Changelog
Release Meridian-2023.1.21
Release 2023.1.21 contains a bunch of security updates and an enhancement.
The codename for Meridian 2023.1.21 is Rosita.
Task
-
Update grpc to to the next version to address CVEs (Issue NMS-16180)
-
Update org.apache.kafka:kafka to version 3.6.2 or higher. (Issue NMS-16507)
-
Purge jettison 1.4.x from the system directory (Issue NMS-16513)
-
Update BouncyCastle bcpkix to 1.78 (Issue NMS-16514)
-
Update esapi version to latest (Issue NMS-16515)
-
Update Swagger UI to version 3.23.11 or later to address CVE-2019-17495 (Issue NMS-16546)
-
Update Apache CXF to 4.0.5, 3.6.4 or 3.5.9 or to latest to fix CVE-2024-29736 (Issue NMS-16550)
Configuration
-
Need to Update the Example Event Forwarder Script (Issue NMS-16501)
Release Meridian-2023.1.20
Release Meridian-2023.1.18
Release 2023.1.18 contains a couple of bug fixes.
The codename for Meridian 2023.1.18 is Bert.
Bug
-
Cross-Frame Scripting-CWE ID : 1021 Web scan vulnerability (Issue NMS-16369)
-
Address CVE-2020-15522 (Issue NMS-16384)
-
Querying Alarms by alarmId leads to a page that loses context on refresh (Issue NMS-16417)
-
Stored XSS on "MIB Compiler" (Issue NMS-16444)
-
Stored XSS on "Scheduled Outages" (Issue NMS-16445)
-
Missing Access Control on "Grafana Endpoints" (Issue NMS-16446)
-
Missing Access Control on "Geocoder Configuration" (Issue NMS-16447)
-
Stored XSS on "Node Label" (Issue NMS-16448)
-
Detailed server configuration in the error (Issue NMS-16449)
Release Meridian-2023.1.17
Release Meridian-2023.1.15
Release 2023.1.15 contains a couple of bug fixes.
The codename for Meridian 2023.1.15 is The Lone Ranger.
Bug
-
CVE-2024-3094 investigation (Issue NMS-16396)
Release Meridian-2023.1.14
Release 2023.1.14 contains a bunch of bug fixes and enhancements.
The codename for Meridian 2023.1.14 is Statler.
Release Meridian-2023.1.13
Release 2023.1.13 contains a bunch of small cleanups and bugfixes, and a number of documentation improvements.
The codename for Meridian 2023.1.13 is Elmo.
Bug
-
Last 24 Hours graphs do not update correctly when using Database drivers (Issue NMS-15850)
-
enlinkd logging hibernate errors (lack of unique index) (Issue NMS-16199)
-
Zookeeper 3.4.6 version mismatch in Meridian 2021 (Issue NMS-16209)
-
Cortex plugin does not start automatically (Issue NMS-16272)
-
GNMI OpenConfig Connector - TRANSIENT_FAILURE Issues - Unable to establish connection (Issue NMS-16277)
-
Minion java-opts not loading correctly (Issue NMS-16305)
-
use-address-from-varbind not honored via Minion (Issue NMS-16310)
-
Minion confd doesn’t fully disable ActiveMQ when using Kafka (Issue NMS-16311)
-
Unprivileged minion fails on livenessprobe (Issue NMS-16327)
-
Docs: Restore missing pages regarding setup of traps/syslog on Minions. (Issue NMS-16344)
-
Misspelled documentation for the OPENNMS_CASSANDRA_HOSTNAMES variable (Issue NMS-16346)
Task
-
Update gnmi groovy script to parse data properly (Issue NMS-16321)
Release Meridian-2023.1.12
Release 2023.1.12 contains documentation and logging updates, as well as some improvements to the Karaf CLI.
The codename for Meridian 2023.1.12 is Oscar the Grouch.
Release Meridian-2023.1.11
Release 2023.1.11 is a re-roll of 2023.1.10 with the addition of one fix related to the Metadata REST service.
The codename for Meridian 2023.1.11 is Pepe the King Prawn.
