Changelog

Upgrade ActiveMQ to 5.15 (Issue NMS-12089)

Add documentation for using Scheduled Outages (Issue NMS-12621)

Meridian 2023 Testing (Issue NMS-15152)

Replace wiki links across all codebase (Issue NMS-13912)

dependabot: mockito 3.4.6 to 4.6.1 (Issue NMS-14586)

DOC: Timeseries Documentation (Issue NMS-14959)

DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)

Update dual write docs to clarify configuration (Issue NMS-15425)

PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)

Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)

Minion on Ubuntu fails to start (Issue NMS-15160)

Upgrade HikariCP to 5.x (Issue NMS-15171)

Docs: The "Housekeeping Tasks" page should not tell the user to always run fix-karaf-setup.sh on upgrade (Issue NMS-15296)

Elevation on Feather nav bar header casts undesirable shadow (Issue NMS-15367)

Docs: Update path reference for PostgreSQL config files (Issue NMS-15381)

opennms-karaf-health is not last in featuresBoot — might miss status for a few features (Issue NMS-15407)

Invalid syntax due to typo in provisiond snmp graph (Issue NMS-15434)

Number examples in service monitor chapters (Issue NMS-15215)

Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

Move the logic for downloading plugins into the Dockerfile (Issue NMS-15401)

Disable DEBs packages for Meridian 2023 (Issue NMS-15412)

Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)

The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.

The OpenNMS Plugin API (OPA) has been updated to 1.3.0. OPA plugins intended to run in Meridian 2023.1.0 must implement version 1.0.0 or higher.

The provisiond-configuration.xml file has been replaced with a new implementation based on the new configuration management API, which resides outside the filesystem. See What’s New in Meridian 2023 for more information.

Meridian Docker images are now based on a minimal install of Ubuntu, rather than CentOS. Symlinks are provided to match the old paths in /opt, but it’s possible you will run into subtle differences when transitioning.

The org.opennms.netmgt.collectd.strictInterval setting now defaults to true. See What’s New in Meridian 2023 for more information.

Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.

On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restarting of the core. See NMS-15326 for details.

The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.

Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.

Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.

Thanks to Ricardo Monteiro for bringing the geo-map alarms problem NMS-15080 to our attention.

Remove image-related defaults from Docker container makefile (Issue NMS-13583)

Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)

Include Minion version on "Manage Minions" page (Issue NMS-14493)

Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)

Error compiling Cisco MIB (Issue NMS-14640)

Make the cloud connect plugin available in container images (Issue NMS-15012)

Data collection and graph definitions for provisiond performance (Issue NMS-15018)

Update docs to include RHEL 9 install instructions (Issue NMS-15147)

Test and Document Support for PostgreSQL 15 (Issue NMS-15151)

Make the ALEC plugin available in container images (Issue NMS-15349)

Make the Cortex TSS plugin available in container images (Issue NMS-15350)

Smoke test improvements and small tweaks to help developers (Issue NMS-15387)

Geo Map: Add content to the map marker pop up (Issue NMS-13698)

Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)

CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)

CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)

Vulnerable JUnit dependency (Issue NMS-15074)

RHEL9 installation documentation tab (Issue NMS-15079)

Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)

Add flow version table to Flow Introduction (Issue NMS-15158)

Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)

Change OpenNMS Copyright from 2022 to 2023 in the documentation footer (Issue NMS-15212)

JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)

JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)

JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)

Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)

Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)

Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)

RPM packages fail to install when FIPS Enabled (Issue NMS-14628)

Link on Netflow9 to main Netflow doc is broken (Issue NMS-15144)

Missing /run/opennms on Ubuntu (Issue NMS-14650)

RRD persistence with default configs in our Horizon OCI points to wrong libjrrd2.so (Issue NMS-14778)

Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)

OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)

Multiple stored and reflected XSS in webapp (Issue NMS-14854)

horizon.oci contains more than one container image (Issue NMS-14896)

Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)

Form Resubmission From Cache (Issue NMS-14933)

XML Entity Expansion Injection in geolocation API (Issue NMS-14988)

Remove reference to remote pollers (Issue NMS-15017)

RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)

Default limit of 10 is not working for event queries (Issue NMS-15123)

Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)

Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)

CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)

CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)

CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)

CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)

CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)

CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)

CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)

CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)

CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)

CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)

CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)

CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)

CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)

CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)

CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)

Update docs TOC to include missing notification commands file (Issue NMS-15266)

Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)

NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)

Poor contrast in navigation menu of OG UI (Issue NMS-15283)

Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)

Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)

Sanitize request parameters in outage/list.htm (Issue NMS-15294)

Plaintext Password Present in the Web logs (Issue NMS-15305)

Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)

RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)

Dead transaction in flow thresholding on sentinel (Issue NMS-15340)

Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)

When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)

ALEC plugin dependency update (Issue NMS-15391)

Revive PoweredBy section in new docs (Issue NMS-14703)

Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)

SNMP Community retrieval through SCV on Minion (Issue NMS-15008)

Add JSON support (in additional to GBP) to the Kafka producer for flows (Issue NMS-15027)

Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)

Add KPI for Appliance count by model (Issue NMS-15051)

Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)

ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)

Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)

Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)

Geo Map node groups should split into individual markers (Issue NMS-15150)

Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)

Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)

Penetration testing for Meridian 2023 (Issue NMS-15225)

Meridian container images are signed (Issue NMS-15341)

Publish container images to a container registry other than DockerHub (Issue NMS-15091)

Meridian 2023 release testing (Issue NMS-15137)

Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)

Installation of Meridian Minion, Sentinel, Core and Node. (Issue NMS-15388)

Minion routes traffic to Core. (Issue NMS-15389)

Sentinel offloads flows from Core. (Issue NMS-15405)