Artifact Content

Artifact e49d43176638b31df92c697ecfe0ed8ce896ef25d52ab2cc04b9c7a7bbf58109:

           * * *   Release notes for Xymon 4.3.19   * * *

This documents the important changes between Xymon releases, i.e.
changes you should be aware of when upgrading.

For a full list of changes and enhancements, please see the 
Changes file.

Changes for 4.3.19
This is mostly a bugfix release (see the Changes file for a full list), 
but there are some enhancements:

Apache 2.4 syntax is now supported by the sample xymon.conf file.

EXTIME= syntax in analysis.cfg and alerts.cfg files is now supported.
Note that this exclusion is applied *after* any normal TIME= 
specifiers. (If a TIME= modifier is present, then times outside of
that range are already excluded.)

An Acknowledgements report CGI is now available, similar to 
the Notifications report. (Thanks, Andy Smith)

Client logs with multiple trigger lines found are guaranteed to have all
the sections returned, even if this exceeds the "maxbytes" specified (up to
the compiled-in limit). Additionally, the "current" location of new log 
data written since the last time xymonclient was run is now marked for 
reference. (Thanks, Franco Gasperino)

A new "deltacount" option is available in client-local.cfg. It functions
similarly to "linecount" for a given log: entry, but only counts matching 
lines written in the log file since the last run.

Additional filtration options are available for the xymondboard command,
including the full body of the message, and acknoweldgement and disable
comments. Also, inequalities can be used to filter an epoch timestamp
against any of: lastchange, logtime, validtime, acktime, or disabletime.
See the xymon(1) man page for details.

The process list visible in the 'procs' test of Linux and FreeBSD clients
is now generated in ASCII "forest" mode for increased legibility.

Changes for 4.3.18
4.3.18 fixes a buffer overflow vulnerability in the acknowledge.cgi
script (CVE-2015-1430). All users are encouraged to upgrade.

Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.

In previous versions, the Xymon web CGI programs were run through
a shell-script wrapper, which took care of setting up the environment
for the Xymon programs. In light of the bash 'Shell shock' bug, this
is no longer the case. Instead, a binary 'cgiwrap' utility is used
to load the xymonserver.cfg and cgioptions.cfg files before invoking
the CGI programs. This means that the cgioptions.cfg file is no longer 
parsed as a shell script, so if you rely on this then it will no 
longer work. In that case you must replace the symlink(s) in 
xymon/cgi-bin/ with shell script wrappers which source the 
cgioptions.cfg file.

Changes for 4.3.15 - 4.3.17
No significant changes.

Changes for 4.3.14
In previous Xymon versions, a client-only configuration (i.e. one
configured with "./configure --client") would place the client
files in a "client" subdirectory below the directory specified 
during configuration. This is the same directory layout as a server 
installation, where the server and client parts of Xymon are
in separate subdirectories.
In 4.3.14, the default has changed so a client-only installation
now installs in the directory given during the configure-step.
The "/client" has been eliminated, so if you are upgrading an
existing client you must either move the old client installation
one level up from the "client/" directory, or change the Makefile
generated by "configure --client" and add "/client" to the 

The SNI support added in 4.3.13 causes problems with some older
webservers, whose SSL implementation cannot handshake correctly
when SNI is used. The failed handshake causes Xymon to report
the site as down. In 4.3.14, the default is changed so SNI is
disabled. A new "--sni" option was added to xymonnet to control the
default setting, and two new tags "sni" and "nosni" can be used in 
hosts.cfg to control SNI for each host that is tested.

Changes for 4.3.13
This is mostly a bugfix release. Apart from simple bugs (see
the Changes file), there are some enhancements:

Alerts sent via e-mail have <CR><NL> line-endings converted
to plain <NL>, since the carriage-return characters would
cause some mailers to send alerts as a (binary) attachment
to an empty mail message.

https-URL's can be forced to use TLS only, by using 
"httpst://..." similar to how SSLv2 and SSLv3 can be chosen.

SSL connections (e.g. for https URL's) now use the TLS 
"Server Name Indication" (SNI) if your OpenSSL library 
supports it. This allows testing of systems that have 
multiple SSL websites located on the same physical IP+port 
(i.e. virtual name-based hosts).

