From 30fcc9485503771ca879dae93bff2dd718c205e1 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Thu, 9 Oct 2025 14:26:53 +0200 Subject: [PATCH 01/21] Changelog and version bump for v2.15.1 (cherry picked from commit ae6629db6e5538fbde821cda929a43b536745f87) --- CHANGELOG.md | 23 +++++++++++++++++++++++ ICINGA2_VERSION | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ea49615d83..0badfc25ed5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,29 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.15.1 (2025-10-16) + +This version includes bug fixes regarding config deployments and improvements +to allow for better debugging of problems related to JSON-RPC cluster +communication. + +Note that one fix affects the logrotate configuration. If it was modified +locally, it might not be updated automatically by the package manager and +applying the changes manually is necessary. For details, please check the +[upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1). + +* Don't send signals as root in safe-reload script and logrotate config. #10590 +* When a reload triggered from Icinga Director (or the /v1/config API) fails, + the corresponding state is cleared, allowing to deploy a new config without + having to restart Icinga 2 manually first. #10584 +* Add JSON-RPC utilization metrics and troubleshooting docs. #10586 +* When sending cluster messages to other zones, prefer endpoints in the order + as specified in the zone configuration. #10587 +* Track the number of JSON-RPC messages received for each message type per + endpoint. #10585 +* Add support for building with Boost v1.89 and use it on Windows. #10578 +* Windows: Update to OpenSSL 3.0.18. #10591 + ## 2.15.0 (2025-06-18) This Icinga 2 release is focused on adding Icinga 2 dependencies support to Icinga DB, but also includes a number diff --git a/ICINGA2_VERSION b/ICINGA2_VERSION index 66639bc0c36..e18a5e46ea9 100644 --- a/ICINGA2_VERSION +++ b/ICINGA2_VERSION @@ -1,2 +1,2 @@ -Version: 2.15.0 +Version: 2.15.1 Revision: 1 From fd0d55d1152d3972400f400a1201d88594721b1b Mon Sep 17 00:00:00 2001 
From: Julian Brost Date: Mon, 13 Oct 2025 16:53:07 +0200 Subject: [PATCH 02/21] Add security fixes to v2.15.1 changelog (cherry picked from commit 19e9b0042a11a7195ee4b6d2332b2319699d6b60) --- CHANGELOG.md | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0badfc25ed5..2e27ba884f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,26 +9,49 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic ## 2.15.1 (2025-10-16) -This version includes bug fixes regarding config deployments and improvements -to allow for better debugging of problems related to JSON-RPC cluster -communication. +This release fixes multiple security issues. Two of them allow authenticated +API users to learn restricted information or crash Icinga 2. A third issue +affects the scripts provided with Icinga 2 and allows a limited privilege +escalation where the Icinga 2 daemon user can trick root into sending signals to +arbitrary processes. + +In addition, this version also includes bug fixes regarding config deployments +and improvements to allow for better debugging of problems related to JSON-RPC +cluster communication. Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the [upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1). -* Don't send signals as root in safe-reload script and logrotate config. #10590 +### Security + +* CVE-2025-61907: Prevent API users from accessing variables and objects they + don't have access to within filter expressions. This allowed authenticated + API users to learn information they aren't allowed to access directly. +* CVE-2025-61908: Add a missing null pointer check while evaluating + expressions. This allowed authenticated API users to crash the Icinga 2 + daemon by supplying a crafted filter expression. +* CVE-2025-61909: Don't send signals as root in safe-reload script and + logrotate config. This allowed a limited privilege escalation from the Icinga + 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to + an arbitrary process. #10590 +* Windows: Update to OpenSSL 3.0.18. 
