Releases: Icinga/icinga2
Icinga 2 v2.11.10
Version 2.11.10 fixes two security vulnerabilities that may lead to privilege escalation for authenticated API users. Other improvements include several bugfixes related to downtimes, downtime notifications, and more reliable connection handling.
Security
- Don't expose the PKI ticket salt via the API. This may lead to privilege escalation for authenticated API users by them being able to request certificates for other identities (CVE-2021-32739)
- Don't expose IdoMysqlConnection, IdoPgsqlConnection, and ElasticsearchWriter passwords via the API (CVE-2021-32743)
- Windows: Update bundled OpenSSL to version 1.1.1k #8888
Depending on your setup, manual intervention beyond installing the new versions may be required, so please read the more detailed information in the release blog post carefully.
Bugfixes
- Don't send downtime end notification if downtime hasn't started #8878
- Don't let a failed downtime creation block the others #8871
- Support downtimes and comments for checkables with long names #8870
- Trigger fixed downtimes immediately if the current time matches (instead of waiting for the timer) #8891
- Add configurable timeout for full connection handshake #8872
Enhancements
Icinga 2 v2.12.4
Version 2.12.4 is a maintenance release that fixes some crashes, improves error handling and adds compatibility for systems coming with newer Boost versions.
Bugfixes
- Fix a crash when notification objects are deleted using the API #8782
- Fix crashes that might occur during downtime scheduling if host or downtime objects are deleted using the API #8785
- Fix an issue where notifications may incorrectly be skipped after a downtime ends #8775
- Don't send reminder notification if the notification is still suppressed by a time period #8808
- Fix an issue where attempting to create a duplicate object using the API might result in the original object being deleted #8787
- IDO: prioritize program status updates #8809
- Improve exceptions handling, including a fix for an uncaught exception on Windows #8777
- Retry file rename operations on Windows to avoid intermittent locking issues #8771
Enhancements
- Support Boost 1.74 (Ubuntu 21.04, Fedora 34) #8792
Icinga 2 v2.11.9
Version 2.11.9 is a maintenance release that fixes some crashes, improves error handling and adds compatibility for systems coming with newer Boost versions.
Bugfixes
- Fix a crash when notification objects are deleted using the API #8780
- Fix crashes that might occur during downtime scheduling if host or downtime objects are deleted using the API #8784
- Fix an issue where notifications may incorrectly be skipped after a downtime ends #8772
- Fix an issue where attempting to create a duplicate object using the API might result in the original object being deleted #8788
- IDO: prioritize program status updates #8810
- Improve exceptions handling, including a fix for an uncaught exception on Windows #8776
- Retry file rename operations on Windows to avoid intermittent locking issues #8770
Enhancements
Icinga 2 v2.12.3
Version 2.12.3 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 so far only used it
when connections were established, but not when a certificate was requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less than 30 days.
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8511
- Fix runtime config updates being ignored for objects without zone #8549
- Use proper buffer size for OpenSSL error messages #8542
Enhancements
- On checkable recovery: re-check children that have a problem #8506
Icinga 2 v2.11.8
Version 2.11.8 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 so far only used it
when connections were established, but not when a certificate was requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less than 30 days.
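The renewal decision described in the CVE-2020-29663 notes for v2.12.3 and v2.11.8, as an added example: a simplified Python model, not Icinga 2's own code. The function names, certificate fields, serial numbers and dates are hypothetical or constructed. It lists the revoked certificates in an inventory that would still have been renewed while the CRL was not consulted on certificate requests.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=30)                        # "expires in less than 30 days"
LEGACY_CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # "issued before 2017"


@dataclass(frozen=True)
class Cert:
    cn: str
    serial: int
    not_before: datetime
    not_after: datetime


def due_for_renewal(cert, now):
    """The two auto-renewal conditions named in the release notes."""
    return cert.not_before < LEGACY_CUTOFF or cert.not_after - now < RENEWAL_WINDOW


def renew_without_crl(cert, now, revoked_serials):
    """Affected behaviour: the CRL is ignored when a certificate is requested."""
    return due_for_renewal(cert, now)


def renew_with_crl(cert, now, revoked_serials):
    """Fixed behaviour: a revoked certificate is never renewed."""
    return cert.serial not in revoked_serials and due_for_renewal(cert, now)


def exposed_certs(inventory, now, revoked_serials):
    """CNs of revoked certificates that only the CRL-less decision would renew."""
    return [c.cn for c in inventory
            if renew_without_crl(c, now, revoked_serials)
            and not renew_with_crl(c, now, revoked_serials)]


# Constructed sample data (not taken from any real deployment).
NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)
ISSUED_2020 = datetime(2020, 1, 1, tzinfo=timezone.utc)
ISSUED_2016 = datetime(2016, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    Cert("agent-a", 0x1001, ISSUED_2020, NOW + timedelta(days=10)),    # revoked, expiring soon
    Cert("agent-b", 0x1002, ISSUED_2020, NOW + timedelta(days=400)),   # revoked, not due
    Cert("agent-c", 0x1003, ISSUED_2016, NOW + timedelta(days=2000)),  # revoked, issued before 2017
    Cert("agent-d", 0x1004, ISSUED_2020, NOW + timedelta(days=5)),     # valid, expiring soon
]
REVOKED = {0x1001, 0x1002, 0x1003}

if __name__ == "__main__":
    print(exposed_certs(INVENTORY, NOW, REVOKED))
```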
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8510
- Fix runtime config updates being ignored for objects without zone #8550
- Use proper buffer size for OpenSSL error messages #8543
Enhancements
- On checkable recovery: re-check children that have a problem #8560
Icinga 2 v2.12.2
Version 2.12.2 fixes several issues to improve the reliability of the cluster functionality.
Bugfixes
- Fix a connection leak with misconfigured agents #8483
- Properly sync changes of config objects in global zones done via the API #8474 #8470
- Prevent other clients from being disconnected when replaying the cluster log takes very long #8496
- Avoid duplicate connections between endpoints #8465
- Ignore incoming config object updates for unknown zones #8461
- Check timestamps before removing files in config sync #8495
Enhancements
- Include HTTP status codes in log #8467
Icinga 2 v2.11.7
Version 2.11.7 fixes several issues to improve the reliability of the cluster functionality.
Bugfixes
- Fix a connection leak with misconfigured agents #8482
- Properly sync changes of config objects in global zones done via the API #8473 #8457
- Prevent other clients from being disconnected when replaying the cluster log takes very long #8475
- Avoid duplicate connections between endpoints #8399
- Ignore incoming config object updates for unknown zones #8459
- Check timestamps before removing files in config sync #8486
Enhancements
- Include HTTP status codes in log #8454
Icinga 2 v2.12.1
This version fixes several crashes, deadlocks and excessive check latencies. It also addresses several bugs regarding IDO, API, notifications and checks.
Bugfixes
- Core
- IDO
- Misc
Icinga 2.11.6
Version 2.11.6 fixes several crashes, prevents unnecessary notifications and addresses several bugs in IDO and the API.
Bugfixes
- Crashes
- IDO
- API
- Misc
Icinga 2.12.0
Issues and PRs
Blogpost
Upgrading docs
Thanks to all contributors:
Ant1x, azthec, baurmatt, bootc, Foxeronie, ggzengel, islander, joni1993, KAMI911, mcktr, MichalMMac, sebastic, sthen, unki, vigiroux, wopfel
Breaking changes
- Deprecate Windows plugins in favor of our PowerShell plugins #8071
- Deprecate Livestatus #8051
- Refuse acknowledging an already acknowledged checkable #7695
- Config lexer: complain on EOF in heredocs, i.e. {{{abc<EOF> #7541
Enhancements
- Core
- API
  - Host/Service: Add acknowledgement_last_change and next_update attributes #7881 #7534
  - Improve error message for POST queries #7681
  - /v1/actions/remove-comment: let users specify themselves #7646
  - /v1/actions/remove-downtime: let users specify themselves #7645
  - /v1/config/stages: Add 'activate' parameter #7535
- CLI
- DSL
  - Add get_template() and get_templates() #7632
  - MacroProcessor::ResolveArguments(): skip null argument values #7567
  - Fix crash due to dependency apply rule with ignore_on_error and non-existing parent #7538
  - Introduce ternary operator (x ? y : z) #7442
  - LegacyTimePeriod: support specifying seconds #7439
  - Add support for Lambda Closures (() use(x) => x and () use(x) => { return x }) #7417
- ITL
- Docs
- Misc
Bugfixes
- Core
- Cluster
  - Fix segfault during heartbeat timeout with clients not yet signed #7970
  - Make the config update process mutually exclusive (Prevents file system race conditions) #7936
  - Fix check_timeout not being forwarded to agent command endpoints #7861
  - Config sync: Use a more friendly message when configs are equal and don't need a reload #7811
  - Fix open connections when agent waits for CA approval #7686
  - Consider a JsonRpcConnection alive on a single byte of TLS payload, not only on a whole message #7836
  - Send JsonRpcConnection heartbeat every 20s instead of 10s #8102
  - Use JsonRpcConnection heartbeat only to update connection liveness (m_Seen) #8142
  - Fix TLS context not being updated on signed certificate messages on agents #7654
- API
- SELinux
- Windows
- Metrics
- Scripts
  - Fix notification scripts to stay compatible with Dash #7706
  - Fix bash line continuation in mail-host-notification.sh #7701
  - Fix notification scripts string comparison #7647
  - Service and host mail-notifications: Add line-breaks to very long output #6822
  - Set correct UTF-8 email subject header (RFC1342) #6369
- Misc
  - DSL: Fix segfault due to passing null as custom function to Array#{sort,map,reduce,filter,any,all}() #8053
  - CLI: pki save-cert: allow to specify --key and --cert for backwards compatibility #7995
  - Catch exception when trusted cert is not readable during node setup on agent/satellite #7838
  - CheckCommand ssl: Fix wrong parameter -N #7741
  - Code quality fixes
  - Small documentation fixes