Icinga 2 v2.11.10

Issues and PRs
Blogpost

Version 2.11.10 fixes two security vulnerabilities that may lead to privilege escalation for authenticated API users. Other improvements include several bugfixes related to downtimes, downtime notifications, and more reliable connection handling.

Security

• Don't expose the PKI ticket salt via the API. This may lead to privilege escalation for authenticated API users by them being able to request certificates for other identities (CVE-2021-32739)
• Don't expose IdoMysqlConnection, IdoPgsqlConnection, and ElasticsearchWriter passwords via the API (CVE-2021-32743)
• Windows: Update bundled OpenSSL to version 1.1.1k #8888

Depending on your setup, manual intervention beyond installing the new versions may be required, so please read the more detailed information in the release blog post carefully.

Bugfixes

• Don't send downtime end notification if downtime hasn't started #8878
• Don't let a failed downtime creation block the others #8871
• Support downtimes and comments for checkables with long names #8870
• Trigger fixed downtimes immediately if the current time matches (instead of waiting for the timer) #8891
• Add configurable timeout for full connection handshake #8872

Enhancements

• Replace existing downtimes on ScheduledDowntime change #8880
• Improve crashlog #8869

Icinga 2 v2.12.4

Issues and PRs
Blogpost

Version 2.12.4 is a maintenance release that fixes some crashes, improves error handling and adds compatibility for systems coming with newer Boost versions.

Bugfixes

• Fix a crash when notification objects are deleted using the API #8782
• Fix crashes that might occur during downtime scheduling if host or downtime objects are deleted using the API #8785
• Fix an issue where notifications may incorrectly be skipped after a downtime ends #8775
• Don't send reminder notification if the notification is still suppressed by a time period #8808
• Fix an issue where attempting to create a duplicate object using the API might result in the original object being deleted #8787
• IDO: prioritize program status updates #8809
• Improve exceptions handling, including a fix for an uncaught exception on Windows #8777
• Retry file rename operations on Windows to avoid intermittent locking issues #8771

Enhancements

• Support Boost 1.74 (Ubuntu 21.04, Fedora 34) #8792

Icinga 2 v2.11.9

Issues and PRs
Blogpost

Version 2.11.9 is a maintenance release that fixes some crashes, improves error handling and adds compatibility for systems coming with newer Boost versions.

Bugfixes

• Fix a crash when notification objects are deleted using the API #8780
• Fix crashes that might occur during downtime scheduling if host or downtime objects are deleted using the API #8784
• Fix an issue where notifications may incorrectly be skipped after a downtime ends #8772
• Fix an issue where attempting to create a duplicate object using the API might result in the original object being deleted #8788
• IDO: prioritize program status updates #8810
• Improve exceptions handling, including a fix for an uncaught exception on Windows #8776
• Retry file rename operations on Windows to avoid intermittent locking issues #8770

Enhancements

• Support Boost 1.74 (Ubuntu 21.04, Fedora 34) #8793 #8802

Icinga 2 v2.12.3

Issues and PRs
Blogpost

Version 2.12.3 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.

This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.

Security

• Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)

When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).

Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.

Bugfixes

• Improve config sync locking - resolves high load issues on Windows #8511
• Fix runtime config updates being ignored for objects without zone #8549
• Use proper buffer size for OpenSSL error messages #8542

Enhancements

• On checkable recovery: re-check children that have a problem #8506

Icinga 2 v2.11.8

Issues and PRs
Blogpost

Version 2.11.8 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.

This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.

Security

• Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)

When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).

Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.

Bugfixes

• Improve config sync locking - resolves high load issues on Windows #8510
• Fix runtime config updates being ignored for objects without zone #8550
• Use proper buffer size for OpenSSL error messages #8543

Enhancements

• On checkable recovery: re-check children that have a problem #8560

Icinga 2 v2.12.2

Issues and PRs
Blogpost

Version 2.12.2 fixes several issues to improve the reliability of the cluster functionality.

Bugfixes

• Fix a connection leak with misconfigured agents #8483
• Properly sync changes of config objects in global zones done via the API #8474 #8470
• Prevent other clients from being disconnected when replaying the cluster log takes very long #8496
• Avoid duplicate connections between endpoints #8465
• Ignore incoming config object updates for unknown zones #8461
• Check timestamps before removing files in config sync #8495

Enhancements

• Include HTTP status codes in log #8467

Icinga 2 v2.11.7

Issues and PRs
Blogpost

Version 2.11.7 fixes several issues to improve the reliability of the cluster functionality.

Bugfixes

• Fix a connection leak with misconfigured agents #8482
• Properly sync changes of config objects in global zones done via the API #8473 #8457
• Prevent other clients from being disconnected when replaying the cluster log takes very long #8475
• Avoid duplicate connections between endpoints #8399
• Ignore incoming config object updates for unknown zones #8459
• Check timestamps before removing files in config sync #8486

Enhancements

• Include HTTP status codes in log #8454

Icinga 2 v2.12.1

Issues and PRs
Blogpost

This version fixes several crashes, deadlocks and excessive check latencies. It also addresses several bugs regarding IDO, API, notifications and checks.

Bugfixes

• Core
  • Fix crashes during config update #8348 #8345
  • Fix crash while removing a downtime #8228
  • Ensure the daemon doesn't get killed by logrotate #8170
  • Fix hangup during shutdown #8211
  • Fix a deadlock in Icinga DB #8168
  • Clean up zombie processes during reload #8376
  • Reduce check latency #8276
• IDO
  • Prevent unnecessary IDO updates #8327 #8320
  • Commit IDO MySQL transactions earlier #8349
  • Make sure to insert IDO program status #8330
  • Improve IDO queue stats logging #8271 #8328 #8379
• Misc
  • Ensure API connections are closed properly #8293
  • Prevent unnecessary notifications #8299
  • Don't skip null values of command arguments #8174
  • Fix Windows .exe version #8234
  • Reset Icinga check warning after successful config update #8189

Icinga 2.11.6

Issues and PRs
Blogpost

Version 2.11.6 fixes several crashes, prevents unnecessary notifications and addresses several bugs in IDO and the API.

