tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-26 15:14:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-98wp-jc6q-x5q5

Browse Source 
API: hide ApiListener#ticket_salt (2.11)
This commit is contained in:
Julian Brost 2021-07-15 11:13:35 +02:00 committed by GitHub
commit 236e10d7b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CHANGELOG.md
View File

@ -7,6 +7,41 @@ documentation before upgrading to a new release.
Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).
## 2.11.10 (2021-07-15)
Version 2.11.10 fixes two security vulnerabilities that may lead to privilege
escalation for authenticated API users. Other improvements include several
bugfixes related to downtimes, downtime notifications, and more reliable
connection handling.
### Security
* Don't expose the PKI ticket salt via the API. This may lead to privilege
escalation for authenticated API users by them being able to request
certificates for other identities (CVE-2021-32739)
* Don't expose IdoMysqlConnection, IdoPgsqlConnection, and ElasticsearchWriter
passwords via the API (CVE-2021-32743)
* Windows: Update bundled OpenSSL to version 1.1.1k #8888
Depending on your setup, manual intervention beyond installing the new versions
may be required, so please read the more detailed information in the
[release blog post](https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/)
carefully.
### Bugfixes
* Don't send downtime end notification if downtime hasn't started #8878
* Don't let a failed downtime creation block the others #8871
* Support downtimes and comments for checkables with long names #8870
* Trigger fixed downtimes immediately if the current time matches
(instead of waiting for the timer) #8891
* Add configurable timeout for full connection handshake #8872
### Enhancements
* Replace existing downtimes on ScheduledDowntime change #8880
* Improve crashlog #8869
## 2.11.9 (2021-05-27) ## 2.11.9 (2021-05-27)
Version 2.11.9 is a maintenance release that fixes some crashes, improves error handling Version 2.11.9 is a maintenance release that fixes some crashes, improves error handling

2
VERSION
View File

@ -1,2 +1,2 @@
Version: 2.11.9 Version: 2.11.10
Revision: 1 Revision: 1

2
lib/remote/apilistener.ti
View File

@ -47,7 +47,7 @@ class ApiListener : ConfigObject
default {{{ return 15.0; }}} default {{{ return 15.0; }}}
}; };
[config] String ticket_salt; [config, no_user_view, no_user_modify] String ticket_salt;
[config] Array::Ptr access_control_allow_origin; [config] Array::Ptr access_control_allow_origin;
[config, deprecated] bool access_control_allow_credentials; [config, deprecated] bool access_control_allow_credentials;