From 909dcc4a4d23bdec0f0d1792b3761d49531115dc Mon Sep 17 00:00:00 2001 From: Noah Hilverling Date: Thu, 4 Mar 2021 17:02:43 +0000 Subject: [PATCH] CHANGELOG.md: add v2.11.8 --- CHANGELOG.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17420fabf..0f5f2f4a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -227,6 +227,37 @@ Thanks to all contributors: * Code quality fixes * Small documentation fixes +## 2.11.8 (2020-12-15) + +Version 2.11.8 resolves a security vulnerability with revoked certificates being +renewed automatically ignoring the CRL. + +This version also resolves issues with high load on Windows regarding the config sync +and not being able to disable/enable Icinga 2 features over the API. + +### Security + +* Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (CVE-2020-29663) + +When a CRL is specified in the ApiListener configuration, Icinga 2 only used it +when connections were established so far, but not when a certificate is requested. +This allows a node to automatically renew a revoked certificate if it meets the +other conditions for auto renewal (issued before 2017 or expires in less than 30 days). + +Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years, +this only affects setups with external certificate signing and revoked certificates +that expire in less then 30 days. + +### Bugfixes + +* Improve config sync locking - resolves high load issues on Windows #8510 +* Fix runtime config updates being ignored for objects without zone #8550 +* Use proper buffer size for OpenSSL error messages #8543 + +### Enhancements + +* On checkable recovery: re-check children that have a problem #8560 + ## 2.11.7 (2020-12-01) Version 2.11.7 fixes several issues to improve the reliability of the cluster functionality.
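Review bot: In the Security section of the added 2.11.8 entry, the last paragraph reads "that expire in less then 30 days"; this should be "less than 30 days", matching the "expires in less than 30 days" wording in the paragraph just above it. In the same section, "Icinga 2 only used it when connections were established so far, but not when a certificate is requested" mixes tenses and is hard to parse; something like "Icinga 2 so far only used it when connections were established, but not when a certificate was requested" would read more clearly. The word "currently" in "currently (v2.12.3 and earlier)" will go stale in an entry dated 2020-12-15, so consider dropping it and keeping only the version range. The intro also mentions "not being able to disable/enable Icinga 2 features over the API", but none of the three Bugfixes items names that fix, so it would help to make clear which entry covers it. Finally, the Security bullet cites only the CVE, while the Bugfixes and Enhancements bullets each carry an issue number; if a tracking issue or PR exists for the CRL fix, reference it the same way so operators can find the change.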