Releases: Icinga/icinga2
Icinga 2 v2.12.6
The focus of this version is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter.
Security
- Add TLS server certificate validation to ElasticsearchWriter, GelfWriter and InfluxdbWriter (GHSA-cxfm-8j5v-5qr2)
Depending on your setup, manual intervention beyond installing the new versions may be required, so please read the more detailed information in the release blog post carefully
Icinga 2 v2.11.11
The focus of this version is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter.
Security
- Add TLS server certificate validation to ElasticsearchWriter, GelfWriter and InfluxdbWriter (GHSA-cxfm-8j5v-5qr2)
Depending on your setup, manual intervention beyond installing the new versions may be required, so please read the more detailed information in the release blog post carefully
Icinga 2 v2.13.0
Al2Klimov
Alexander Aleksandrovič Klimov
Issues and PRs
Blogpost
Upgrading docs
Thanks to all contributors: andygrunwald, BausPhi, bebehei, Bobobo-bo-Bo-bobo, efuss, froehl, iustin, JochenFriedrich, leeclemens, log1-c, lyknode, m41kc0d3, MarcusCaepio, mathiasaerts, mcktr, MEschenbacher, Napsty, netson, pdolinic, Ragnra, RincewindsHat, sbraz, sni, sysadt, XnS, yayayayaka
Enhancements
- Core
- Cluster
- Display log message if two nodes run on incompatible versions #8088
- API
- /v1/actions/remove-downtime: Also remove child downtimes #8913
- Add API endpoint: /v1/actions/execute-command #8040
- /v1/actions/add-comment: Add param expiry #8035
- API-Event StateChange & CheckResult: Add acknowledgement and downtime_depth #7736
- Implement new API events ObjectCreated, ObjectDeleted and ObjectModified #8083
- Implement scheduling_endpoint attribute to checkable #6326
- Windows
- Add support for Windows Event Log and write early log messages to it #8710
- IDO
- MySQL: support larger host and service names #8425
- ITL
- Add -S parameter for esxi_hardware ITL #8814
- Add CheckCommands for Thola #8683
- Add option ignore-sct for ssl_cert to ITL #8625
- Improve check_dns command when used with monitoring-plugins 2.3 #8589
- Add parameter -f to snmp-process #8569
- Add systemd CheckCommand #8568
- Add new options for ipmi-sensor #8498
- check_snmp_int: support -a #8003
- check_fail2ban: Add parameter fail2ban_jail to monitor a specific jail only #7960
- check_nrpe: Add parameters needed for PKI usage #7907
- Metrics
- Docs
- Add info about ongoing support for IDO #8446
- Improve instructions on how to setup a Windows dev env #8400
- Improve instructions for installing wixtoolset on Windows #8397
- Add section about usage of satellites #8458
- Document command for verifying the parent node's certificate #8221
- Clarify TimePeriod/ScheduledDowntime time zone handling #8001
- Misc
Bugfixes
- Core
- Fix state not being UNKNOWN after process timeout #8937
- Set a default severity for loggers #8846
- Fix integer overflow when converting large unsigned integers to string #8742
- StartUnixWorker(): don't exit() on fork() failure #8427
- Fix perf data parser not recognizing scientific notation #8492
- Close FDs based on /proc/self/fd #8442
- Fix check source getting overwritten on passive check result #8158
- Clean up temp files #8157
- Improve perf data parser to allow for special output (e.g. ASCII tables) #8008
- On check timeout first send SIGTERM #7918
- Cluster
- API
- Do not override status codes that are not 200 #8532
- Update the SSL context after accepting incoming connections #8515
- Allow to create API User with password #8321
- Send Content-Type as API response header too #8108
- Display a correct status when removing a downtime #8104
- Display log message if a permission error occurs #8087
- Replace broken package name validation regex #8825 #8946
- Windows
- Fix Windows command escape for " #7092
- Notifications/Downtimes
- IDO
- ITL
- Metrics
- OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245
Icinga 2 v2.12.5
julianbrost
Julian Brost
Version 2.12.5 fixes two security vulnerabilities that may lead to privilege escalation for authenticated API users. Other improvements include several bugfixes related to downtimes, downtime notifications, and more reliable connection handling.