Changes for 4.3.12
NOTE: This release includes a bugfix for a security issue
in the xymond_history and xymond_rrd modules. A "drophost"
command sent to the xymond port (default: 1984) from an IP
listed in the --admin-senders access control list can be
used to delete files owned by the user running the xymond 
daemon. This is allowed by default, so it is highly recommended
to install this update.

Changes for 4.3.2 - 4.3.11
See the Changes file for a list of significant changes.
These releases are mostly to fix bugs.

NOTE: Some configuration parameters have changed, so you must 
regenerate the top-level Makefile by running the "configure" 
script before compiling the new version.

The inode-check introduced in 4.3.8 and 4.3.10 requires
that you update both the Xymon server installation and the
Xymon client on the systems where you want to monitor how
many inodes are being used.

Changes for 4.3.1
This is a SECURITY BUG FIX release, resolving a number of 
potential cross-site scripting vulnerabilities in the Xymon 
web interface.

Thanks to David Ferrest who reported these to me.

Changes for 4.3.0
IMPORTANT: Most files and internals in Xymon have been renamed
with the 4.3.0-beta3 release. If you are upgrading from a
version prior to 4.3.0-beta3, you MUST read the file 
docs/upgrade-to-430.txt and make sure you follow the steps
outlined here. That also applies if you are upgrading from

Xymon 4.3.0 is the first release with new features after 
the 4.2.0 release. Several large changes have been made
throughout the entire codebase. Some highlights (see
the Changes file for a longer list):

* Data going into graphs can now be used to alter a status,
  e.g. to trigger an alert from the response time of a network
* Tasks in xymonlaunch can be be configured to run at specific
  time of day using a cron-style syntax for when they must run.
* Worker modules (RRD, client-data parsers etc) can operate on
  remote hosts from the xymond daemon, for load-sharing.
* Support for defining holidays as non-working days in alerts and
  SLA calculations.
* Hosts which appear on multiple pages in the web display can
  use any page they are on in the alerting rules and elsewhere.
* Various new network tests: SOAP-over-HTTP, HTTP tests with
  session cookies, SSL minimum encryption strength test.
* New "compact" status display can group multiple statuses into
  one on the webpage display.
* Configurable periods for graphs on the trends page.
* RRD files can be configured to maintain more data and/or
  different data (e.g. MAX/MIN values)
* SLA calculations now include the number of outages in addition
  to the down-time.
* Solaris client now uses "swap -l" to determine swap-space
  usage, which gives very different results from the previous
  "swap -s" data. So your Solaris hosts will appear to change
  swap-utilisation when the Xymon client is upgraded.

TRACKMAX feature removed
For users of the TRACKMAX feature present in 4.2.2 and
later 4.2.x releases: This feature has been dropped. Instead,
you should add a definition for the tests that you want to track
max-values for to the rrddefinitions.cfg file. E.g. to
track max-values for the "mytest" status column:


Changed behaviour of http testing via proxy
The Big Brother behaviour of allowing you to specify an http 
(web) proxy as part of the URL in a test has been disabled
by default, since it interferes with URL's that contain
another URL as part of the URL path. If you need the Big Brother
behaviour, add "--bb-proxy-syntax" to your invocations of 

BBGHOSTS setting removed
Setting BBGHOSTS in the xymonserver.cfg file no longer has any
effect. Instead, you must use the "--ghosts" option for hobbitd.
The default ghost handling has also been changed from "ignore"
to "log".

xymonproxy: Alert support for Big Brother servers removed
The xymonproxy tool no longer supports forwarding "page"
messages. This means that if you are forwarding messages
from an old Big Brother client to a Big Brother server
that is sending out alerts, then these alerts will be
dropped. Status updates will be forwarded, only alerts
triggered from the Big Brother server are affected.

Webpage menu: New menu code
The Javascript-based menu code ("Tigra") has been replaced
with a menu based on CSS/HTML4. This means that any menu
customization will have to be manually transferred to the
new menu definition file, ~xymon/server/etc/xymonmenu.cfg.
The new menu-system is known NOT to work with Internet
Explorer 6 (IE 7 and newer are fine). If you must have a
menu system that works with the ancient browsers, then the
old Tigra menu can be downloaded from
together with instructions for using it with Xymon 4.3.0.