Due to the Karaf and Camel updates in 2023.1.10, it is recommended you give more rigor than usual to evaluating a point update. While we have not observed any issues with these version bumps, they touch a lot of the codebase and there is a higher-than-usual chance of something unexpectedly having issues on upgrade. |
Bug
-
Reinstate the Metadata REST endpoint (Issue NMS-16259)
Release Meridian-2023.1.10
Release 2023.1.10 contains a bunch of documentation updates, bug fixes, and some major security-focused upgrades including Karaf and Camel.
The codename for Meridian 2023.1.10 is Gonzo.
Due to the Karaf and Camel updates, it is recommended you give more rigor than usual to evaluating a point update. While we have not observed any issues with these version bumps, they touch a lot of the codebase and there is a higher-than-usual chance of something unexpectedly having issues on upgrade. |
Bug
-
Missing information in downtime model docs (Issue NMS-10133)
-
R-Core fails to install following the Horizon 30 Install Docs (Issue NMS-14777)
-
Surveillance Dashboard shows acknowledged Alarms (Issue NMS-15448)
-
Device config upload failed with org.apache.sshd.common.SshException: EdDSA provider not supported (Issue NMS-16131)
-
Data choices plugin throws a NPE when user clicks on show collected data. (Issue NMS-16151)
-
Users with ROLE_READONLY can add, modify, and delete alarm memos (Issue NMS-16162)
-
Docs: Meridian plugins reference wrong package names (Issue NMS-16164)
-
Service detail page displays wrong collectd package (Issue NMS-16167)
-
OpenConfig Connector parameter frequency in incorrect unit (Issue NMS-16253)
-
Container flag
-t
does not pass correct arguments (Issue NMS-16265)
Enhancement
-
Add confd support to Sentinel container (Issue NMS-16149)
-
Remove plugin 'opennms-cloud-plugin' from installation (Issue NMS-16219)
-
Update install script to clear Karaf cache (Issue NMS-16226)
-
Docs: Remove reference to 'opennms-cloud-plugin' plugin (Issue NMS-16231)
-
OpenShift: Document the impact of disabling allowPrivilegeEscalation (Issue NMS-16239)
-
Upgrade to latest Karaf 4.3 (Issue NMS-16249)
Release Meridian-2023.1.9
Release 2023.1.9 contains a bunch of security updates to Drools, Hibernate, Jetty, and more, plus a number of other bug fixes and a slew of documentation updates.
The codename for Meridian 2023.1.9 is The Swedish Chef.
The upgraded dependency on Jetty introduced stricter handling of jetty.xml validation.
If you have customized your jetty.xml in ${OPENNMS_HOME} then you may have to change id and refid attributes to be unique.
For an example of the changes, see the modifications we made to our default jetty.xml .
|
Enhancement
-
BMP docs could use some TLC (Issue NMS-13891)
-
Provisiond threads description discrepancies (Issue NMS-14766)
-
OpenShift: Documentation (Issue NMS-16108)
-
Backport Drools 8.x to foundation 2023 to address a couple of CVEs (Issue NMS-16179)
-
Integrate hibernate-core related patch from Debian (Issue NMS-16181)
-
Version bump of json for CVE-2023-5072 (Issue NMS-16191)
-
Version bump of jetty to 9.4.53 version (Issue NMS-16192)
-
Version bump of snappy java (Issue NMS-16194)
-
Docs: Remove deprecated resourcecli section (Issue NMS-16216)
Bug
-
Local Geo Map (using gwt.openlayers.url ) working in version 29.0.1 is not anymore in 31.0.3-1 (Issue NMS-15400)
-
Access Denied when deleting a node with admin user (Issue NMS-15746)
-
Map dashlet for Ops Boards references old map systems (Issue NMS-16044)
-
Reports → Chart page does not load graphs (Issue NMS-16085)
-
Event parameters with
<>
not rendering in event/alarm views (Issue NMS-16157) -
Add Basic Auth to OpenConfig gNMI for Call Credentials (Issue NMS-16158)
Release Meridian-2023.1.8
Release 2023.1.8 contains documentation updates as well as a number of bug fixes and enhancements including Sentinel fixes, improvements to running in containers, and some other small changes.