#10591 + +### Bugfixes + * When a reload triggered from Icinga Director (or the /v1/config API) fails, the corresponding state is cleared, allowing to deploy a new config without having to restart Icinga 2 manually first. #10584 + +### Enhancements + * Add JSON-RPC utilization metrics and troubleshooting docs. #10586 * When sending cluster messages to other zones, prefer endpoints in the order as specified in the zone configuration. #10587 * Track the number of JSON-RPC messages received for each message type per endpoint. #10585 * Add support for building with Boost v1.89 and use it on Windows. #10578 -* Windows: Update to OpenSSL 3.0.18. #10591 ## 2.15.0 (2025-06-18) From 47dadd8742c333b08a117b180595d65cf358489e Mon Sep 17 00:00:00 2001 From: Yonas Habteab Date: Mon, 26 Jan 2026 12:13:39 +0100 Subject: [PATCH 03/21] Release `v2.15.2` (cherry picked from commit 85d07e4330d71ccbb47d8e1079447374614a4863) --- CHANGELOG.md | 9 +++++++++ ICINGA2_VERSION | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e27ba884f7..00187f950fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,15 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed). +## 2.15.2 (2026-01-29) + +Additionally, it includes two minor bug fixes regarding SELinux policies and the OpenSSL version shipped on Windows. + +* Windows: Update to OpenSSL 3.0.19. #10706 +* SELinux: Fix policy to allow `logrotate` to execute the `icinga2` binary in order to send `SIGUSR1` for log rotation. #10643 +* SELinux: Fix policy to allow `icinga2` to send `SIGTERM` to nagios plugins processes on timeout. #10694 +* doc: Update Windows development docs to use Visual Studio 2022 instead of 2019. #10695 + ## 2.15.1 (2025-10-16) This release fixes multiple security issues. Two of them allow authenticated 
diff --git a/ICINGA2_VERSION b/ICINGA2_VERSION index e18a5e46ea9..66639bc0c36 100644 --- a/ICINGA2_VERSION +++ b/ICINGA2_VERSION @@ -1,2 +1,2 @@ -Version: 2.15.1 +Version: 2.15.0 Revision: 1 From e880886daf9ef586457a65b1c953af35188f0371 Mon Sep 17 00:00:00 2001 From: Yonas Habteab Date: Thu, 29 Jan 2026 11:50:33 +0100 Subject: [PATCH 04/21] Add security update to changelog for `v2.15.2` (cherry picked from commit ef406f48cea4a1bf206f1ad4bdae8f06bc74629d) --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 00187f950fd..15f1c849834 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,8 +9,12 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic ## 2.15.2 (2026-01-29) -Additionally, it includes two minor bug fixes regarding SELinux policies and the OpenSSL version shipped on Windows. +This security release fixes a problem in the Icinga 2 Windows MSI that did not +set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it includes +two minor bug fixes regarding our SELinux policy and updates the OpenSSL version +shipped on Windows. +* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows. * Windows: Update to OpenSSL 3.0.19. #10706 * SELinux: Fix policy to allow `logrotate` to execute the `icinga2` binary in order to send `SIGUSR1` for log rotation. #10643 * SELinux: Fix policy to allow `icinga2` to send `SIGTERM` to nagios plugins processes on timeout. #10694 From f1e7fbe9ebc3424cde953e0b35f9b1f264ceb079 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Thu, 9 Oct 2025 17:37:09 +0200 Subject: [PATCH 05/21] Changelog and version bump for v2.14.7 (cherry picked from commit e5af30335bf5926889aa54e8bd8882e7e54e1053) --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 15f1c849834..75869d971d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -219,6 +219,20 @@ Thanks to all contributors: * Reduce task function allocation overhead by using a per-thread created lambda in `WorkQueue`. #9575 * Remove redundant trailing empty lines and add missing newlines in some files. #7799 +## 2.14.7 (2025-10-16) + +This version includes a fix for sending signals and updates dependencies used +in Windows builds. + +Note that one fix affects the logrotate configuration. If it was modified +locally, it might not be updated automatically by the package manager and +applying the changes manually is necessary. For details, please check the +[upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1). + +* Don't send signals as root in safe-reload script and logrotate config. #10597 +* Windows: Update to OpenSSL 3.0.18. #10595 +* Windows: upgrade build toolchain to Visual Studio 2022. #10594 + ## 2.14.6 (2025-05-27) This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which From 5ad5aaafeba7920a6976844af8624796a874207b Mon Sep 17 00:00:00 2001 From: Johannes Schmidt Date: Mon, 26 Jan 2026 12:50:20 +0100 Subject: [PATCH 06/21] Release v2.14.8 (cherry picked from commit fd1a5f06b98402ac17412e9b602225c5f41c10d6) --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75869d971d1..e4f0bb1f778 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -219,6 +219,15 @@ Thanks to all contributors: * Reduce task function allocation overhead by using a per-thread created lambda in `WorkQueue`. #9575 * Remove redundant trailing empty lines and add missing newlines in some files. #7799 +## 2.14.8 (2026-01-29) + +This release updates the bundled OpenSSL library and includes changes to allow +building with newer toolchains. + +* Windows: Update to OpenSSL 3.0.19. #10705 +* Bump Boost shipped for Windows to v1.87. #10651 +* Allow building with CMake 4. #10624 + ## 2.14.7 (2025-10-16) This version includes a fix for sending signals and updates dependencies used From 816c687f97fc19f3541765fa5e97f9f3755fd337 Mon Sep 17 00:00:00 2001 From: Johannes Schmidt Date: Thu, 29 Jan 2026 11:44:39 +0100 Subject: [PATCH 07/21] Add security update to v2.14.8 changelog (cherry picked from commit 77ad67a0eae9cd8dd95d6e80da9d22ea848bc5d8) --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4f0bb1f778..d4efb8dbf7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -221,9 +221,12 @@ Thanks to all contributors: ## 2.14.8 (2026-01-29) -This release updates the bundled OpenSSL library and includes changes to allow -building with newer toolchains. +This security release fixes a problem in the Icinga 2 Windows MSI that did not +set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it +updates the bundled OpenSSL library and includes changes to allow building with +newer toolchains. +* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows. * Windows: Update to OpenSSL 3.0.19. #10705 * Bump Boost shipped for Windows to v1.87. #10651 * Allow building with CMake 4. #10624 From 6d9045cae8e65bcfffe19c9f14140e3bdf7d38d0 Mon Sep 17 00:00:00 2001 
From: Julian Brost Date: Thu, 9 Oct 2025 18:21:36 +0200 Subject: [PATCH 08/21] Changelog and version bump for v2.13.13 (cherry picked from commit 3fd7df225ab6026b4521f1107dc715674636a517) --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4efb8dbf7c..5db77e79944 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -579,6 +579,20 @@ Add `linux_netdev` check command. #9045 * Several code quality improvements. #8815 #9106 #9250 #9508 #9517 #9537 #9594 #9605 #9606 #9641 #9658 #9702 #9717 #9738 +## 2.13.13 (2025-10-16) + +This version includes a fix for sending signals and updates dependencies used +in Windows builds. + +Note that one fix affects the logrotate configuration. If it was modified +locally, it might not be updated automatically by the package manager and +applying the changes manually is necessary. For details, please check the +[upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1). + +* Don't send signals as root in safe-reload script and logrotate config. #10601 +* Windows: Update to OpenSSL 3.0.18. #10602 +* Windows: upgrade build toolchain to Visual Studio 2022. #10598 + ## 2.13.12 (2025-05-27) This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which From 8ea31dcb0e37d388e9abea1a2f8d0547355daa25 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Mon, 13 Oct 2025 16:53:07 +0200 Subject: [PATCH 09/21] Add security fixes to v2.13.13 changelog (cherry picked from commit d1d9403eac58cd2e582e6a4e95a0661f3f81d814) --- CHANGELOG.md | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5db77e79944..8833c1a75ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -581,15 +581,29 @@ Add `linux_netdev` check command. #9045 ## 2.13.13 (2025-10-16) -This version includes a fix for sending signals and updates dependencies used -in Windows builds. +This release fixes multiple security issues. Two of them allow authenticated +API users to learn restricted information or crash Icinga 2. A third issue +affects the scripts provided with Icinga 2 and allows a limited privilege +escalation where the Icinga 2 daemon user can trick root into sending signals to +arbitrary processes. Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the [upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1). -* Don't send signals as root in safe-reload script and logrotate config. #10601 +* CVE-2025-61907: Prevent API users from accessing variables and objects they + don't have access to within filter expressions. This allowed authenticated + API users to learn information they aren't allowed to access directly. In this + version this also applies to the TicketSalt variable which was previously + accessible through the /v1/variables API in this version. +* CVE-2025-61908: Add a missing null pointer check while evaluating + expressions. This allowed authenticated API users to crash the Icinga 2 + daemon by supplying a crafted filter expression. +* CVE-2025-61909: Don't send signals as root in safe-reload script and + logrotate config. This allowed a limited privilege escalation from the Icinga + 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to + an arbitrary process. #10601 * Windows: Update to OpenSSL 3.0.18. #10602 * Windows: upgrade build toolchain to Visual Studio 2022. #10598 From 48c6a39c211b53202ed67dc00303b77805cda355 Mon Sep 17 00:00:00 2001 
