From lm at mathias-kettner.de  Tue Jan 20 11:53:09 2015
From: lm at mathias-kettner.de (Lars Michelsen)
Date: Tue, 20 Jan 2015 11:53:09 +0100 (CET)
Subject: Check_MK Werk 1873: Escaping event text of event console messages
 correctly in views
Message-ID: <20150120105309.BFA838080F@mail.mathias-kettner.de>

ID:          1873
Title:       Escaping event text of event console messages correctly in views
Component:   Event Console
Level:       1
Class:       Security Fix
Version:     1.2.7i1

Event texts of messages which have been processed by the event console
and resulted in a event might contain HTML code which is now escaped
correctly to prevent XSS attacks when shown in the event console views.


From lm at mathias-kettner.de  Tue Jan 27 08:48:58 2015
From: lm at mathias-kettner.de (Lars Michelsen)
Date: Tue, 27 Jan 2015 08:48:58 +0100 (CET)
Subject: Check_MK Werk 1878: Fixed possible shell injection when filtering the
 EC archive
Message-ID: <20150127074858.BDB6A80806@mail.mathias-kettner.de>

ID:          1878
Title:       Fixed possible shell injection when filtering the EC archive
Component:   Event Console
Level:       2
Class:       Security Fix
Version:     1.2.7i1

To optimize searches in the Event Console archive files, the event console
uses "grep" to make a fast preselection of history entries. The grep command
is used for different filters, like the "ID of rule". This allows normal logged
in users with only GUI privileges to execute shell commands on the monitoring
host with privileges of the user the Event Console is running with. Normally
this is the sites user in OMD sites or the user nagios.

All currently maintained versions are affected. If you are using an affected
version which we offer no more releases for, you can use the patch of
this Werk to fix the issue for your version.

This issue has been discovered and reported by Christian Thiemann. Thanks!