According to the Nagios web site, this release of Nagios XI includes the latest versions of Nagios Core and ndo2db and fixes three root privilege escalation vulnerabilities. If the server is not upgraded, these vulnerabilities could leave it open to attack.
Additionally, several cross-site scripting vulnerabilities were fixed along with about a dozen non-security-related bug fixes.
Finally, enhancements were made in the included version of Nagios Core and ndo2db that significantly improve memory utilization along with increasing performance, specifically on installations monitoring a large number of hosts and services.
Below is the full change list:
– Upgraded Nagios Core to version 4.2.4
– Upgraded NDOUtils to version 2.1.2
– Upgraded NRDP to version 1.4.0
– Added combined CSV export option for availability report
– Added support for offloaded databases in the repair_databases.sh script
– Fixed email not being updated for XI Contact when XI User is updated
– Fixed security type not being respected properly by LDAP/AD Integration component
– Fixed issue where system status popup would show white text for non-admins who can view it
– Fixed issue with French translations in LDAP/AD import/manage servers pages
– Fixed various XSS vulnerabilities (BPI url, Scheduled Backups url)
– Fixed issue where spaces in mibs cause snmptt to fail (manage mibs page now replaces spaces with _ on upload)
– Fixed text on views popups to not have unprocessed html output in them
Core Config Manager (CCM) – 2.6.4
———————————
– Fixed issue with ID and page number not being an int
– Fixed various XSS vulnerabilities (search bar and others)
– Fixed issue with returnUrl set to non-CCM url
– Fixed issue with importing contacts/contact groups not importing all contact options
– Fixed exclamation points being unable to be used in command arguments in CCM