From: Julian Brost Date: Tue, 27 Jan 2026 10:38:15 +0100 Subject: [PATCH 10/21] Changelog and version bump for v2.13.14 (cherry picked from commit 907aebf5dc3f7f110bec9d3d98dae78fb81d71b2) --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8833c1a75ae..0609dbefbc5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -579,6 +579,14 @@ Add `linux_netdev` check command. #9045 * Several code quality improvements. #8815 #9106 #9250 #9508 #9517 #9537 #9594 #9605 #9606 #9641 #9658 #9702 #9717 #9738 +## 2.13.14 (2026-01-29) + +This release updates the bundled OpenSSL library and includes changes to allow +building with newer toolchains. + +* Windows: Update to OpenSSL 3.0.19. #10704 +* Allow building with CMake 4. #10625 + ## 2.13.13 (2025-10-16) This release fixes multiple security issues. Two of them allow authenticated From b733eb8de3439d34d4c42194938cfaf4c8874fc2 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Tue, 27 Jan 2026 15:08:53 +0100 Subject: [PATCH 11/21] Add security update to v2.13.14 changelog (cherry picked from commit 376da7f202978af947a4c26feb69837bcccf418a) --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0609dbefbc5..6379ca44da9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -581,9 +581,12 @@ Add `linux_netdev` check command. #9045 ## 2.13.14 (2026-01-29) -This release updates the bundled OpenSSL library and includes changes to allow -building with newer toolchains. +This security release fixes a problem in the Icinga 2 Windows MSI that did not +set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it +updates the bundled OpenSSL library and includes changes to allow building with +newer toolchains. +* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows. * Windows: Update to OpenSSL 3.0.19. #10704 * Allow building with CMake 4. #10625 
From 7d0710d1c7656b2f20a738d7bcc74afd45833b54 Mon Sep 17 00:00:00 2001 From: Noah Hilverling Date: Wed, 18 Aug 2021 17:26:46 +0200 Subject: [PATCH 12/21] Add 2.12.6 changelog and bump VERSION (cherry picked from commit 88ed37454b7d8290d0f309784a166ab0d3c23326) --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6379ca44da9..113021e2c84 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1052,6 +1052,19 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 +# 2.12.6 (2021-08-19) + +The main focus of these versions is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter. + +### Security + +* Add TLS server certificate validation to ElasticsearchWriter, GelfWriter and InfluxdbWriter + +Depending on your setup, manual intervention beyond installing the new versions +may be required, so please read the more detailed information in the +[release blog post](https://icinga.com/blog/2021/08/19/icinga-2-13-1-security-release//) +carefully + ## 2.12.5 (2021-07-15) Version 2.12.5 fixes two security vulnerabilities that may lead to privilege From c81216d9be8682aa4631ab96b2b37ed152f280ea Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Fri, 1 Apr 2022 14:54:07 +0200 Subject: [PATCH 13/21] Release 2.12.7 (cherry picked from commit 4137746bbe2b04d7aabb9a0d3633d88a835a7225) --- CHANGELOG.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 113021e2c84..c2a51337de2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1052,7 +1052,76 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 -# 2.12.6 (2021-08-19) +## 2.12.7 (2022-04-14) + +This version includes bugfixes for many features of Icinga 2, including fixes for multiple crashes. + +### API + +* The /v1/config/stages endpoint now immediately rejects parallel config updates + instead of accepting and then later failing to verify and activate them. #9326 + +### Certificates + +* The lifetime of newly issued node certificates is reduced from 15 years to 397 days. #9338 +* Compare cluster certificate tickets in constant time. #9334 + +### Notifications + +* Fix a crash that could happen while sending notifications shortly after Icinga 2 started. #9125 + +### Checks and Commands + +* Fix a deadlock when processing check results for checkables with dependencies. #9229 +* Fix a message routing loop that can happen for event commands that are executed within a zone + using `command_endpoint` that resulted in excessive execution of the command. #9261 + +### Downtimes + +* Fix scheduling of downtimes for all services on child hosts. #9184 +* Creating fixed downtimes starting immediately now send a corresponding notification. #9185 +* Fix some issues involving daylight saving time changes that could result in an hour missing + from scheduled downtimes. This fix applies to time periods as well. #9246 +* Fix a bug where downtimes on the day after a daylight saving time change could be off by an hour. #9253 + +### Configuration + +* Fix the evaluation order of default templates when used in combination with apply rules. + Now default templates are imported first as stated in the documentation and + as it already happens for objects defined without using apply. #9294 + +### IDO + +* Fix an issue where contacts were not written correctly to the notification history + if multiple IDO instances are active on the same node. 