Bugfixes

• Crashes
  • Fix crashes during config update #8337 #8308
  • Fix crash while removing a downtime #8226
  • Ensure the daemon doesn't get killed by logrotate #8227
• IDO
  • Prevent unnecessary IDO updates #8316 #8305
  • Commit IDO MySQL transactions earlier #8298
  • Make sure to insert IDO program status #8291
  • Improve IDO queue stats logging #8270 #8325 #8378
• API
  • Ensure API connections are closed properly #8292
  • Fix open connections when agent waits for CA approval #8230
  • Close connections without successful TLS handshakes within 10s #8224
• Misc
  • Prevent unnecessary notifications #8300
  • Fix Windows .exe version #8235
  • Reset Icinga check warning after successful config update #8225

Icinga 2.12.0

Issues and PRs
Blogpost
Upgrading docs

Thanks to all contributors:
Ant1x, azthec, baurmatt, bootc, Foxeronie, ggzengel, islander, joni1993, KAMI911, mcktr, MichalMMac, sebastic, sthen, unki, vigiroux, wopfel

Breaking changes

• Deprecate Windows plugins in favor of our
  PowerShell plugins #8071
• Deprecate Livestatus #8051
• Refuse acknowledging an already acknowledged checkable #7695
• Config lexer: complain on EOF in heredocs, i.e. {{{abc<EOF> #7541

Enhancements

• Core
  • Implement new database backend: Icinga DB #7571
  • Re-send notifications previously suppressed by their time periods #7816
• API
  • Host/Service: Add acknowledgement_last_change and next_update attributes #7881 #7534
  • Improve error message for POST queries #7681
  • /v1/actions/remove-comment: let users specify themselves #7646
  • /v1/actions/remove-downtime: let users specify themselves #7645
  • /v1/config/stages: Add 'activate' parameter #7535
• CLI
  • Add pki verify command for better TLS certificate troubleshooting #7843
  • Add OpenSSL version to 'Build' section in --version #7833
  • Improve experience with 'Node Setup for Agents/Satellite' #7835
• DSL
  • Add get_template() and get_templates() #7632
  • MacroProcessor::ResolveArguments(): skip null argument values #7567
  • Fix crash due to dependency apply rule with ignore_on_error and non-existing parent #7538
  • Introduce ternary operator (x ? y : z) #7442
  • LegacyTimePeriod: support specifying seconds #7439
  • Add support for Lambda Closures (() use(x) => x and () use(x) => { return x }) #7417
• ITL
  • Add notemp parameter to oracle health #7748
  • Add extended checks options to snmp-interface command template #7602
  • Add file age check for Windows command definition #7540
• Docs
  • Development: Update debugging instructions #7867
  • Add new API clients #7859
  • Clarify CRITICAL vs. UNKNOWN #7665
  • Explicitly explain how to disable freshness checks #7664
  • Update installation for RHEL/CentOS 8 and SLES 15 #7640
  • Add Powershell example to validate the certificate #7603
• Misc
  • Don't send event::Heartbeat to unauthenticated peers #7747
  • OpenTsdbWriter: Add custom tag support #7357

Bugfixes

• Core
  • Fix JSON-RPC crashes #7532 #7737
  • Fix zone definitions in zones #7546
  • Fix deadlock during start on OpenBSD #7739
  • Consider PENDING not a problem #7685
  • Fix zombie processes after reload #7606
  • Don't wait for checks to finish during reload #7894
• Cluster
  • Fix segfault during heartbeat timeout with clients not yet signed #7970
  • Make the config update process mutually exclusive (Prevents file system race conditions) #7936
  • Fix check_timeout not being forwarded to agent command endpoints #7861
  • Config sync: Use a more friendly message when configs are equal and don't need a reload #7811
  • Fix open connections when agent waits for CA approval #7686
  • Consider a JsonRpcConnection alive on a single byte of TLS payload, not only on a whole message #7836
  • Send JsonRpcConnection heartbeat every 20s instead of 10s #8102
  • Use JsonRpcConnection heartbeat only to update connection liveness (m_Seen) #8142
  • Fix TLS context not being updated on signed certificate messages on agents #7654
• API
  • Close connections w/o successful TLS handshakes after 10s #7809
  • Handle permission exceptions soon enough, returning 404 #7528
• SELinux
  • Fix safe-reload #7858
  • Allow direct SMTP notifications #7749
• Windows
  • Terminate check processes with UNKNOWN state on timeout #7788
  • Ensure that log replay files are properly renamed #7767
• Metrics
  • Graphite/OpenTSDB: Ensure that reconnect failure is detected #7765
  • Always send 0 as value for thresholds #7696
• Scripts
  • Fix notification scripts to stay compatible with Dash #7706
  • Fix bash line continuation in mail-host-notification.sh #7701
  • Fix notification scripts string comparison #7647
  • Service and host mail-notifications: Add line-breaks to very long output #6822
  • Set correct UTF-8 email subject header (RFC1342) #6369
• Misc
  • DSL: Fix segfault due to passing null as custom function to Array#{sort,map,reduce,filter,any,all}() #8053
  • CLI: pki save-cert: allow to specify --key and --cert for backwards compatibility #7995
  • Catch exception when trusted cert is not readable during node setup on agent/satellite #7838
  • CheckCommand ssl: Fix wrong parameter -N #7741
  • Code quality fixes
  • Small documentation fixes