Nagios Core 4.x Version History

4.3.4 – 2017-08-24

FIXES

  • Improved config file parsing (Mark Felder)
  • Fixed configure script to check for existence of /run for lock file (in regards to CVE-2017-12847, Bryan Heden)
  • Use absolute paths when deleting check results files (Emmanuel Dreyfus)
  • Add sanity checking in reassign_worker (sq5bpf)

 

4.3.3 – 2017-08-12

FIXES

  • xodtemplate.c wrong option-deprecation code warning (alex2grad / John Frickson)
  • On-demand host check always use cached host state (John Frickson)
  • ‘á’ causes Serivce Status Information to not be displayed (John Frickson)
  • New Macro(s) to generate URL for host / service object (John Frickson)
  • Fix minor map issues (Troy Lea)
  • Fix lockfile issues (Bryan Heden)
  • Switch order of daemon_init and drop_priveleges (Bryan Heden)
  • Add an OpenRC init script (Michael Orlitzky)

 

4.3.2 – 2017-05-09

FIXES

  • Every 15sec /var/log/messages is flooded with “nagios: set_environment_var”
  • Changed release date to ISO format (yyyy-mm-dd)
  • `make all` fails if unzip is not installed
  • Quick Search no longer allows search by Alias
  • flexible downtime on a service immediately turns off notifications
  • Fix to allow url_encode to be called twice
  • Update timeperiods.cfg.in (spelling)
  • Spelling fixes
  • Vent command pipe before remove to avoid deadlocks on writing end
  • CGI utility cgiutil.c does not process relative config file path names properly
  • xdata/xodtemplate.c bug in option-deprecation code
  • Wildcard searching causes service status links to not work properly
  • Quick search with no hits shows a permission denied error
  • Setting a service as its own parent is not caught by the sanity checker (-v) and causes a segfault

 

4.3.1 – 02/23/2017

FIXES

  • Backed out the changes related to the “login page” and “logoff link” from 4.3.0, since it was causing problems
  • Service hard state generation and host hard or soft down status
  • Comments are duplicated through Nagios reload
  • host hourly value is incorrectly dumped as json boolean
  • Bug – Quick Search no longer allows search by IP
  • Config: status_update_interval can not be set to 1
  • Check attempts not increasing if nagios is reloaded
  • nagios hangs on reload while sending external command to cmd file
  • Feature Request: return code xxx out of bounds – include message as well

 

4.3.0 – 02/21/2017

SECURITY

  • Fix for CVE-2016-6209 – The “corewindow” parameter (as in http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by default. See the UPGRADING document for how to enable it.

ENHANCEMENTS

  • Added new flag to cgi.cfg: tac_cgi_hard_only to show only HARD state
  • Add broker-event for the end of a timed event (NEBTYPE_TIMEDEVENT_END)
  • There is no Macro to retrieve addresses of hostgroup members (now $HOSTGROUPMEMBERADDRESSES$)
  • Add “Page Tour” videos to several of the core web pages
  • Added a login page, and a `Logoff` links
  • On the status map, the host name will be colored if services are not all OK.
  • Added “Clear flapping state” command on host and services detail pages.
  • User-entered comment now displays below generated comment for downtime

FIXES

  • Fix early event scheduling
  • on-demand host checks triggered by service checks cause attempt number increments
  • Service notification not being send when host is in soft down state
  • configure does not error if no perl installed on CentOS 7
  • failed passive requests leave .ok files in checkresults dir
  • Services don’t show in status.cgi if “noheader” specified
  • Standardized check interval config file names
  • “Event Log” (showlog.cgi) could not open log file
  • “nagios_check_command” has been deprecated since v3.0. Last vestiges removed

4.2.4 – 12/07/2016

SECURITY

  • Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).