#9243 +* Explicitly set the encoding for MySQL connections as a workaround for changed defaults + in Debian bullseye. #9313 +* Ship a MySQL schema upgrade that fixes inconsistent version information in the + full schema file and upgrade files which could have resulted in inaccurate reports + of an outdated schema version. #9140 + +### Performance Data Writers + +* Fix a race condition in the InfluxDB Writers that could result in a crash. #9247 +* All writers no longer send metrics multiple times after HA failovers. #9329 + +### Build + +* Fix the order of linker flags to fix builds on some ARM platforms. #9167 +* Fix an issue when building within an unrelated Git repository, + version information from that repository could incorrectly be used for Icinga 2. #9156 +* Windows: Update bundled Boost version to 1.78.0 and OpenSSL to 1.1.1n #9320 #9327 + +### Internals + +* Fix some race conditions due to missing synchronization. + These race conditions should not have caused any practical problems + besides incorrect numbers in debug log message. #9305 +* Move the startup.log and status files created when validating incoming cluster config updates + to /var/lib/icinga2/api and always keep the last failed startup.log to ease debugging. #9336 +* Remove outdated and incorrect of the severity attributes #9244 + +## 2.12.6 (2021-08-19) The main focus of these versions is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter. From c5ee17b53e041e039f7ecd6fdd558ac62f988587 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Mon, 25 Apr 2022 16:20:16 +0200 Subject: [PATCH 14/21] Release 2.12.8 (cherry picked from commit 9c3188b6c060d2c9322e283a5ea17b3933492286) --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2a51337de2..be2df5a91bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1052,6 +1052,19 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 +## 2.12.8 (2022-04-28) + +In the previous version 2.12.7, one bugfix was applied incorrectly. This is fixed by this release. + +### Downtimes + +* Scheduling downtimes for all children and all services no longer fails due to an object name conflict. + Only version 2.11.7 was affected by this issue. #9349 + +### Windows + +* Update the bundled version of Boost to 1.79.0. #9359 + ## 2.12.7 (2022-04-14) This version includes bugfixes for many features of Icinga 2, including fixes for multiple crashes. From 3c5dd9b9fc49a25f0cd48285d27ebe4587611b70 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Wed, 15 Jun 2022 12:18:17 +0200 Subject: [PATCH 15/21] Release 2.12.9 (cherry picked from commit 2b56b27e23389f4c7b95e3d28605c32a94f0bb7e) --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index be2df5a91bf..fa497363a0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1052,6 +1052,17 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 +## 2.12.9 (2022-06-30) + +This release includes some fixes and a performance improvement +resulting in faster config validation and reload times. + +### Bugfixes + +* Fix a race-condition involving object attribute updates that could result in a crash. #9394 +* Speed up config validation by avoiding redundant serialization of objects. #9401 +* Windows: Update bundled version OpenSSL. #9414 + ## 2.12.8 (2022-04-28) In the previous version 2.12.7, one bugfix was applied incorrectly. This is fixed by this release. From f8b87a15387ddab43aba3da83809612f81083fa7 Mon Sep 17 00:00:00 2001 
From: "Alexander A. Klimov" Date: Thu, 16 Feb 2023 13:14:27 +0100 Subject: [PATCH 16/21] Icinga 2.12.10 * Update CHANGELOG.md (WIP) * Bump ICINGA2_VERSION (cherry picked from commit 07ca2d5108d5f1707cb4f10c25207bffca6b8910) --- CHANGELOG.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa497363a0d..21970ba4698 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1052,6 +1052,23 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 +## 2.12.10 (2023-02-16) + +This security release updates Boost and OpenSSL libraries bundled on Windows +and repairs broken SELinux policies. + +### Security + +* Windows: update bundled OpenSSL to v1.1.1t. #9686 + +### Bugfixes + +* SELinux: repair broken policies. #9689 + +### Enhancements + +* Windows: update bundled Boost to v1.81. #9686 + ## 2.12.9 (2022-06-30) This release includes some fixes and a performance improvement From c3701b13a9b5467c1d5fea142066633a87e468c6 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Mon, 28 Oct 2024 16:16:44 +0100 Subject: [PATCH 17/21] Icinga 2.12.11 (cherry picked from commit