From a0ec7f6b2fc7d4caa050f7e353e4f53f1bc140b7 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Tue, 20 May 2025 16:45:41 +0200 Subject: [PATCH] Icinga 2.12.12 --- CHANGELOG.md | 15 +++++++++++++++ ICINGA2_VERSION | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce065acac..8f6aa8bca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,21 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.12.12 (2025-05-27) + +This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which +might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA +private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this +typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2. + +* CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0. +* Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same + function which is fixed as well, but in case it is triggered, typically only a wrong error code + may be shown in a log message. +* Windows: Update OpenSSL shipped on Windows to v3.0.16. #10455 +* Windows: Fix unknown ctest(1) `--log_level` argument. #10453 +* Don't require to build .msi as admin. #10454 + ## 2.12.11 (2024-11-12) This security release fixes a TLS certificate validation bypass. diff --git a/ICINGA2_VERSION b/ICINGA2_VERSION index 0f1722dc5..b00afa264 100644 --- a/ICINGA2_VERSION +++ b/ICINGA2_VERSION @@ -1,2 +1,2 @@ -Version: 2.12.11 +Version: 2.12.12 Revision: 1
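Review bot: In the CHANGELOG.md hunk, the two security bullets are the only entries in the 2.12.12 section without a PR or issue reference, while the three Windows/build bullets each carry one (#10455, #10453, #10454); please add the reference for the CVE-2025-48057 fix and for the VerifyCertificate() use-after-free so readers can trace both to the actual change. The use-after-free bullet also reads as an afterthought to the CVE bullet ("Additionally, a use-after-free was found in the same function which is fixed as well"); rewording it as a standalone entry, e.g. "Fix use-after-free in VerifyCertificate(). When triggered, typically only a wrong error code is shown in a log message.", would make the fixed issues easier to scan. Since the intro paragraph states that only nodes holding the Icinga CA private key and linked against OpenSSL older than 1.1.0 are vulnerable, consider adding one sentence of operator guidance that those CA-holding masters (RHEL 7, Amazon Linux 2 are named) are the nodes to upgrade first. Minor grammar: "Don't require to build .msi as admin." would read better as "Don't require admin privileges to build the .msi.".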