The codename for Meridian 2023.1.8 is Rizzo the Rat.
Bug
-
login.jsp page is still visible/accessible after being authenticated by pre-authentication (Issue NMS-14078)
-
Fix Event documentation formatting (Issue NMS-15603)
-
Sentinel depends on unpackaged /opt/sentinel/etc/datacollection-config.xml (Issue NMS-15695)
-
Container ignores environment variable OPENNMS_DATABASE_CONNECTION_MINPOOL or confd opennms/database/connection/minpool configuration (Issue NMS-16141)
-
Container’s java binary is missing cap_net_raw capability (Issue NMS-16145)
-
SENTINEL_HOME points to wrong location in fix-permissions (Issue NMS-16159)
Enhancement
-
Basic BMP Setup (Issue NMS-13893)
-
BMP set up with Minion (Issue NMS-13894)
-
BMP Setup with Sentinel (Issue NMS-13895)
-
Quick install script for first time evaluator and training (Issue NMS-14811)
-
Expand flow thresholding documentation (Issue NMS-15276)
-
Add link to configure SNMP Community strings from node admin page (Issue NMS-15772)
-
Metadata DSL: Add effective values of service parameters in Karaf poll command (Issue NMS-16119)
-
Add language to docs for how to find schema to Kafka Producer (Issue NMS-16133)
-
Remove availability monitor content from documentation (Issue NMS-16135)
-
Migrate Tl1 docs from wiki (Issue NMS-16150)
Release Meridian-2023.1.7
Release 2023.1.7 contains a bunch of documentation updates, as well as a number of bug fixes and enhancements including improvements to the Karaf core startup, polling and node search fixes, IPv6 support in ILR, and a fix for loading the Cortex timeseries plugin.
The codename for Meridian 2023.1.7 is Zoot.
Bug
-
Intermittent error starting Telemetryd: No adapter found for class: org.opennms.netmgt.telemetry.protocols.netflow.adapter.netflow5.Netflow5Adapter (Issue NMS-15345)
-
Polling fails when rrd-status is set to true (Issue NMS-15806)
-
Provisioning policies do not apply (Issue NMS-16031)
-
null value in column "eventlog" PSQLException (Issue NMS-16048)
-
Prevent Invalid Node Filter Search from revealing SQL query (Issue NMS-16057)
-
Cortex-tss-plugin 2.0.1 does not work on v32 (Issue NMS-16104)
-
Update Instrumentation Log Reader to parse IPv6 addresses (Issue NMS-16114)
Release Meridian-2023.1.6
Release 2023.1.6 contains several important security fixes, one fix for a potential DOS vulnerability, and a handful of general bugfixes and enhancements.
Thanks to the following researchers for responsibly disclosing security issues in this release:
-
Moshe Apelbaum reported issue NMS-15699.
-
Jordi Miralles reported issues NMS-15703, NMS-15782, and NMS-15783.
-
OSS Fuzz reported issue NMS-15877.
The codename for Meridian 2023.1.6 is Snuffleupagus.
Breaking changes
-
This release removes the "3d" variation from the JFreeChart integration, because that style has been removed upstream.
