Icinga 2.14.6

2025-07-27 07:34:15 +02:00 · 2025-05-20 16:45:41 +02:00 · 2025-05-20 16:45:41 +02:00 · 404136141b
commit 404136141b
parent 8c7ed2faca
1 changed files with 13 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,19 @@ documentation before upgrading to a new release.

 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).

+## 2.14.6 (2025-05-27)
+
+This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which
+might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA
+private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this
+typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2.
+
+* CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
+* Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same
+  function which is fixed as well, but in case it is triggered, typically only a wrong error code
+  may be shown in a log message.
+* Windows: Update OpenSSL shipped on Windows to v3.0.16.
+
 ## 2.14.5 (2025-02-06)

 This release fixes a regression introduced in 2.14.4 that caused the `icinga2 node setup`,