diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c1a26791..b2033b774 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,34 @@ Please make sure to always read our [Upgrading](doc/80-Upgrading.md) documentati ## What's New +### What's New in Version 2.11.5 + +**Notice:** This is a security release. It is recommended to upgrade _immediately_. + +### Vulnerabilities, Closed + +Cross site scripting is one of the worst attacks on web based platforms. Especially, if carrying it out is as easy as +the first two mentioned here. You might recognize the open redirect on the login. You are correct, we attempted to fix +it already with v2.11.3 but underestimated PHP's quirks. The last is difficult to exploit, hence the lowest severity +of all, but don't be fooled by that! + +* XSS in embedded content [CVE-2025-27405](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w) +* DOM-based XSS [CVE-2025-27404](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66) +* Open redirect on login page [CVE-2025-30164](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-8r73-6686-wv8q) +* Reflected XSS [CVE-2025-27609](https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38) + +Big thanks to all finders / reporters! :+1: + +### Bugs, Exterminated + +Did you know, that we started [Icinga Notifications](https://icinga.com/docs/icinga-notifications/latest/) with support +for PostgreSQL first? Reason for that is, we wanted to make sure we are fully compatible with it right away. To ensure +things like logging in with a PostgreSQL authentication/group backend is case-insensitive, like it was always the case +for MySQL. Now it **really** is case-insensitive! + +* Login against Postgres DB is case-sensitive [#5223](https://github.com/Icinga/icingaweb2/issues/5223) +* Role list has no functioning quick search [#5300](https://github.com/Icinga/icingaweb2/issues/5300) + ### What's New in Version 2.11.4 You can find all issues related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/78?closed=1). 
diff --git a/VERSION b/VERSION index a63479186..b04f35fb0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v2.11.4 +v2.11.5 diff --git a/library/Icinga/Application/Version.php b/library/Icinga/Application/Version.php index 3045e8ce6..416887917 100644 --- a/library/Icinga/Application/Version.php +++ b/library/Icinga/Application/Version.php @@ -8,7 +8,7 @@ namespace Icinga\Application; */ class Version { - const VERSION = '2.11.4'; + const VERSION = '2.11.5'; /** * Get the version of this instance of Icinga Web 2 diff --git a/modules/doc/module.info b/modules/doc/module.info index ac596db92..e28557735 100644 --- a/modules/doc/module.info +++ b/modules/doc/module.info @@ -1,4 +1,4 @@ Module: doc -Version: 2.11.4 +Version: 2.11.5 Description: Documentation module Extracts, shows and exports documentation for Icinga Web 2 and its modules. diff --git a/modules/migrate/module.info b/modules/migrate/module.info index 6eb291159..1536ae44c 100644 --- a/modules/migrate/module.info +++ b/modules/migrate/module.info @@ -1,5 +1,5 @@ Module: migrate -Version: 2.11.4 +Version: 2.11.5 Description: Migrate module This module was introduced with the domain-aware authentication feature in version 2.5.0. It helps you migrating users and user configurations according to a given domain. diff --git a/modules/monitoring/module.info b/modules/monitoring/module.info index 82c520dc9..28b5ec0b6 100644 --- a/modules/monitoring/module.info +++ b/modules/monitoring/module.info @@ -1,5 +1,5 @@ Module: monitoring -Version: 2.11.4 +Version: 2.11.5 Description: Icinga monitoring module IDO accessor and UI for your monitoring. This is the initial instalment for a graphical presentation of Icinga environments. The predecessor of Icinga DB. diff --git a/modules/setup/module.info b/modules/setup/module.info index e3570bd04..b90536462 100644 --- a/modules/setup/module.info +++ b/modules/setup/module.info 
@@ -1,5 +1,5 @@ Module: setup -Version: 2.11.4 +Version: 2.11.5 Description: Setup module Web based wizard for setting up Icinga Web 2 and its modules. This includes the data backends (e.g. relational database, LDAP), diff --git a/modules/test/module.info b/modules/test/module.info index df5bb6981..d9ff85cda 100644 --- a/modules/test/module.info +++ b/modules/test/module.info @@ -1,5 +1,5 @@ Module: test -Version: 2.11.4 +Version: 2.11.5 Description: Translation module This module allows developers to run (unit) tests against Icinga Web 2 and any of its modules. Usually you do not need to enable this. diff --git a/modules/translation/module.info b/modules/translation/module.info index 57a0dd27f..3e214db84 100644 --- a/modules/translation/module.info +++ b/modules/translation/module.info @@ -1,5 +1,5 @@ Module: translation -Version: 2.11.4 +Version: 2.11.5 Description: Translation module This module allows developers and translators to translate modules for multiple languages. You do not need this module to run an internationalized web frontend.
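Review bot: In the CHANGELOG.md hunk, the open redirect entry says "we attempted to fix it already with v2.11.3 but underestimated PHP's quirks" without stating outright that the earlier fix was incomplete, so an operator who upgraded to 2.11.3 or 2.11.4 for that fix may not realise this release matters to them. Suggest saying so explicitly in the bullet for CVE-2025-30164 or in the intro paragraph. Two smaller points in the same hunk: the 2.11.4 section directly below opens with "You can find all issues related to this release on our Roadmap" and the new 2.11.5 section has no equivalent milestone link, and the sentence starting "To ensure things like logging in with a PostgreSQL authentication/group backend is case-insensitive" is a fragment that would read better joined to the sentence before it.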
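Review bot: Across the VERSION, library/Icinga/Application/Version.php and module.info hunks the release number is hand-edited in eight places, and the formats differ: VERSION carries `v2.11.5` with a leading "v" while `const VERSION = '2.11.5';` and the six `Version: 2.11.5` lines do not. All eight agree in this patch, but nothing visible here enforces that, and for a security release a missed file would leave a module reporting 2.11.4 to anyone checking whether the fix is deployed. Suggest a release-time check that compares these values after stripping the "v", or deriving them from a single source.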
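Review bot: In the modules/test/module.info hunk, the unchanged context line right after the bumped version reads "Description: Translation module" although the file declares "Module: test" and the text below it describes running unit tests. This looks like a copy from modules/translation/module.info, which has the same description line. It is not introduced by this patch, but since the file is being touched anyway, consider correcting the description to match the test module in this or a follow-up commit.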