoers ++ sudolines="Defaults:$wwwuser !requiretty\n$wwwuser ALL = (nagios) NOPASSWD: $bindir/check_mk --automation *" ++ mkdir -p $DESTDIR/etc/sudoers.d ++ echo >> $DESTDIR/etc/sudoers.d/check_mk_wato ++ echo "# Needed for WATO - the Check_MK Web Administration Tool" >> $DESTDIR/etc/sudoers.d/check_mk_wato ++ echo -e "$sudolines" >> $DESTDIR/etc/sudoers.d/check_mk_wato + } + + while true --- check-mk-1.2.8p16.orig/debian/patches/03_fix_livestatus_downtime.dpatch +++ check-mk-1.2.8p16/debian/patches/03_fix_livestatus_downtime.dpatch @@ -0,0 +1,23 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 03_fix_livestatus_downtime.dpatch by Haw Loeung +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix livestatus scheduled_downtime_struct - LP:1372284 + +@DPATCH@ + +--- pkg-check_mk/setup.sh 2017-02-17 16:22:29.871869640 +1100 ++++ pkg-check_mk/setup.sh 2017-02-17 16:30:22.019025547 +1100 +@@ -569,6 +569,12 @@ compile_livestatus () + tar xvzf $SRCDIR/livestatus.tar.gz -C $D + sed -i '/Boston/ a\ + #include ' livestatus.src/src/TableStatus.cc livestatus.src/src/TableLog.cc ++ sed -i '/time_t start_time;/ a\ ++ time_t flex_downtime_start;' livestatus.src/nagios/downtime.h ++ sed -i '/int is_in_effect;/d' livestatus.src/nagios/downtime.h ++ sed -i '/unsigned long downtime_id;/ a\ ++ int is_in_effect;; \ ++ int start_notification_sent;' livestatus.src/nagios/downtime.h + pushd $D + + local CONFIGURE_OPTS="" --- check-mk-1.2.8p16.orig/debian/patches/04_CVE-2017-14955.dpatch +++ check-mk-1.2.8p16/debian/patches/04_CVE-2017-14955.dpatch @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 04_CVE-2017-14955.dpatch by Nishit Majithia +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2017-14955 +# Description: Fix for CVE-2017-14955 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/5ac2dd84a1ae62140191fc0f5508b29b2631b74d + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' check-mk-1.2.8p16~/setup.sh check-mk-1.2.8p16/setup.sh +--- check-mk-1.2.8p16~/setup.sh 2022-07-19 14:35:34.000000000 +0530 ++++ check-mk-1.2.8p16/setup.sh 2022-07-19 14:36:43.877864274 +0530 +@@ -817,6 +817,7 @@ + mkdir -p $DESTDIR$web_dir && + tar xzf $SRCDIR/web.tar.gz -C $DESTDIR$web_dir && + cp $DESTDIR$modulesdir/defaults $DESTDIR$web_dir/htdocs/defaults.py && ++ patch -p0 < $SRCDIR/debian/patches/CVE-2017-14955.patch && + mkdir -p $DESTDIR$pnptemplates && + tar xzf $SRCDIR/pnp-templates.tar.gz -C $DESTDIR$pnptemplates && + mkdir -p $DESTDIR$modulesdir && --- check-mk-1.2.8p16.orig/debian/patches/05_CVE-2017-9781.dpatch +++ check-mk-1.2.8p16/debian/patches/05_CVE-2017-9781.dpatch @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 05_CVE-2017-9781.dpatch by Nishit Majithia +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2017-9781 +# Description: Fix for CVE-2017-9781 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/444b30ccd955467da7a88a5321fc54b042500292 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' check-mk-1.2.8p16~/setup.sh check-mk-1.2.8p16/setup.sh +--- check-mk-1.2.8p16~/setup.sh 2022-07-19 14:41:11.000000000 +0530 ++++ check-mk-1.2.8p16/setup.sh 2022-07-19 14:41:18.936693732 +0530 +@@ -809,6 +809,7 @@ + tar xzf $SRCDIR/web.tar.gz -C $DESTDIR$web_dir && + cp $DESTDIR$modulesdir/defaults $DESTDIR$web_dir/htdocs/defaults.py && + patch -p0 < $SRCDIR/debian/patches/CVE-2017-14955.patch && ++ patch -p0 < $SRCDIR/debian/patches/CVE-2017-9781.patch && + mkdir -p $DESTDIR$pnptemplates && + tar xzf $SRCDIR/pnp-templates.tar.gz -C $DESTDIR$pnptemplates && + mkdir -p $DESTDIR$modulesdir && --- check-mk-1.2.8p16.orig/debian/patches/06_CVE-2021-36563.dpatch +++ check-mk-1.2.8p16/debian/patches/06_CVE-2021-36563.dpatch @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 06_CVE-2021-36563.dpatch by Nishit Majithia +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2021-36563 +# Description: Fix for CVE-2021-36563 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/821f99e7ca3dcb41131df25023390a71ef31ad1b + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' check-mk-1.2.8p16~/setup.sh check-mk-1.2.8p16/setup.sh +--- check-mk-1.2.8p16~/setup.sh 2022-07-19 14:44:58.000000000 +0530 ++++ check-mk-1.2.8p16/setup.sh 2022-07-19 14:45:08.936567548 +0530 +@@ -810,6 +810,7 @@ + cp $DESTDIR$modulesdir/defaults $DESTDIR$web_dir/htdocs/defaults.py && + patch -p0 < $SRCDIR/debian/patches/CVE-2017-14955.patch && + patch -p0 < $SRCDIR/debian/patches/CVE-2017-9781.patch && ++ patch -p0 < $SRCDIR/debian/patches/CVE-2021-36563.patch && + mkdir -p $DESTDIR$pnptemplates && + tar xzf $SRCDIR/pnp-templates.tar.gz -C $DESTDIR$pnptemplates && + mkdir -p $DESTDIR$modulesdir && --- check-mk-1.2.8p16.orig/debian/patches/07_CVE-2021-40906.dpatch +++ check-mk-1.2.8p16/debian/patches/07_CVE-2021-40906.dpatch @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 07_CVE-2021-40906.dpatch by Nishit Majithia +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2021-40906 +# Description: Fix for CVE-2021-40906 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/6b89403e47b541f96ac2b2c5953360a039a1fc71 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' check-mk-1.2.8p16~/setup.sh check-mk-1.2.8p16/setup.sh +--- check-mk-1.2.8p16~/setup.sh 2022-07-19 14:46:39.000000000 +0530 ++++ check-mk-1.2.8p16/setup.sh 2022-07-19 14:46:51.055962467 +0530 +@@ -811,6 +811,7 @@ + patch -p0 < $SRCDIR/debian/patches/CVE-2017-14955.patch && + patch -p0 < $SRCDIR/debian/patches/CVE-2017-9781.patch && + patch -p0 < $SRCDIR/debian/patches/CVE-2021-36563.patch && ++ patch -p0 < $SRCDIR/debian/patches/CVE-2021-40906.patch && + mkdir -p $DESTDIR$pnptemplates && + tar xzf $SRCDIR/pnp-templates.tar.gz -C $DESTDIR$pnptemplates && + mkdir -p $DESTDIR$modulesdir && --- check-mk-1.2.8p16.orig/debian/patches/08_CVE-2022-24565.dpatch +++ check-mk-1.2.8p16/debian/patches/08_CVE-2022-24565.dpatch @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_CVE-2022-24565.dpatch by Nishit Majithia +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2022-24565 +# Description: Fix for CVE-2022-24565 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/b8d7b671786cb3261d3721aae39e77e69debd1a5 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' check-mk-1.2.8p16~/setup.sh check-mk-1.2.8p16/setup.sh +--- check-mk-1.2.8p16~/setup.sh 2022-07-19 14:48:10.000000000 +0530 ++++ check-mk-1.2.8p16/setup.sh 2022-07-19 14:48:23.704149531 +0530 +@@ -812,6 +812,7 @@ + patch -p0 < $SRCDIR/debian/patches/CVE-2017-9781.patch && + patch -p0 < $SRCDIR/debian/patches/CVE-2021-36563.patch && + patch -p0 < $SRCDIR/debian/patches/CVE-2021-40906.patch && ++ patch -p0 < $SRCDIR/debian/patches/CVE-2022-24565.patch && + mkdir -p $DESTDIR$pnptemplates && + tar xzf $SRCDIR/pnp-templates.tar.gz -C $DESTDIR$pnptemplates && + mkdir -p $DESTDIR$modulesdir && --- check-mk-1.2.8p16.orig/debian/patches/CVE-2017-14955.patch +++ check-mk-1.2.8p16/debian/patches/CVE-2017-14955.patch @@ -0,0 +1,21 @@ +# Description: Fix for CVE-2017-14955 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/5ac2dd84a1ae62140191fc0f5508b29b2631b74d +--- debian/tmp/usr/share/check_mk/web/htdocs/userdb.py ++++ debian/tmp/usr/share/check_mk/web/htdocs/userdb.py +@@ -570,7 +570,6 @@ def save_users(profiles): + out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n") + out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts)) + out.close() +- os.rename(filename, filename[:-4]) + + # Users with passwords for Multisite + filename = multisite_dir + "users.mk.new" +@@ -648,6 +647,7 @@ def save_users(profiles): + # Release the lock to make other threads access possible again asap + # This lock is set by load_users() only in the case something is expected + # to be written (like during user syncs, wato, ...) ++ os.rename(root_dir + "contacts.mk.new", root_dir + "contacts.mk") + release_lock(root_dir + "contacts.mk") + + # populate the users cache --- check-mk-1.2.8p16.orig/debian/patches/CVE-2017-9781.patch +++ check-mk-1.2.8p16/debian/patches/CVE-2017-9781.patch @@ -0,0 +1,32 @@ +# Description: Fix for CVE-2017-9781 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/444b30ccd955467da7a88a5321fc54b042500292 +--- debian/tmp/usr/share/check_mk/web/htdocs/index.py ++++ debian/tmp/usr/share/check_mk/web/htdocs/index.py +@@ -63,7 +63,7 @@ def handler(req, fields = None, is_profiling = False): + try: + handler() + except Exception, e: +- html.write("%s" % e) ++ html.write(html.attrencode("%s" % e)) + if config.debug: + html.write(html.attrencode(format_exception())) + raise FinalizeRequest() +@@ -152,6 +152,7 @@ def handler(req, fields = None, is_profiling = False): + plain_title = e.plain_title + + if plain_error(): ++ html.set_output_format("text") + html.write("%s: %s\n" % (plain_title, e)) + elif not fail_silently(): + html.header(title) +@@ -182,7 +183,8 @@ def handler(req, fields = None, is_profiling = False): + msg = msg.encode('utf-8') + logger(LOG_ERR, msg) + if plain_error(): +- html.write(_("Internal error") + ": %s\n" % html.attrencode(e)) ++ html.set_output_format("text") ++ html.write(_("Internal error") + ": %s\n" % e) + elif not fail_silently(): + modules.get_handler("gui_crash")() + response_code = apache.OK --- check-mk-1.2.8p16.orig/debian/patches/CVE-2021-36563.patch +++ check-mk-1.2.8p16/debian/patches/CVE-2021-36563.patch @@ -0,0 +1,14 @@ +# Description: Fix for CVE-2021-36563 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/821f99e7ca3dcb41131df25023390a71ef31ad1b +--- debian/tmp/usr/share/check_mk/web/htdocs/valuespec.py ++++ debian/tmp/usr/share/check_mk/web/htdocs/valuespec.py +@@ -141,7 +141,7 @@ class FixedValue(ValueSpec): + return self._value + + def render_input(self, varprefix, value): +- html.write(self.value_to_text(value)) ++ html.write_text(self.value_to_text(value)) + + def value_to_text(self, value): + if self._totext != None: --- check-mk-1.2.8p16.orig/debian/patches/CVE-2021-40906.patch +++ check-mk-1.2.8p16/debian/patches/CVE-2021-40906.patch @@ -0,0 +1,13 @@ +# Description: Fix for CVE-2021-40906 