4.2.3 – 11/21/2016

SECURITY

  • There was a fix to a root privilege escalation (CVE-2016-8641)

FIXES

  • external command during reload doesn’t work
  • Nagios provides no error condition as to why it fails on the verify for serviceescalation
  • No root group in FreeBSD and Apple OS X
  • jsonquery.html doesn’t display scheduled_time_ok correctly
  • daemon_dumps_core=1 has no effect on Linux when Nagios started as root
  • Configuration check in hostgroup – misspelled hostname does not error
  • contacts or contact_groups directive with no value should not be allowed
  • Compile 64-bit on SPARC produces LD error
  • HOSTSTATEID returns 0 even if host does not exist
  • Submitting UNREACHABLE passive result for host sets it as DOWN if the host has no parents
  • nagios: job XX (pid=YY): read() returned error 11 (changed from LOG_ERR to LOG_NOTICE)
  • Fix for quick search not showing services if wildcard used

 

4.2.2 – 10/24/2016

SECURITY

  • (CVE-2016-9565) There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on August 1, 2016. The fix was apparently incomplete, as there was still a problem. However, we are now getting all RSS feeds using AJAX calls instead of the (outdated) MagpieRSS package. Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com).

ENHANCEMENTS

  • Update status.c to display passive check icon for hosts when passive checks are enabled and actives disabled

FIXES

  • Fix permissions for Host Groups reports (status.cgi)
  • Service Parents does not appear to be functioning as intended
  • Availability report mixes up scheduled and unscheduled warning percentages
  • Invalid values for saved_stamp in comput_subject_downtime_times()
  • Remove deprecated “framespacing”
  • The nagios tarball contains two identical jquery copies
  • extinfo.cgi does not set content-type (most cgi’s don’t)
  • Timeperiods are corrupted by external command CHANGE_SVC_CHECK_TIMEPERIOD
  • Quick search doesn’t show hosts without services (service status detail page)
  • In host/services details view, if exactly 100 entries would not show last one
  • nagios host URL parameter for NEW map doesn`t work – Network Map for All Hosts
  • next_problem_id is improperly initialized
  • Passive problems not showing as “unhandled”
  • September reported as Sept instead of Sep
  • Notifications are not sent for active alerts after scheduled downtime ends
  • Nagios 4.2.0 not working on Solaris
  • install-exfoliation and install-classicui don’t work FreeBSD and Mac OS X
  • Updated makefile to delete some no-longer-needed files

4.2.1 – 09/06/2016

FIXES

  • Fix undefined variable php error
  • Links on the sidebar menu under ‘Problems’ are indented too far
  • Using $ARGn$ Macros in perfdata
  • using a wildcard in search returns service status total all zero’s
  • read_only does not take priority
  • Running nagios -v on 4.2.0 takes 90+ seconds
  • Bare “make” invoked in subtarget
  • Theme images/stylesheets installed with inconsistent permissions
  • Missing Image for Host and Service State Trends in Availability Report
  • Maintain non-persistent comments through reload
  • Servicegroup availability report ignores includesoftstates in service report links
  • error: format not a string literal and no format arguments
  • Synced config.guess and config.sub with GNU

4.2.0 – 08/01/2016

SECURITY

  • Fix for CVE-2008-4796
  • Fix for CVE-2013-4214
  • Fix for a Cross-Site Request Forgery attack vulnerability

ENHANCEMENTS

  • Increase socket queue length to avoid missing any connections
  • Added the host name to the website page title
  • The new Status Map will now use cgi.cfg options
  • The default_statusmap_layout will default to “6” for the new map
  • The new Status Map will now show some valid values in the popup for “Nagios Process”

FIXES

  • Network Outage will now work for people who don’t have access to all hosts
  • Fixed a problem that caused workers to loop
  • Fixed how HTML output from plugins gets handled
  • Fix for Command worker failing to handle SIGPIPE
  • Fix for some “Core Worker seems to be choked” conditions
  • Fixed a CPU load problem during polling on FreeBSD
  • Fixed a CPU load problem with workers
  • Flexible downtime no longer reported as “unscheduled”
  • Setting “flap_detention_enabled” to 0 (zero) will now remove flapping state
  • Several fixes to the new maps
  • Better handling of UTF-8 characters in plugin output
  • Reports were not handling custom time periods with special characters
  • A couple of fixes to the init script
  • Fixes to the JSON output
  • State history now uses plugin long output

 

4.1.1 – 08/19/2015

FIXES

  • Fixed CGI’s not being able to read object configuration data when dependencies were present (John Frickson)
  • Fix for exclude (!) not working for dependencies (John Frickson)

4.1.0 – 08/18/2015

ENHANCEMENTS

  • Make sticky status for acks and comments configurable enhancement #20 (Trevor McDonald / Scott Wilkerson)
  • Add host_down_disable_service_checks directive to nagios.cfg #44 (Trevor McDonald / Scott Wilkerson)
  • Promoted JSON CGIs to released status (Eric Stanley)
  • New graphical CGI displays: statusmap, trends, histogram (Eric Stanley)
  • httpd.conf doesn’t support Apache version > 2.3 (DanielB / John Frickson)

