Merge pull request #8663 from Icinga/probot/sync-changelog/d8c01f4a7ab56dff0fbfd392cd2ca7c9c63b49c8

CHANGELOG.md: add v2.11.8
2021-03-04 18:03:45 +01:00 · 2021-03-04 18:03:45 +01:00 · c2be914e21
parent d8c01f4a7a 909dcc4a4d
commit c2be914e21
1 changed files with 31 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -227,6 +227,37 @@ Thanks to all contributors:
  * Code quality fixes
  * Small documentation fixes

+## 2.11.8 (2020-12-15)
+
+Version 2.11.8 resolves a security vulnerability with revoked certificates being
+renewed automatically ignoring the CRL.
+
+This version also resolves issues with high load on Windows regarding the config sync
+and not being able to disable/enable Icinga 2 features over the API.
+
+### Security
+
+* Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (CVE-2020-29663)
+
+When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
+when connections were established so far, but not when a certificate is requested.
+This allows a node to automatically renew a revoked certificate if it meets the
+other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
+
+Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
+this only affects setups with external certificate signing and revoked certificates
+that expire in less then 30 days.
+
+### Bugfixes
+
+* Improve config sync locking - resolves high load issues on Windows #8510
+* Fix runtime config updates being ignored for objects without zone #8550
+* Use proper buffer size for OpenSSL error messages #8543
+
+### Enhancements
+
+* On checkable recovery: re-check children that have a problem #8560 
+
 ## 2.11.7 (2020-12-01)

 Version 2.11.7 fixes several issues to improve the reliability of the cluster functionality.