Xymon Mailing List Archive

Xymon 4.3.1 released (security fixes)

7 messages in this thread

list Henrik Størner · Sun, 03 Apr 2011 12:41:14 +0200 ·
Hi,

I have released Xymon version 4.3.1. It is available from Sourceforge at http://sourceforge.net/projects/xymon/ now.

The main reason for a release now following the 4.3.0 release just a month ago is to fix a security issue that was reported to me two days ago.

David Ferrest reported that the Xymon web interface was vulnerable to "cross-site scripting" attacks. After the initial report, I have gone through the web UI code and fixed several identical vulnerabilities leading to this release.


For those unfamiliar with cross-site scripting, here is the Wikipedia description:

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner."

(From http://en.wikipedia.org/wiki/Cross-site_scripting )


Regards,
Henrik
list Henrik Størner · Mon, 04 Apr 2011 07:56:31 +0200 ·
Hi,
quoted from Henrik Størner

yesterday I wrote:
I have released Xymon version 4.3.1. It is available from Sourceforge at
http://sourceforge.net/projects/xymon/ now.
This has quickly been replaced by 4.3.2 since the fixes in 4.3.1 broke a 
number of tools, including the history log display. So please use 4.3.2 
instead.

Sorry for the inconvenience.


Regards,
Henrik
list Josh Luthman · Mon, 4 Apr 2011 02:01:29 -0400 ·
Thanks for the great work, Henrik =)

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
list Nick Camaldi · Mon, 4 Apr 2011 15:46:08 -0400 ·

Sorry for the noobish question, but we are currently running 4.3.0-beta2. What is the safest way to upgrade to 4.3.2? If I can leave my existing instance alone and install a new version and point to prod through a symlink, that would be the best.
Is there documentation? Where do I start?
Thanks for your help.
Nick
list Henrik Størner · Mon, 04 Apr 2011 21:49:30 +0200 ·
quoted from Nick Camaldi
Sorry for the noobish question but we are currently running 4.3.0-beta2,
what is the safest way to upgrade to 4.3.2.
See the docs/upgrade-to-430.txt file in the Xymon source archive.


Regards,
Henrik
list Henrik Størner · Thu, 07 Apr 2011 13:33:37 +0200 ·
Hi Nick,

On Tue, 5 Apr 2011 13:22:21 -0400, Nick Camaldi
<user-93c600de5418@xymon.invalid> wrote:
[...]
I inherited the Xymon Server from a former employee, who was using 4.3.0
beta2
he had the installation in /opt/admin/xymon/linux/4.3.0-beta2/
The questions i have is this, I want to make sure i don't mess this up
please post this question to the mailing list - there are a lot more
people there who can help with this. I've taken the liberty of cc'ing the
mailing list here.

My quick answer would be:

0) Use a test system - Virtualbox and VMware Player are free, and let you
set up a dedicated system for testing the new Xymon version without having
to install new hardware.
1) Install the new Xymon version into a new directory. Don't bother with
how the old directory layout was - create a setup that you believe is
right.
2) Copy the configuration files over from the old setup. You can see in
the docs/Renaming-430.txt directory what the mapping is between the old and
the new files. There shouldn't be any config files other than those in the
~hobbit/server/etc/ directory, and perhaps some extensions in
~hobbit/server/ext/
3) Change a couple of the clients on the servers you monitor so they send
data to both the old system and the new test system. Just to make sure that
client handling works OK.
4) When you're confident that the new setup works, shut down the old Hobbit
installation, copy the setup from your virtual server over to the
production system, and everything should work.


Regards,
Henrik
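The side-by-side upgrade Henrik outlines above (fresh install in a new directory, old config copied over, production switched by a symlink as Nick asked), written out as an added shell example; this is not code from the thread or from the Xymon project. It assumes the old tree keeps its config in server/etc and extensions in server/ext, and it does not apply the renames from docs/Renaming-430.txt, so every copied file is reported for a manual check against that list.

```shell
#!/bin/sh
# Added example, not code from the thread or the Xymon project: stage the
# side-by-side upgrade Henrik describes (new install in a fresh directory,
# old config copied over, production switched by a symlink as Nick asked).
# Assumptions: old config lives in $OLD/server/etc and extensions in
# $OLD/server/ext; renames from docs/Renaming-430.txt are NOT applied, so
# every copied file is reported for a manual check against that list.
set -eu

# Copy old config and extensions into the new tree without clobbering any
# file the fresh install already ships: the new default stays in place and
# the old version is saved next to it as <name>.old for manual merging.
stage_config() {
    old="$1"; new="$2"
    for sub in server/etc server/ext; do
        [ -d "$old/$sub" ] || continue
        mkdir -p "$new/$sub"
        for f in "$old/$sub"/*; do
            [ -f "$f" ] || continue
            base=$(basename "$f")
            if [ -e "$new/$sub/$base" ]; then
                cp -p "$f" "$new/$sub/$base.old"
                echo "kept new $sub/$base; old copy saved as $base.old"
            else
                cp -p "$f" "$new/$sub/$base"
                echo "copied $sub/$base (check docs/Renaming-430.txt)"
            fi
        done
    done
}

# Repoint the "current" symlink at a tree. ln -sfn replaces the link itself
# rather than creating a link inside the directory it points to (GNU ln;
# BSD ln uses -shf). Rolling back is the same call with the old directory.
switch_current() {
    link="$1"; target="$2"
    ln -sfn "$target" "$link"
    readlink "$link"
}

# Example run (the 4.3.2 path is a placeholder; step 3, making a few clients
# report to both servers, is done on the clients and is not scripted here):
#   stage_config /opt/admin/xymon/linux/4.3.0-beta2 /opt/admin/xymon/linux/4.3.2
#   switch_current /opt/admin/xymon/linux/current /opt/admin/xymon/linux/4.3.2
```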
list Nick Camaldi · Thu, 7 Apr 2011 16:39:27 -0400 ·
If I try and experiment on the same box (making sure everything is backed up),
is the upgrade process an in-place upgrade?

During the ./configure, do I specify the current install directory or a new directory?

If I do it on a test VM,
where am I copying the files to, and will I need to manually change everything or do I run the upgrade script?

I'm not following the upgrade procedure.

Nick