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/6b89403e47b541f96ac2b2c5953360a039a1fc71 +--- debian/tmp/usr/share/check_mk/web/htdocs/metrics.py ++++ debian/tmp/usr/share/check_mk/web/htdocs/metrics.py +@@ -1050,6 +1050,7 @@ def get_graph_range(graph_template, translated_metrics): + # "check_mk-kernel.util:guest,steal,system,user,wait". + def page_pnp_template(): + try: ++ html.set_output_format("text") + template_id = html.var("id") + + check_command, perf_var_string = template_id.split(":", 1) --- check-mk-1.2.8p16.orig/debian/patches/CVE-2022-24565.patch +++ check-mk-1.2.8p16/debian/patches/CVE-2022-24565.patch @@ -0,0 +1,14 @@ +# Description: Fix for CVE-2022-24565 +# Author: Nishit Majithia +# Origin: backport, https://github.com/tribe29/checkmk/commit/b8d7b671786cb3261d3721aae39e77e69debd1a5 +--- debian/tmp/usr/share/check_mk/web/htdocs/valuespec.py ++++ debian/tmp/usr/share/check_mk/web/htdocs/valuespec.py +@@ -1623,7 +1623,7 @@ class ListChoice(ValueSpec): + d = dict(self._elements) + texts = [ self._render_function(v, d.get(v,v)) for v in value ] + if self._render_orientation == "horizontal": +- return ", ".join(texts) ++ return ", ".join(html.escaper.escape_text(t) for t in texts) + else: + return "
" + "
".join(texts) + "
" + --- check-mk-1.2.8p16.orig/debian/po/POTFILES.in +++ check-mk-1.2.8p16/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] templates --- check-mk-1.2.8p16.orig/debian/rules +++ check-mk-1.2.8p16/debian/rules @@ -0,0 +1,173 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + + + + +configure: configure-stamp +configure-stamp: + dh_testdir + # Add here commands to configure the package. + mkdir agents + tar -xzf agents.tar.gz -C agents + mkdir docs + tar -xzf doc.tar.gz -C docs + mkdir config + tar -xzf conf.tar.gz -C config + + touch configure-stamp + + +build: build-arch build-indep +build-arch: build-stamp +build-indep: build-stamp + +build-stamp: patch-stamp configure-stamp + dh_testdir + + # Add here commands to compile the package. + #cd agents ; $(MAKE) + #docbook-to-man debian/check-mk.sgml > check-mk.1 + + touch $@ + +clean: clean-patched unpatch +clean-patched: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + + # Add here commands to clean up after the build process. + rm -rf agents docs config livestatus.src livestatus.log + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_prep + dh_installdirs + dh_installdebconf + mkdir -p debian/tmp + DESTDIR=debian/tmp ./setup.sh --yes + ## clean up binaries shipped by upstream + # upstream agent deb and rpm + rm -rf debian/tmp/usr/share/check_mk/agent/check-mk-agent*.deb + rm -rf debian/tmp/usr/share/check_mk/agent/check-mk-agent*.rpm + # java jar and classes (we don't rebuild these, help if you want them) + rm -rf debian/tmp/usr/share/doc/check_mk/jasperreports + # Windows binaries (we don't rebuild these, help if you want them) + rm -rf debian/tmp/usr/share/check_mk/agents/windows + rm -rf debian/tmp/usr/share/doc/check_mk/treasures/windows_msi + # fsc-celsius 'treasure' tarball that includes binaries + rm -rf debian/tmp/usr/share/doc/check_mk/treasures/fsc-celsius* + # agent_modbus + rm debian/tmp/usr/share/doc/check_mk/treasures/modbus/agent_modbus + # remove waitmax binary, check_mk will use timeout if available + rm debian/tmp/usr/share/check_mk/agents/waitmax + rm debian/tmp/usr/share/check_mk/agents/z_os/waitmax + cp -a livestatus.src/debian/tmp/* debian/tmp/ + ## config files + # We need 2 different "defaults" files for Icinga and Nagios3 + rm debian/tmp/usr/share/check_mk/modules/defaults + rm debian/tmp/usr/share/check_mk/web/htdocs/defaults.py + mkdir -p debian/check-mk-config-icinga/usr/share/check_mk/modules/ + cp debian/defaults.icinga debian/check-mk-config-icinga/usr/share/check_mk/modules/defaults + # We need 2 different Apache configs + mkdir -p debian/check-mk-config-icinga/etc/apache2/conf-available/ + cp debian/apache.icinga debian/check-mk-config-icinga/etc/apache2/conf-available/check-mk-multisite.conf + # Adjust path names + # sed -i 's#/nagios/cgi-bin/#/cgi-bin/icinga/#' debian/tmp/check-mk-config-icinga/etc/icinga/objects/check_mk_templates.cfg + # Prepare agent files + cp debian/tmp/usr/share/check_mk/agents/check_mk_agent.linux debian/check-mk-agent/usr/bin/check_mk_agent + chmod +x debian/check-mk-agent/usr/bin/check_mk_agent + # mkp wrapper script + mkdir -p debian/check-mk-server/usr/bin + cp debian/tmp/usr/bin/mkp debian/check-mk-server/usr/bin/ + chmod +x debian/check-mk-server/usr/bin/mkp + # xinetd: provide config, but disabled by default + cp debian/tmp/usr/share/check_mk/agents/cfg_examples/xinetd.conf debian/check-mk-agent/etc/xinetd.d/check_mk + sed -i 's#disable\s*=\s*no#disable = yes#' debian/check-mk-agent/etc/xinetd.d/check_mk + # move checks manpages (to be installed in -server) + mv debian/tmp/usr/share/doc/check_mk/checks debian/tmp/usr/share/check_mk/checks-man + # remove installed ChangeLog to avoid duplicate + rm debian/tmp/usr/share/doc/check_mk/ChangeLog + # remove installed COPYING, redundant + rm debian/tmp/usr/share/doc/check_mk/COPYING + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir -i + dh_install -i + dh_installdocs -i debian/README.Debian + dh_installchangelogs -i ChangeLog + dh_installexamples -i + dh_install -i + dh_installman -i + dh_link -i + dh_strip -i + dh_compress -i + dh_fixperms -i + dh_installdeb -i + dh_shlibdeps -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir -a + dh_testroot -a + dh_installchangelogs -a ChangeLog + dh_installdocs -a debian/README.Debian + dh_installexamples -a + dh_install -a + chmod +x debian/check-mk-server/usr/share/check_mk/checks/* + sed -i -e 's/nagiosadmin/icingaadmin/g' debian/check-mk-config-icinga/etc/check_mk/multisite.mk +# dh_installmenu +# dh_installdebconf +# dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime +# dh_python +# dh_installinit +# dh_installcron +# dh_installinfo + dh_installman -a + dh_link -a + dh_strip -a + dh_compress -a + dh_fixperms -a +# dh_perl +# dh_makeshlibs + dh_installdeb -a + dh_shlibdeps -a + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +patch: patch-stamp +patch-stamp: + @echo "Doing $@" + dpatch --with-cpp apply-all + dpatch --with-cpp cat-all >patch-stamp + +unpatch: + @echo "Doing $@" + dpatch --with-cpp deapply-all + rm -rf patch-stamp debian/patched + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure --- check-mk-1.2.8p16.orig/debian/source/format +++ check-mk-1.2.8p16/debian/source/format @@ -0,0 +1 @@ +1.0 --- check-mk-1.2.8p16.orig/debian/watch +++ check-mk-1.2.8p16/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://mathias-kettner.com/check_mk_download_source.html download/check_mk-(1\.2\.[p\d\.]*)\.tar\.gz