Merge branch 'release/v2.9.6'

2022-03-08 15:12:59 +01:00 · 2022-03-08 15:12:59 +01:00 · 88294549ba
parent e815ff0309 f21200f167
commit 88294549ba
9 changed files with 22 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,20 @@ Please make sure to always read our [Upgrading](doc/80-Upgrading.md) documentati

 ## What's New

+### What's New in Version 2.9.6
+
+**Notice**: This is a security release. It is recommended to upgrade immediately.
+
+#### Security Fixes
+
+This release includes three security related fixes. The first is a path traversal issue that affects installations
+of v2.9.0 and above. Another one allows admins to run arbitrary PHP code just by accessing the UI. The last one may
+disclose unwanted details to restricted users. Please check the advisories on GitHub for more details.
+
+* Path traversal in static library file requests for unauthenticated users [GHSA-5p3f-rh28-8frw](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw)
+* SSH resources allow arbitrary code execution for authenticated users [GHSA-v9mv-h52f-7g63](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63)
+* Unwanted disclosure of hosts and related data, linked to decommissioned services [GHSA-qcmg-vr56-x9wf](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf)
+
 ### What's New in Version 2.9.5

 This is a hotfix release which fixes the following issues:
--- a/2
+++ b/2
@ -1 +1 @@
-v2.9.5
+v2.9.6
--- a/library/Icinga/Application/Version.php
+++ b/library/Icinga/Application/Version.php
@ -8,7 +8,7 @@ namespace Icinga\Application;
 */
 class Version
 {
-    const VERSION = '2.9.5';
+    const VERSION = '2.9.6';

    /**
     * Get the version of this instance of Icinga Web 2
--- a/modules/doc/module.info
+++ b/modules/doc/module.info
@ -1,4 +1,4 @@
 Module: doc
-Version: 2.9.5
+Version: 2.9.6
 Description: Documentation module
 Extracts, shows and exports documentation for Icinga Web 2 and its modules.
--- a/modules/migrate/module.info
+++ b/modules/migrate/module.info
@ -1,5 +1,5 @@
 Module: migrate
-Version: 2.9.5
+Version: 2.9.6
 Description: Migrate module
 This module was introduced with the domain-aware authentication feature in version 2.5.0.
 It helps you migrating users and user configurations according to a given domain.
--- a/modules/monitoring/module.info
+++ b/modules/monitoring/module.info
@ -1,5 +1,5 @@
 Module: monitoring
-Version: 2.9.5
+Version: 2.9.6
 Description: Icinga monitoring module
 IDO accessor and UI for your monitoring. This is the initial instalment for a
 graphical presentation of Icinga environments. The predecessor of Icinga DB.
--- a/modules/setup/module.info
+++ b/modules/setup/module.info
@ -1,5 +1,5 @@
 Module: setup
-Version: 2.9.5
+Version: 2.9.6
 Description: Setup module
 Web based wizard for setting up Icinga Web 2 and its modules.
 This includes the data backends (e.g. relational database, LDAP),
--- a/modules/test/module.info
+++ b/modules/test/module.info
@ -1,5 +1,5 @@
 Module: test
-Version: 2.9.5
+Version: 2.9.6
 Description: Translation module
 This module allows developers to run (unit) tests against Icinga Web 2 and
 any of its modules. Usually you do not need to enable this.
--- a/modules/translation/module.info
+++ b/modules/translation/module.info
@ -1,5 +1,5 @@
 Module: translation
-Version: 2.9.5
+Version: 2.9.6
 Description: Translation module
 This module allows developers and translators to translate modules for multiple
 languages. You do not need this module to run an internationalized web frontend.