Bug
-
Document the function hiding Meta-Data values with keynames containing "password" or "secret" (Issue NMS-12808)
-
Prevent Angular evaluation of strings enclosed by two curly braces in non-Angular form-fields and output (Issue NMS-15504)
-
backport fixes from Spring Security 5.x to custom Spring Security 4.2.20.RELEASE (Issue NMS-15663)
-
XXE injection via /rtc/post using the default rtc credentials (Issue NMS-15699)
-
ROLE_REST can be used to escalate to ROLE_ADMIN via /rest/users (Issue NMS-15703)
-
Requisition multi-threaded import is not optimal (Issue NMS-15776)
-
Stored XSS in multiple JSP files in opennms/opennms (Issue NMS-15782)
-
Reflected XSS in multiple JSP files in opennms/opennms (Issue NMS-15783)
-
POSTINSTALL scriptlet may fail if data/tmp/ is present but empty (Issue NMS-15809)
-
Kafka Producer incapable of using SSL (Issue NMS-15859)
-
CVEs for postgresql JDBC driver 42.2.18 (Issue NMS-15861)
-
Corrected Keystore setup instructions for minion on docker (Issue NMS-16017)
-
OpenNMS Search Bar does not retrieve nodes without foreignsource and foreignid (Issue NMS-16030)
-
Error on startup with Invalid CEN header exception (Issue NMS-16034)
Enhancement
-
Improve Kafka section of message broker docs in the deployment section (Issue NMS-15632)
-
Disable BeanShell interpreter remote server mode (Issue NMS-15793)
-
Include Node metadata in Measurement API query responses even if no resource data exists (Issue NMS-15839)
-
Extend filter syntax to include isSnmpPrimary (Issue NMS-15842)
-
Add docs to describe the default RRD storage retention (Issue NMS-16033)
Release Meridian-2023.1.5
Release 2023.1.5 contains several security fixes, a generous helping of other bug fixes, documentation improvements, and several small enhancements intended to improve supportability.
The codename for Meridian 2023.1.5 is Bunsen Honeydew.
Thanks to Erik Wynter for reporting several of the security issues fixed in this release.
Bug
-
Inconsistent references to JMXCollect/Monitor for "password-clear"/"password_clear" (Issue NMS-14884)
-
Database threads stuck idle_in_transaction (Issue NMS-15108)
-
Use UNKNOWN direction when not set in Netflow 9 or IPFIX template (Issue NMS-15134)
-
When upgrading Minion from an older version on RHEL based systems, the service file doesn’t point to the main installation, but rather to /etc/init.d/minion which doesn’t exist (Issue NMS-15600)
-
When upgrading Sentinel from an older version, the service file doesn’t point to the main installation, but rather to /etc/init.d/sentinel which doesn’t exist (Issue NMS-15601)
-
Minion connectivity config docs start the user in the wrong directory (Issue NMS-15618)
-
Docs need an update on what a Minion is able to do (Issue NMS-15620)
-
ROLE_FILESYSTEM_EDITOR can be used to escalate to ROLE_ADMIN via /opennms/rest/filesystem/contents?f=users.xml (Issue NMS-15702)
-
Authenticated XXE injection via the file editor (Issue NMS-15704)
-
Various corrections/clarifications needed in Sentinel install/configure docs (Issue NMS-15708)
-
https redirection is partially broken (Issue NMS-15732)
-
Setting scan interval to -1 results in an error (Issue NMS-15768)
-
Docs need updating to include support for Kafka 3 (Issue NMS-15777)
-
Add /usr/lib64/jvm to find-java.sh search paths (Issue NMS-15784)
-
Memory leak when using Groovy scripts in provisiond ScriptPolicy (Issue NMS-15798)
-
Polling fails when rrd-status is set to true (Issue NMS-15806)
-
Database deadlock triggered by NodeRestService (Issue NMS-15816)
Release Meridian-2023.1.4
Release 2023.1.4 contains one CVE-related security fix, a generous helping of other bug fixes, and several small enhancements intended to improve supportability.
The codename for Meridian 2023.1.4 is Zoot.
Breaking changes
-
This release has moved to a newer major version of Spring Security to address a number of CVEs, which necessitated changes to the
$OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml
file, so if you have modified this file in your installs, be sure to note your changes so you can reapply them to the updated version. -
The script
$OPENNMS_HOME/bin/install
checked whether$myser
equals$RUNAS
before sourcing$OPENNMS_HOME/etc/opennms.conf
, which caused startup to fail every time unless the script were run as root; if you have patched that file on your system, watch out for a.rpmsave
or.dpkg-new
file.
