Skip to content

Icinga 2 v2.12.3
Compare
Choose a tag to compare
@N-o-X N-o-X released this 15 Dec 13:26
· 1898 commits to master since this release
v2.12.3
This tag was signed with the committer’s verified signature.
N-o-X Noah Hilverling
GPG key ID: F3958E366687EA63
Learn about vigilant mode.
2cb995e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Issues and PRs
Blogpost

Version 2.12.3 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.

This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.

Security

  • Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)

When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).

Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.

Bugfixes

  • Improve config sync locking - resolves high load issues on Windows #8511
  • Fix runtime config updates being ignored for objects without zone #8549
  • Use proper buffer size for OpenSSL error messages #8542

Enhancements

  • On checkable recovery: re-check children that have a problem #8506
Assets 2
Loading