From 221417d2e0615b18fb046408031c1371c72f9430 Mon Sep 17 00:00:00 2001
From: Noah Hilverling <noah.hilverling@icinga.com>
Date: Tue, 15 Dec 2020 10:12:31 +0100
Subject: [PATCH] Add security fix to CHANGELOG

---
 CHANGELOG.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 724d320d9..726d50ba3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,9 +9,25 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 
 ## 2.11.8 (2020-12-15)
 
-Version 2.11.8 mainly focuses on resolving issues with high load on Windows regarding the config sync
+Version 2.11.8 resolves a security vulnerability with revoked certificates being
+renewed automatically ignoring the CRL.
+
+This version also resolves issues with high load on Windows regarding the config sync
 and not being able to disable/enable Icinga 2 features over the API.
 
+### Security
+
+* Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (CVE-2020-29663)
+
+When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
+when connections were established so far, but not when a certificate is requested.
+This allows a node to automatically renew a revoked certificate if it meets the
+other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
+
+Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
+this only affects setups with external certificate signing and revoked certificates
+that expire in less then 30 days.
+
 ### Bugfixes
 
 * Improve config sync locking - resolves high load issues on Windows #8510