Due to the recent fixes in 1.4.1 the XSS vulnerability caused the command expander in config.cgi not to work as expected. Alongside this bug, there were various other things to resolve while working on the 1.5 dev branches. All important fixes have been backported into 1.4 tree and can now be found in a revamped 1.4.2 release on Core, Classic UI and IDOUtils.
Download 1.4.2 now or wait for your distribution to push updated packages 🙂 Special note: 1.4.2 does not require IDOUtils DB upgrading.

  • core: fix freshness_threshold problem in host checks by using check_interval in HARD or OK state, else retry_interval (like service checks) #1331
  • classic ui: add a check for status data freshness into cgis #1667
  • classic ui: re-fix xss vulnerability and string escaping for command expansion #1605 #1624
  • classic ui: remove sidebar.html inclusion in index.html causing troubles on reload #1632
  • classic ui: fixed: User can execute host/servicegroup commands even if not authorized for (Sven Nierlein) #1679
  • classic ui: fixed: plugin_output_short didn’t get checked properly and caused segfault in status.cgi #1673
  • idoutils: do not update start_time of already started downtimes #1658
  • idoutils: fix started downtime update for table scheduleddowntime in oracle #1658
  • install: fix make install-idoutils overwrites sample – adding idoutils.cfg-sample instead #1625

Please report any bugs/feature requests/etc to our development tracker and/or community channels! 🙂