Enhancement
-
Codify code copyright conventions and guidelines (Issue NMS-13908)
-
Add diagnostic commands to Karaf shell for various internal schedulers (Issue NMS-14526)
-
Node Properties REST endpoint doesn’t include asset location data (Issue NMS-14785)
-
Add a method for finding and clearing alarms by TTicketID to OPA’s AlarmDAO (Issue NMS-15439)
-
Upgrade Spring Security (Issue NMS-15506)
-
Simplify the installation docs (Issue NMS-15518)
-
Docs: Add info about XSLT to XmlCollector (Issue NMS-15693)
-
Doc: Update DNS provisioning import adapter docs (Issue NMS-15694)
Bug
-
Fixing typo for event uei.opennms.org/internal/schedOutagesChanged (Issue NMS-15421)
-
Sentinels need local copy of thresholding config. (Issue NMS-15422)
-
Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)
-
Backshift graph’s Data tab shows incorrect / phantom data when using STACK (Issue NMS-15495)
-
Status Overview box calculation included the alarms and outages from nodes outside of the assigned categories (Issue NMS-15526)
-
install script checks for equality of myuser and RUNAS before sourcing opennms.conf (Issue NMS-15610)
-
send-events-to-elasticsearch karaf command passes username/password in reverse (Issue NMS-15638)
-
SCV passwords visible unredacted in Karaf (Issue NMS-15640)
-
Meridian Minion 2023 and 2022 installation docs for RHEL 8/9 use the repo URL for 2021/rhel8 (Issue NMS-15665)
-
Doc: File name syslog-grok-patterns.txt is wrong (Issue NMS-15684)
-
Stop packaging activemq-web-console.war (Issue NMS-15686)
-
Database deadlock caused by JdbcFilterDao (Issue NMS-15696)
-
Karaf SSH locks up if connections are terminated improperly (Issue NMS-15714)
Release Meridian-2023.1.3
Relase 2023.1.3 contains four security vulnerability fixes and a generous helping of other bug fixes. It also updates the plugin host to the latest version, and includes a few small enhancements to the startup scripts and other components.
The codename for Meridian 2023.1.3 is Beaker.
Bug
-
POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)
-
Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)
-
Plaintext Password Present in the Web logs (Issue NMS-15305)
-
Stored XSS on Quick-Add Node (Issue NMS-15308)
-
Adding new thresholds to an existing group often throws an IndexOutOfBoundsException (Issue NMS-15334)
-
Geographical Map map search capability is not as described in the docs (Issue NMS-15426)
-
A small typo in plugin.sh prevents artifacts from GitHub to be included in containers (Issue NMS-15592)
-
Foundation-2020: Snmp4JValueFactory: getOctetString displayable should be true (Issue NMS-15599)
-
Syslog Northbounder maxMessageSize config option is not used (Issue NMS-15606)
-
Jetty CVE-2023-26048/CVE-2023-26049 (Issue NMS-15612)
-
Update to latest groovy 2.x (Issue NMS-15633)
-
$OPENNMS_HOME/etc/THIRD-PARTY.txt has gone missing with Horizon 31.0.6 and onwards (Issue NMS-15636)
-
SNMPv3 support for AES256 appears broken (Issue NMS-15637)
New Feature
-
Add a CLI mechanism to set the admin password (Issue NMS-15221)
Release Meridian-2023.1.2
Release 2023.1.2 contains a bunch of bug fixes, along with fixes for several security vulnerabilities.
The codename for Meridian 2023.1.2 is Count von Count.