Security
- Don't expose the PKI ticket salt via the API. This may lead to privilege escalation for authenticated API users by them being able to request certificates for other identities (CVE-2021-32739)
- Don't expose IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, and ElasticsearchWriter passwords via the API (CVE-2021-32743)
- Windows: Update bundled OpenSSL to version 1.1.1k #8885
Depending on your setup, manual intervention beyond installing the new versions may be required, so please read the more detailed information in the release blog post carefully.
Bugfixes
- Don't send downtime end notification if downtime hasn't started #8877
- Don't let a failed downtime creation block the others #8863
- Support downtimes and comments for checkables with long names #8864
- Trigger fixed downtimes immediately if the current time matches (instead of waiting for the timer) #8889
- Add configurable timeout for full connection handshake #8866
Enhancements
Icinga 2 v2.11.10
julianbrost
Julian Brost
Version 2.11.10 fixes two security vulnerabilities that may lead to privilege escalation for authenticated API users. Other improvements include several bugfixes related to downtimes, downtime notifications, and more reliable connection handling.
Security
- Don't expose the PKI ticket salt via the API. This may lead to privilege escalation for authenticated API users by them being able to request certificates for other identities (CVE-2021-32739)
- Don't expose IdoMysqlConnection, IdoPgsqlConnection, and ElasticsearchWriter passwords via the API (CVE-2021-32743)
- Windows: Update bundled OpenSSL to version 1.1.1k #8888
Depending on your setup, manual intervention beyond installing the new versions may be required, so please read the more detailed information in the release blog post carefully.
Bugfixes
- Don't send downtime end notification if downtime hasn't started #8878
- Don't let a failed downtime creation block the others #8871
- Support downtimes and comments for checkables with long names #8870
- Trigger fixed downtimes immediately if the current time matches (instead of waiting for the timer) #8891
- Add configurable timeout for full connection handshake #8872
Enhancements
Icinga 2 v2.12.4
julianbrost
Julian Brost
Version 2.12.4 is a maintenance release that fixes some crashes, improves error handling and adds compatibility for systems coming with newer Boost versions.
Bugfixes
- Fix a crash when notification objects are deleted using the API #8782
- Fix crashes that might occur during downtime scheduling if host or downtime objects are deleted using the API #8785
- Fix an issue where notifications may incorrectly be skipped after a downtime ends #8775
- Don't send reminder notification if the notification is still suppressed by a time period #8808
- Fix an issue where attempting to create a duplicate object using the API might result in the original object being deleted #8787
- IDO: prioritize program status updates #8809
- Improve exceptions handling, including a fix for an uncaught exception on Windows #8777
- Retry file rename operations on Windows to avoid intermittent locking issues #8771
Enhancements
- Support Boost 1.74 (Ubuntu 21.04, Fedora 34) #8792
Icinga 2 v2.11.9
julianbrost
Julian Brost
Version 2.11.9 is a maintenance release that fixes some crashes, improves error handling and adds compatibility for systems coming with newer Boost versions.
Bugfixes
- Fix a crash when notification objects are deleted using the API #8780
- Fix crashes that might occur during downtime scheduling if host or downtime objects are deleted using the API #8784
- Fix an issue where notifications may incorrectly be skipped after a downtime ends #8772
- Fix an issue where attempting to create a duplicate object using the API might result in the original object being deleted #8788
- IDO: prioritize program status updates #8810
- Improve exceptions handling, including a fix for an uncaught exception on Windows #8776
- Retry file rename operations on Windows to avoid intermittent locking issues #8770
Enhancements
Icinga 2 v2.12.3
Version 2.12.3 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8511
- Fix runtime config updates being ignored for objects without zone #8549
- Use proper buffer size for OpenSSL error messages #8542
Enhancements
- On checkable recovery: re-check children that have a problem #8506
Icinga 2 v2.11.8
Version 2.11.8 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8510
- Fix runtime config updates being ignored for objects without zone #8550
- Use proper buffer size for OpenSSL error messages #8543
Enhancements
- On checkable recovery: re-check children that have a problem #8560
Icinga 2 v2.12.2
julianbrost
Julian Brost
Version 2.12.2 fixes several issues to improve the reliability of the cluster functionality.
Bugfixes
- Fix a connection leak with misconfigured agents #8483
- Properly sync changes of config objects in global zones done via the API #8474 #8470
- Prevent other clients from being disconnected when replaying the cluster log takes very long #8496
- Avoid duplicate connections between endpoints #8465
- Ignore incoming config object updates for unknown zones #8461
- Check timestamps before removing files in config sync #8495
Enhancements
- Include HTTP status codes in log #8467