FIXES

  • Fix for not all service dependencies created (John Frickson)
  • Fix SIGSEGV with empty custom variable (orbis / John Frickson)
  • Fix contact macros in environment variables (dvoryanchikov)
  • Fixed host’s current attempt goes to 1 after going to hard state (John Frickson)
  • Fixed two bugs/problems: Replace use of %zd in base/utils.c & incorrect va_start() in cgi/jsonutils.c (Peter Eriksson)
  • Fixed: Let remove_specialized actually remove all workers (Phil Mayers)
  • Fixed log file spam caused when using perfdata command directives in nagios.cfg (shashikanthbussa)
  • Fixed off-by-one error in bounds check leads to segfault (Phil Mayers)
  • Added links for legacy graphical displays (Eric Stanley)
  • Update embedded URL’s to https versions of Nagios websites (scottwilkerson)
  • Fixed doxygen comments to work with latest doxygen 1.8.9.1 #30 (Trevor McDonald)
  • Fixed makefile target “html” to PHONY to fix GitHub issue #28 (Trevor McDonald)
  • Fixed typo as per GitHub issue #27 (Trevor McDonald)
  • Fixed jsonquery.php 404 not found error, and disabled Send Query button until form populates #43 (Scott Wilkerson)
  • Fixed linking in Tactical Overview for several of the Host entries in Featured section #48 (Scott Wilkerson)
  • Fixed passing limit and sort options to pagination and sort links #42 (Scott Wilkerson)
  • Added form field for icon URL and clean-up when it changes in CGI Status Map. (Eric Stanley)
  • Added options to cgi.cfg to uncheck sticky and send when acknowledging a problem (Trevor McDonald)
  • Low impact changes to automate the generation of RPMs from nagios.spec file. (T.J. Yang)
  • Update index.php (Trevor McDonald)
  • Fixed escaping of corewindow parameter to account for possible XSS injection (Scott Wilkerson)
  • Typo correction (T.J. Yang)
  • Make getCoreStatus respect cgi_base_url (Moritz Schlarb)
  • Adjusted map layout to work within frames (Eric Stanley)
  • Fixed map displays are now the full size of browser window (Eric Stanley)
  • Fixed labels and icons on circular markup no longer scale on zoom (Eric Stanley)
  • Got all maps except circular markup working with icons (Eric Stanley)
  • Fixes to make legacy CGIs work again. (Eric Stanley)
  • Fixes to make all/html target tolerant of being run multiple times (Eric Stanley)
  • For user-supplied maps, converted node group to have transform (Eric Stanley)
  • Fixed issue transitioning from circular markup map to other maps (Eric Stanley)
  • Fix displayForm to trigger on the buttom press (Scott Wilkerson)
  • Fix fo getBBox crash on Firefox (Eric Stanley)
  • Fixed map now resets zoom when form apply()’d (Eric Stanley)
  • Fixed so close box on dialogs actually closes dialog (Eric Stanley)
  • Corrected directive in trends display (Eric Stanley)
  • Fixed minor issue with link in trends linkes (Eric Stanley)
  • Fixed issue with map displaying on Firefox (Eric Stanley)
  • Added exclusions for ctags generation (Eric Stanley)
  • Update map-popup.html (Scott Wilkerson)
  • Initial commit of new graphical CGIs (Eric Stanley)
  • Fixed Github bug #18 – archivejson.cgi returns wrong host for state change query (Eric Stanley)
  • Status JSON: Added next_check to service details (Eric Stanley)
  • Fixed escaping of keys for scalar values in JSON CGIs (Eric Stanley)
  • build: Include <sys/loadavg.h> if it exists. (Eric J. Mislivec)
  • lib-tests: test-io{cache|broker} need -lsocket to link. (Eric J. Mislivec)
  • lib-tests: test-runcmd assumes GNU echo. (Eric J. Mislivec)
  • lib-tests: Signal handlers don’t return int on most platforms, and using a cast was the wrong way to resolve this. (Eric J. Mislivec)
  • Fix some type/format mismatch warnings for pid_t. (Eric J. Mislivec)
  • Fix build on Solaris. (Eric J. Mislivec)
  • runcmd: Fix build when we don’t HAVE_SETENV. (Eric J. Mislivec)
  • Fixed checkresult output processing (Eric Mislivec)
  • Corrected escaping of long output macros (Eric Mislivec)
  • Fixed null pointer dereferences in archive JSON (Eric Stanley)
  • Fixed memory overwrite issue in JSON string escaping (Eric Stanley)
  • JSON CGI: Now escaping object and array keys (Eric Stanley)

