From b5b83fa51564662ff2e78d7529ff77e1085d4522 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Thu, 1 Jul 2021 17:25:41 +0200 Subject: [PATCH 1/2] API: hide ApiListener#ticket_salt --- lib/remote/apilistener.ti | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/remote/apilistener.ti b/lib/remote/apilistener.ti index 671618213..734c92fe3 100644 --- a/lib/remote/apilistener.ti +++ b/lib/remote/apilistener.ti @@ -47,7 +47,7 @@ class ApiListener : ConfigObject default {{{ return 15.0; }}} }; - [config] String ticket_salt; + [config, no_user_view, no_user_modify] String ticket_salt; [config] Array::Ptr access_control_allow_origin; [config, deprecated] bool access_control_allow_credentials; From ce26bf9a4c31e1085110dd9362947817baff8791 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Fri, 9 Jul 2021 16:15:24 +0200 Subject: [PATCH 2/2] Icinga 2.12.5 --- CHANGELOG.md | 35 +++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f3107f95..d8d6f0139 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,41 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.12.5 (2021-07-15) + +Version 2.12.5 fixes two security vulnerabilities that may lead to privilege +escalation for authenticated API users. Other improvements include several +bugfixes related to downtimes, downtime notifications, and more reliable +connection handling. + +### Security + +* Don't expose the PKI ticket salt via the API. This may lead to privilege + escalation for authenticated API users by them being able to request + certificates for other identities (CVE-2021-32739) +* Don't expose IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, and + ElasticsearchWriter passwords via the API (CVE-2021-32743) +* Windows: Update bundled OpenSSL to version 1.1.1k #8885 + +Depending on your setup, manual intervention beyond installing the new versions +may be required, so please read the more detailed information in the +[release blog post](https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/) +carefully. + +### Bugfixes + +* Don't send downtime end notification if downtime hasn't started #8877 +* Don't let a failed downtime creation block the others #8863 +* Support downtimes and comments for checkables with long names #8864 +* Trigger fixed downtimes immediately if the current time matches + (instead of waiting for the timer) #8889 +* Add configurable timeout for full connection handshake #8866 + +### Enhancements + +* Replace existing downtimes on ScheduledDowntime change #8879 +* Improve crashlog #8865 + ## 2.12.4 (2021-05-27) Version 2.12.4 is a maintenance release that fixes some crashes, improves error handling diff --git a/VERSION b/VERSION index fc8802e76..b961d2f9f 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -Version: 2.12.4 +Version: 2.12.5 Revision: 1
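Review bot: on the `lib/remote/apilistener.ti` hunk, adding `no_user_view, no_user_modify` to `[config] String ticket_salt;` stops the salt from being returned or changed through the API, which is the CVE-2021-32739 fix the changelog describes, but it does not invalidate a salt that was already read by an authenticated API user before the upgrade; since the changelog says "manual intervention beyond installing the new versions may be required", the release notes should state explicitly that the ticket salt is to be rotated on upgraded setups. Please also add a regression test that an API query for ApiListener objects no longer contains a `ticket_salt` attribute and that a modify request for it is rejected, so the attribute flags cannot be silently dropped in a later refactor.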
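Review bot: on the `CHANGELOG.md` hunk, the Security section lists "Don't expose IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, and ElasticsearchWriter passwords via the API (CVE-2021-32743)", but this two-patch series only contains the `ticket_salt` change from PATCH 1/2; confirm the password-hiding commits are already merged before the 2.12.5 tag is created, otherwise the changelog claims a fix the release does not ship. The two CVE entries also carry no issue or PR reference, unlike the other lines (for example `#8885` for the OpenSSL update); adding the corresponding advisory or PR links would let users verify what changed.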