[Checkmk Announce] New Checkmk stable release 1.6.0p28

Dear friends of Checkmk,
the new stable release 1.6.0p28 of Checkmk is ready for download.
This maintenance release ships with 18 changes affecting all editions of Checkmk, 3 Enterprise Edition specific changes and 1 Managed Services Edition specific change.

Changes in all Checkmk Editions:

Checks & agents:
* 13602 Maximal size of a plugin for Windows agent is 64 MB
* 13521 FIX: mcafee_av_client: Fix ValueError (time data u'search:' ...)
* 13494 FIX: mongodb_counters: Fix “ValueError: too many values to unpack (expected 3)”
* 13488 FIX: postgres_conn_time: Fix stale service in case of one single database
* 13223 FIX: Agent vSphere: Fix time offset error for ‘systemtime’ service
* 13525 FIX: Autochecks file corruption due to “‘” in parameters
* 13597 FIX: Windows agent supports Unicode symbols in logwatch section
* 13557 FIX: agent_vsphere: wrongly configured connection timeout leads to high CPU usage
* 13686 FIX: mssql_blocked_sessions: use new service description by default

Event console:
* 13091 FIX: Fixed event console time filters

Linux distributions:
* 13637 Backport support for SLES 15 SP3

Other components:
* 13321 SEC: NagVis: Updated to 1.9.29 (Fix possible deletion of arbitrary files)
* 13316 FIX: Checkmk now requires Appliance firmware 1.4.17 or newer

Setup:
* 13717 SEC: Persistent XSS in Predefined Conditions
* 13314 SEC: Distributed monitoring: Do not log site secret on remote site
* 13716 SEC: Persistent XSS in Notification configuration
* 12395 FIX: LDAP: Fix ‘Sync-Plugin: Roles’ if ‘#’ is used in distinguished name
* 12332 FIX: Stale status of host is correctly determined when host is not reachable

Changes in the Checkmk Enterprise Edition:

Core & setup:
* 13087 FIX: Remove ad hoc restrictions in the generic check helper protocol.

Setup:
* 12333 FIX: Disabled possibility to add too big files to the agent installer

The Check_MK Micro Core:
* 13089 FIX: Fixed logging with microsecond timestamps

Changes in the Checkmk Managed Services Edition:

User interface:
* 13370 FIX: Fix LDAP synchronisation of customer attribute
  NOTE: Please refer to the migration notes!

You can download Checkmk from our download page:
* checkmk.com/download.php

Please mail bug reports and qualified feedback to feedback@checkmk.com.

We greatly thank you for using Checkmk and wish you a successful monitoring,
Your Checkmk Team

[USN-5310-1] GNU C Library vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5310-1
March 01, 2022

glibc vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in GNU C Library.
Software Description:
- glibc: GNU C Library
Details:
Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could possibly use this issue to cause the GNU C Library to hang or crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2021-3326)
Jason Royes and Samuel Dytrych discovered that the GNU C Library incorrectly handled signed comparisons on ARMv7 targets. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-6096)
It was discovered that the GNU C Library nscd daemon incorrectly handled certain netgroup lookups. An attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-27645)
It was discovered that the GNU C Library wordexp function incorrectly handled certain patterns. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-35942)
It was discovered that the GNU C Library realpath function incorrectly handled return values. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 21.10. (CVE-2021-3998)
It was discovered that the GNU C Library getcwd function incorrectly handled buffers. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-3999)
It was discovered that the GNU C Library sunrpc module incorrectly handled buffer lengths. An attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service. (CVE-2022-23218, CVE-2022-23219)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.10: libc6 2.34-0ubuntu3.2
Ubuntu 20.04 LTS: libc6 2.31-0ubuntu9.7
Ubuntu 18.04 LTS: libc6 2.27-3ubuntu1.5
After a standard system update you need to reboot your computer to make all the necessary changes.
References:
- ubuntu.com/security/notices/USN-5310-1
- CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2020-6096, CVE-2021-27645, CVE-2021-3326, CVE-2021-35942, CVE-2021-3998, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219

Package Information:
- launchpad.net/ubuntu/+source/glibc/2.34-0ubuntu3.2
- launchpad.net/ubuntu/+source/glibc/2.31-0ubuntu9.7
- launchpad.net/ubuntu/+source/glibc/2.27-3ubuntu1.5