Bug
-
DOC: Document Newts fetch step / heartbeat settings in opennms.properties (Issue NMS-10155)
-
Document the function hiding Meta-Data values with keynames containing "password" or "secret" (Issue NMS-12808)
-
Scriptd consumes CPU even when it does nothing (Issue NMS-13216)
-
dependabot: upgrade Apache POI to at least 4.1.1 (CVE-2019-12415) (Issue NMS-14589)
-
POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)
-
Multiple CVEs for cxf 3.2.8 (Issue NMS-15065)
-
The management of alarms (escalation, and acknowledge) on the new MAP UI does not work for user without ROLE_REST. (Issue NMS-15080)
-
Concurrent requests to rrd summary endpoint fails (Issue NMS-15086)
-
Statistics Reports → Export Excel fails with exception (Issue NMS-15148)
-
No health check for the OpenNMS Core container (Issue NMS-15291)
-
Missing Security Headers (Issue NMS-15302)
-
Stored XSS On-Call Roles (Issue NMS-15307)
-
Stored XSS on Quick-Add Node (Issue NMS-15308)
-
[Web] - Session Fixation/Misconfigured Session Cookie Implementation (Issue NMS-15310)
-
Inconsistent expectations on TimeseriesStorageManager.get() with null return values (Issue NMS-15323)
-
The various SNMP extenders to not work with ifIndex-indexed resources (Issue NMS-15342)
-
SNMP Interfaces Endpoint returns multiple values [duplicates] when there are multiple "IP Interfaces" pointing to same SNMP-IfIndex "ipAdEntIfIndex". (Issue NMS-15352)
-
Missing XML Validation in Apache Xerces2 (Issue NMS-15373)
-
Adding or editing a schedule outage doesn’t reload the configuration for Threshd (Issue NMS-15420)
-
M2022 Minions > 2022.1.8 Cannot use SCV credentials (Issue NMS-15450)
-
Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)
-
Minimum system requirements does not enumerate RHEL9 support (Issue NMS-15499)
-
Cortex plugin has no LICENSE.md (Issue NMS-15521)
-
upgrade Xalan to 2.7.3 (CVE-2022-34169) (Issue NMS-15578)
Story
-
Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)
Unexpected Behavior
-
Following cross-site links logs out current session (Issue NMS-15320)
Release Meridian-2023.1.1
Release 2023.1.1 is a bugfix release that also incorporates several documentation improvements, upgrades a couple of library dependencies, and improves how plugins are included in the container images.
The codename for Meridian 2023.1.1 is Cookie Monster.
Enhancement
-
Replace wiki links across all codebase (Issue NMS-13912)
-
dependabot: mockito 3.4.6 to 4.6.1 (Issue NMS-14586)
-
DOC: Timeseries Documentation (Issue NMS-14959)
-
DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)
-
Update dual write docs to clarify configuration (Issue NMS-15425)
-
PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)
Bug
-
Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)
-
Minion on Ubuntu fails to start (Issue NMS-15160)
-
Upgrade HikariCP to 5.x (Issue NMS-15171)
-
Docs: The "Housekeeping Tasks" page should not tell the user to always run fix-karaf-setup.sh on upgrade (Issue NMS-15296)
-
Elevation on Feather nav bar header casts undesirable shadow (Issue NMS-15367)
-
Docs: Update path reference for PostgreSQL config files (Issue NMS-15381)
-
opennms-karaf-health is not last in featuresBoot — might miss status for a few features (Issue NMS-15407)
-
Invalid syntax due to typo in provisiond snmp graph (Issue NMS-15434)
Task
-
Number examples in service monitor chapters (Issue NMS-15215)
-
Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
-
Move the logic for downloading plugins into the Dockerfile (Issue NMS-15401)
-
Disable DEBs packages for Meridian 2023 (Issue NMS-15412)
Epic
-
Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)
Release Meridian-2023.1.0
Release 2023.1.0 is the first of the Meridian 2023 series, based on Horizon 31 and incorporating work done in that series and in Horizon 30.
This new major-version release introduces several breaking changes (see below).
Breaking Changes
-
The
GpDetector
andScriptPolicy
now require that their scripts be located beneath$OPENNMS_HOME
and beneath$OPENNMS_HOME/etc/script-policies
, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release. -
The OpenNMS Plugin API (OPA) has been updated to 1.3.0. OPA plugins intended to run in Meridian 2023.1.0 must implement version 1.0.0 or higher.
-
The
provisiond-configuration.xml
file has been replaced with a new implementation based on the new configuration management API, which resides outside the filesystem. See What’s New in Meridian 2023 for more information. -
Meridian Docker images are now based on a minimal install of Ubuntu, rather than CentOS. Symlinks are provided to match the old paths in /opt, but it’s possible you will run into subtle differences when transitioning.
