From 1632dd5362fc0019c1f9902ca2fa7fe3f210fb56 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Tue, 21 Jan 2025 18:18:40 +0100 Subject: [PATCH 1/5] Icinga 2.14.4 --- CHANGELOG.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62a295194..aeec785dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,70 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.14.4 (2025-01-23) + +This bugfix release is focused on improving HA cluster stability and easing +troubleshooting of issues in this area. It also addresses several crashes, +in the core itself and both in Icinga DB and IDO (numbers out of range). +In addition, it fixes several other issues such as lost notifications +or TimePeriod/ScheduledDowntime exceeding specified date ranges. + +### Crash Fixes + +* Invalid `DateTime#format()` arguments in config and console on Windows Server 2016 and older. #10112 +* Downtime scheduling at runtime with non-existent trigger. #10049 +* Object creation at runtime during Icinga DB initialization. #10151 +* Comment on a service of a non-existent host. #9861 + +### Miscellaneous Bugfixes + +* Lost notifications after recovery outside the notification time period. #10187 +* TimePeriod/ScheduledDowntime exceeding specified date range. #9983 #10107 +* Clean up failure for obsolete Downtimes. #10062 +* ifw-api check command: use correct process-finished handler. #10140 +* Email notification scripts: strip 0x0D (CR) for a proper Content-Type. #10061 +* Several fixes and improvements of the code quality. #10066 #10214 #10254 #10263 #10264 + +### Cluster and API + +* Sync runtime objects in topological order to honor their dependencies. #10000 +* Make parallel config syncs more robust. #10013 +* After object creation via API fails, clean up properly for the next try. #10111 +* Close HTTPS connections properly to prevent leaks. #10005 #10006 +* Reduce the number of cluster messages in memory at the same time. #9991 #9999 #10210 +* Once a cluster connection shall be closed, stop communicating. #10213 #10221 +* Remove unnecessary blocking of semaphores. #9992 #9994 +* Reduce unnecessary cluster messages setting the next check time. 
#10011 + +### Icinga DB and IDO + +* IDO: fix object relations after aborted synchronization. #10065 +* Icinga DB, IDO: limit all timestamps to four year digits. #10058 #10059 +* Icinga DB: limit execution\_time and latency (milliseconds) to database schema. #10060 + +### Troubleshooting + +* Add `/v1/debug/malloc_info` which calls `malloc_info(3)` if available. #10015 +* Add log messages about own network I/O. #9993 #10141 #10207 +* Several fixes and improvements of log messages. #9997 #10021 #10209 + +### Windows + +* Update OpenSSL shipped on Windows to v3.0.15. #10170 +* Update Boost shipped on Windows to v1.86. #10114 +* Support CMake v3.29. #10037 +* Don't require to build .msi as admin. #10137 +* Build configuration scripts: allow custom `$CMAKE_ARGS`. #10312 + +### Documentation + +* Distributed Monitoring: add section "External CA/PKI". #9825 +* Explain how to enable/disable debug logging on the fly. #9981 +* Update supported OS versions and repository configuration. #10064 #10090 #10120 #10135 #10136 #10205 +* Several fixes and improvements. #9960 #10050 #10071 #10156 #10194 +* Replace broken links. #10115 #10118 #10282 +* Fix typographical and similarly trivial errors. #9953 #9967 #10056 #10116 #10152 #10153 #10204 + ## 2.14.3 (2024-11-12) This security release fixes a TLS certificate validation bypass. From 8c7ed2facac05f859c0e1c2f5a7bf985a9a606a2 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Tue, 4 Feb 2025 15:28:41 +0100 Subject: [PATCH 2/5] Release v2.14.5 --- CHANGELOG.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index aeec785dd..588c596db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
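Review bot: the "Crash Fixes" section lists four crash triggers, three of which are runtime operations (scheduling a downtime with a non-existent trigger, object creation during Icinga DB initialization, commenting on a service of a non-existent host), but neither the release summary nor the bullets say whether any of them are reachable by an API client, which is what an operator needs to know to decide how urgently to upgrade a master; suggest stating this either way, as was done for the TLS bypass in the 2.14.3 summary. Two wording points in the same hunk: "Once a cluster connection shall be closed, stop communicating" reads awkwardly and could be "Stop sending on a cluster connection once it is being closed", and "limit all timestamps to four year digits" is clearer as "limit all timestamps to four-digit years", since the fix is about out-of-range values (the summary says "numbers out of range"), not the number of digits in the year field.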
@@ -7,6 +7,26 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.14.5 (2025-02-06) + +This release fixes a regression introduced in 2.14.4 that caused the `icinga2 node setup`, +`icinga2 node wizard`, and `icinga2 pki request` commands to fail if a certificate was +requested from a node that has to forward the request to another node for signing. +Additionally, it fixes a small bug in the performance data normalization and includes +various documentation improvements. + +### Bug Fixes + +* Don't close anonymous connections before sending the response for a certificate request #10337 +* Performance data: Don't discard min/max values even if crit/warn thresholds aren’t given #10339 + +### Documentation + +* Document the -X option for the mail-host-notification and mail-service-notification commands #10335 +* Include Nagios in the migration docs #10324 +* Remove RHEL 7 from installation instructions #10334 +* Add instructions for installing build dependencies on Windows Server #10336 + ## 2.14.4 (2025-01-23) This bugfix release is focused on improving HA cluster stability and easing From 404136141b562dce2fa3a3927c33fb26074ccf60 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Tue, 20 May 2025 16:45:41 +0200 Subject: [PATCH 3/5] Icinga 2.14.6 --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 588c596db..373f60241 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
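Review bot: the summary says the `icinga2 node setup` / `node wizard` / `pki request` regression was "introduced in 2.14.4" but does not point to which 2.14.4 change caused it, so a reader comparing the two entries cannot correlate the fix (#10337, about closing anonymous connections before the certificate-request response) with the originating change; suggest naming that PR number in the bullet or the summary. Style: the bullets in this hunk put the PR number after the sentence with no trailing period ("... certificate request #10337"), whereas every 2.14.4 entry ends the sentence with a period before the number ("... trigger. #10049"); the "aren’t" in the performance-data bullet also uses a typographic apostrophe while the rest of the file uses ASCII. Suggest normalizing both so the two adjacent sections look alike.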
@@ -7,6 +7,19 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.14.6 (2025-05-27) + +This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which +might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA +private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this +typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2. + +* CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0. +* Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same + function which is fixed as well, but in case it is triggered, typically only a wrong error code + may be shown in a log message. +* Windows: Update OpenSSL shipped on Windows to v3.0.16. + ## 2.14.5 (2025-02-06) This release fixes a regression introduced in 2.14.4 that caused the `icinga2 node setup`, From 2e640bc7e23fc648cce834b539cfc039cbf06eb1 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Tue, 20 May 2025 16:45:41 +0200 Subject: [PATCH 4/5] Icinga 2.13.12 --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 373f60241..1b115cbb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
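Review bot: the CVE-2025-48057 bullet is the only entry in the file without a PR or issue number, and the second bullet mixes a title with a paragraph ("Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same function which is fixed as well, but ..."); suggest giving both bullets a reference number and rewriting the second as a plain statement, e.g. "Fix a use-after-free in VerifyCertificate(); when triggered it typically only causes a wrong error code in a log message." The summary also limits the vulnerable population to CA-key holders running OpenSSL older than 1.1.0, yet the third bullet, the Windows OpenSSL 3.0.16 bump, sits in the same list with no qualifier, so it reads as part of the CVE fix even though Windows builds already ship OpenSSL 3.0.x and are not in the affected set as described; suggest marking it as a routine update. Finally, the summary does not state the affected version range or that the 2.13 series receives the same fix, both of which help operators on older branches.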
@@ -340,6 +340,20 @@ Add `linux_netdev` check command. #9045 * Several code quality improvements. #8815 #9106 #9250 #9508 #9517 #9537 #9594 #9605 #9606 #9641 #9658 #9702 #9717 #9738 +## 2.13.12 (2025-05-27) + +This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which +might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA +private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this +typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2. + +* CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0. +* Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same + function which is fixed as well, but in case it is triggered, typically only a wrong error code + may be shown in a log message. +* Windows: Update OpenSSL shipped on Windows to v3.0.16. +* Fix a failing test case on systems `time_t` is only 32 bits #10344. + ## 2.13.11 (2025-01-23) This bugfix release addresses several crashes, From da89233dbef8efaf68ed463f4c398ba791967103 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Wed, 5 Feb 2025 13:15:10 +0100 Subject: [PATCH 5/5] Mention #10343 in changelog for 2.14.5 The problem was only noticed after the changelog already got merged, hence this has to be added retroactively. --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b115cbb2..94c553cf5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,7 @@ various documentation improvements. * Don't close anonymous connections before sending the response for a certificate request #10337 * Performance data: Don't discard min/max values even if crit/warn thresholds aren’t given #10339 +* Fix a failing test case on systems `time_t` is only 32 bits #10343 ### Documentation
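Review bot: the same test-case fix is credited to two different numbers in this series, "#10344." in the 2.13.12 hunk and "#10343" in the retroactive addition to 2.14.5, and the two lines also differ in punctuation (period after the number vs. none); please confirm which number belongs to which branch, since one of them is presumably the backport PR and the other the original, and if so it would help to say which is which rather than leaving readers to guess from the section. Both lines also drop a word: "on systems `time_t` is only 32 bits" should read "on systems where `time_t` is only 32 bits". The 2.13.12 body is otherwise a verbatim copy of the 2.14.6 entry from the previous patch, so the same remarks apply: the CVE bullet lacks a reference number, the use-after-free bullet should be a single plain sentence, and the Windows OpenSSL 3.0.16 bump should be marked as a routine update rather than listed as part of the security fix.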