4.0.8 – 08/12/2014

ENHANCEMENTS

  • Removed 8 kB string size limitation in JSON CGIs (Eric Stanley)
  • Re-implemented auto-rescheduling of checks (Eric Mislivec)
  • Avoid bunching of checks delayed due to timeperiod constraints (Eric Stanley)
  • Limit the number of autocalculated core workers to not spawn too many on large systems (Eric Mislivec, Janice Singh)

FIXES

  • Removed quotes from numeric duration values in JSON CGIs (Eric Stanley)
  • Fixed escaping in JSON CGIs so all required characters are escaped, and in the correct order (Eric Stanley)
  • Fixed segfault in archive JSON CGI when plugin output was empty (Eric Stanley)
  • Fixed several possibilities for buffer overflow (Eric Mislivec, Dirkjan Bussink)
  • Fixed Tracker #582, #626: Handle VAR=VAL assignments at the start of simple commands (Eric Mislivec, Phil Randal)
  • Fixed Tracker #630: Recognize ‘<‘ and ‘>’ as redirection operators (Eric Mislivec)
  • Corrected worker communication protocol documentation (Phil Mayers)
  • Fixed init script to leave config test log in a better location, let sysconfig override init script variables, and not remove nagios.cmd when attempting to start with another instance running (Eric Mislivec, Robin Kearney)
  • Fixed Tracker #361: Downtime notifications not displayed properly (Andrew Widdersheim)

4.0.7 – 06/03/2014

ENHANCEMENTS

  • Added value of custom variables to Object JSON output for hosts, services and contacts (Eric Stanley)

FIXES

  • Fixed bug #616: Unescape plugin output read from checkresult files, fix multiline perf data concatenation, and avoid extra memory allocation and copies. (Eric Mislivec)
  • Fixed bug #609: Image on home page doesn’t have correct image path prefix. (Derek Brewer)
  • Fixed bug #608: Extra newline in service check timeout output string. (Mauno Pihelgas)
  • Fixed bug #596: Crashes checking contact authorization for host escalations. (Alexey Dvoryanchikov – duplicates #590, #586)
  • Fixed bug #496: Syntax error in exfoliation’s common.css. (Karsten Weiss)

4.0.6 – 04/29/2014

ENHANCEMENTS

  • Added name of authenticated user to JSON CGI results object (Eric Stanley)
  • Added Nagios Core version to the Status JSON CGI programstatus query (Eric Stanley)
  • Added daemon status to main page (Eric Mislivec)

FIXES

  • Fixed bug #600: Service Check Timeout State always returns OK (0) status (Mauno Pihelgas, Eric Stanley)
  • Fixed bug #583: Status Check Output of (No output on stdout) stderr: (Eric Stanley – duplicate of bug #573)
  • Fixed bug #573: Service checks returns (No output on stdout) stderr (Eric Stanley)
  • Fixed bug #438: Reloads during downtime causes wrong availability calculations (Eric Stanley)
  • Fixed feed updates when daemon can not access external networks (Eric Mislivec)
  • Archive JSON: Fixed bugs calculating availability (Eric Stanley)
  • Archive JSON: Allow missing logs to be skipped (Eric Stanley)

4.0.5 – 04/11/2014

FIXES

  • Fixed bug #595: Nagios 4 security fix (Alexey Dvoryanchikov, Eric Stanley)
  • Fixed bug #594: Nagios 4 fix contactgroups parsing (Alexey Dvoryanchikov, Eric Stanley)
  • Fixed bug #577: Nagios 4 checks stalled when write to socket failed (Alexey Dvoryanchikov)
  • Fixed bug #580: Nagios 4 memory leak (Eric Stanley)
  • Fixed init script to remove the switching of users when performing configuration verification which was causing failures if nagios user was set to nologin (Scott Wilkerson)
  • Fixed auto creation of RAMDISK via environment variables in init script to properly check existence using $RAMDISK_DIR environment variable. (Scott Wilkerson)
  • Fixed unreferenced variable NagiosVarDir in daemon-init (Eric Mislivec)
  • Fixed bug where audio alerts wouldn’t work with a 0 height and width – https://support.nagios.com/forum/viewtopic.php?t=26387 (Scott Wilkerson)