-
The
org.opennms.netmgt.collectd.strictInterval
setting now defaults to true. See What’s New in Meridian 2023 for more information.
Known issues
The following known issues impact Meridian 2023.1.0; we expect all to be fixed in the next micro-version release:
-
Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding
ROLE_REST
to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention. -
On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restarting of the core. See NMS-15326 for details.
-
The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.
Shout-outs
-
Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.
-
Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.
-
Thanks to Ricardo Monteiro for bringing the geo-map alarms problem NMS-15080 to our attention.
The codename for Meridian 2023.1.0 is Kermit the Frog.
Enhancement
-
Remove image-related defaults from Docker container makefile (Issue NMS-13583)
-
Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)
-
Include Minion version on "Manage Minions" page (Issue NMS-14493)
-
Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)
-
Error compiling Cisco MIB (Issue NMS-14640)
-
Make the cloud connect plugin available in container images (Issue NMS-15012)
-
Data collection and graph definitions for provisiond performance (Issue NMS-15018)
-
Update docs to include RHEL 9 install instructions (Issue NMS-15147)
-
Test and Document Support for PostgreSQL 15 (Issue NMS-15151)
-
Make the ALEC plugin available in container images (Issue NMS-15349)
-
Make the Cortex TSS plugin available in container images (Issue NMS-15350)
-
Smoke test improvements and small tweaks to help developers (Issue NMS-15387)
Task
-
Geo Map: Add content to the map marker pop up (Issue NMS-13698)
-
Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)
-
CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)
-
CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)
-
Vulnerable JUnit dependency (Issue NMS-15074)
-
RHEL9 installation documentation tab (Issue NMS-15079)
-
Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)
-
Add flow version table to Flow Introduction (Issue NMS-15158)
-
Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)
-
Change OpenNMS Copyright from 2022 to 2023 in the documentation footer (Issue NMS-15212)
-
JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)
-
JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)
-
JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)
-
Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
-
Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)
-
Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)
-
Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)
Bug
-
Missing /run/opennms on Ubuntu (Issue NMS-14650)
-
RRD persistence with default configs in our Horizon OCI points to wrong libjrrd2.so (Issue NMS-14778)
-
Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)
-
OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)
-
Multiple stored and reflected XSS in webapp (Issue NMS-14854)
-
horizon.oci contains more than one container image (Issue NMS-14896)
-
Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)
-
Form Resubmission From Cache (Issue NMS-14933)
-
XML Entity Expansion Injection in geolocation API (Issue NMS-14988)
-
Remove reference to remote pollers (Issue NMS-15017)
-
RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)
-
Default limit of 10 is not working for event queries (Issue NMS-15123)
-
Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)
-
Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)
-
CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)
-
CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)
-
CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)
-
CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)
-
CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)
-
CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)
-
CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)
-
CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)
-
CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)
-
CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)
-
CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)
-
CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)
-
CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)
-
CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)
-
CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)
-
Update docs TOC to include missing notification commands file (Issue NMS-15266)
-
Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)
-
NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)
-
Poor contrast in navigation menu of OG UI (Issue NMS-15283)
-
Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)
-
Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)
-
Sanitize request parameters in outage/list.htm (Issue NMS-15294)
-
Plaintext Password Present in the Web logs (Issue NMS-15305)
-
Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)
-
RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)
-
Dead transaction in flow thresholding on sentinel (Issue NMS-15340)
-
Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)
-
When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)
-
ALEC plugin dependency update (Issue NMS-15391)
Story
-
Revive PoweredBy section in new docs (Issue NMS-14703)
-
Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)
-
SNMP Community retrieval through SCV on Minion (Issue NMS-15008)
-
Add JSON support (in additional to GBP) to the Kafka producer for flows (Issue NMS-15027)
-
Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)
-
Add KPI for Appliance count by model (Issue NMS-15051)
-
Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)
-
ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)
-
Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)
-
Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)
-
Geo Map node groups should split into individual markers (Issue NMS-15150)
-
Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)
-
Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)
-
Penetration testing for Meridian 2023 (Issue NMS-15225)
-
Meridian container images are signed (Issue NMS-15341)