4.0.4 – 03/14/2014

ENHANCEMENTS

  • JSON CGIs moved to beta status (Eric Stanley)

FIXES

  • Fixed bug #491,#553: Rebuilt the daemon-init scripts back to something that should work on all systems (Scott Wilkerson)

4.0.3 – 02/28/2014

ENHANCEMENTS

  • Aliased hourly_value to importance and minimum_value to minimum_importance and deprecated the former (Eric Stanley)
  • Added host and service importance macros (Eric Stanley)
  • Added notifications on flexible downtime expiration (Dan Wittenberg)

FIXES

  • Bug #548: Temporary fix that rejects all external command during restart to prevent Core from crashing (Eric Stanley)
  • Corrected calculation of host importance and importance defaults (Eric Stanley)
  • Fixed bug #498: Nagios 4 enable_environment_macros=1 not working (Eric Stanley, Alexey Dvoryanchikov)
  • No longer checks whether logs can be written when verifying configuration (Eric Stanley)
  • Fixed CGI bug where the CGI could read past the end of the list of CGI variables, potentially crashing the CGI (Scott Wilkerson)
  • Fixed inheritance of hourly_value from host and service templates (Scott Wilkerson)
  • Fixed bug #502: 4.0.0: Configuration -> Service Escalations = incomplete list (Eric Stanley)
  • Fixed bug #523: quotes and double quotes in plugin message are converted to HTML escapes in Nagios 4.0 (duplicate of bug #524)
  • Fixed bug #524: URLs returned in plugin check results are not correctly displayed (Eric Stanley)
  • Fixed bug where passive service checks would return “Service check timed out after 0.00 seconds” (Scott Wilkerson)

4.0.2 – 11/25/2013

FIXES

  • Fixed bug 528: Nagios 4.0.1: Logrotation: Only current host- and servicestates saved in rotated logfiles (duplicate of 507)
  • Fixed bug 507: Nagios 4.0.0 – Problem during log rotate (Stefano Ghelfi)
  • Fixed bug 530: RPM spec file sets wrong permissions on plugins directory (duplicate of bug 494)
  • Fixed bug 494: nagios.spec fixes (with patch) (Karsten Weiss)
  • Fixed bug 515: Segsegv after starting up nagios (duplicate of bug 526)
  • Fixed bug 513: Crash while entering downtime for service (duplicate of bug 526)
  • Fixed bug 529: Core Worker failed to reap child in 4.0.1 Description
  • Fixed bug 514: scheduled downtime not showing in web interface (Eric Stanley)
  • Fixed bug 526: sort_downtime() corrupts scheduled_downtime_list causing segfault (Adam James)
  • Fixed bug 492: Nagios 4 fails to remove/add checks upon reload (Eric Stanley)
  • Fixed Bug 484: Beta4.0.0b4 service checks returning (No output on stdout) (Eric Stanley)
  • Fixed Bug 470: statusmap doesn’t display info (Cameron Moore)
  • Fixed Bug 499: Security issue in daemon-init.in, function check_config (Tómas Edwardsson)

4.0.1 – 10/15/2013

ENHANCEMENTS

  • Added compiler flags in RPM spec file to reduce compiler noise (Dan Wittenberg)
  • Added logging of failure in dlclose() call (Anton Lofgren)
  • Added a simple query handler interface, nagios-qh.rb (Dan Wittenberg)
  • Multiple code simplifications, additional error handling in downtime code (Andreas Ericsson)

FIXES

  • Reverted commit f99a9a7b which set check_interval to 1 if it was configured as zero.
  • Corrected order of arguments when logging unknown hosts/services (Scott Wilkerson)
  • Downtime initialized before retention data read (Eric Stanley)
  • Patches to make RPM build again (Dan Wittenberg)
  • Ensure that scheduled_downtime_depth never drops below zero (Andreas Ericsson)

4.0.0 – 09/20/2013

See changes in What’s New page of documentation