e2dc726076f54fac7d8ca862e078ce16fb08a4b6) --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21970ba4698..48e8074f43d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1052,6 +1052,15 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 +## 2.12.11 (2024-11-12) + +This security release fixes a TLS certificate validation bypass. +Given the severity of that issue, users are advised to upgrade all nodes immediately. + +* Security: fix TLS certificate validation bypass. CVE-2024-49369 +* Security: update OpenSSL shipped on Windows to v3.0.15. +* Windows: sign MSI packages with a certificate the OS trusts by default. + ## 2.12.10 (2023-02-16) This security release updates Boost and OpenSSL libraries bundled on Windows From f337c2b2bd0c6d668d63f3c679dc317142c83258 Mon Sep 17 00:00:00 2001 From: Julian Brost Date: Tue, 20 May 2025 16:45:41 +0200 Subject: [PATCH 18/21] Icinga 2.12.12 (cherry picked from commit a0ec7f6b2fc7d4caa050f7e353e4f53f1bc140b7) --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 48e8074f43d..9b8636d5e5a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1052,6 +1052,21 @@ Thanks to all contributors: * Metrics * OpenTSDB-Writer: Remove incorrect space causing missing tag error #8245 +## 2.12.12 (2025-05-27) + +This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which +might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA +private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this +typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2. + +* CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0. +* Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same + function which is fixed as well, but in case it is triggered, typically only a wrong error code + may be shown in a log message. +* Windows: Update OpenSSL shipped on Windows to v3.0.16. #10455 +* Windows: Fix unknown ctest(1) `--log_level` argument. #10453 +* Don't require to build .msi as admin. #10454 + ## 2.12.11 (2024-11-12) This security release fixes a TLS certificate validation bypass. From d68ddac403498ca5b730e3aba033f984258d9ffa Mon Sep 17 00:00:00 2001 From: Yonas Habteab Date: Thu, 2 Apr 2026 16:50:16 +0200 Subject: [PATCH 19/21] Add a check-list in release workflow to forward-port changelogs --- .github/ISSUE_TEMPLATE/release.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/ISSUE_TEMPLATE/release.md b/.github/ISSUE_TEMPLATE/release.md index 2d67d00bd1c..1ee56d3047f 100644 --- a/.github/ISSUE_TEMPLATE/release.md +++ b/.github/ISSUE_TEMPLATE/release.md @@ -21,6 +21,7 @@ assignees: '' - [ ] Create release on GitHub - [ ] Update public docs - [ ] Announce release +- [ ] Forward-port the `CHANGELOG` changes to `master` ## Update Bundled Windows Dependencies From 20e671ec984dbbfb738fa3b72a9e20715e334b2b Mon Sep 17 00:00:00 2001 
From: Julian Brost Date: Mon, 13 Oct 2025 16:53:07 +0200 Subject: [PATCH 20/21] Add security fixes to v2.14.7 changelog (cherry picked from commit 67072d3c5b50026dba702b4031eb4f22ea65ff3b) --- CHANGELOG.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b8636d5e5a..355d754dd9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -233,15 +233,27 @@ newer toolchains. ## 2.14.7 (2025-10-16) -This version includes a fix for sending signals and updates dependencies used -in Windows builds. +This release fixes multiple security issues. Two of them allow authenticated +API users to learn restricted information or crash Icinga 2. A third issue +affects the scripts provided with Icinga 2 and allows a limited privilege +escalation where the Icinga 2 daemon user can trick root into sending signals to +arbitrary processes. Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the [upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1). -* Don't send signals as root in safe-reload script and logrotate config. #10597 +* CVE-2025-61907: Prevent API users from accessing variables and objects they + don't have access to within filter expressions. This allowed authenticated + API users to learn information they aren't allowed to access directly. +* CVE-2025-61908: Add a missing null pointer check while evaluating + expressions. This allowed authenticated API users to crash the Icinga 2 + daemon by supplying a crafted filter expression. +* CVE-2025-61909: Don't send signals as root in safe-reload script and + logrotate config. This allowed a limited privilege escalation from the Icinga + 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to + an arbitrary process. #10597 * Windows: Update to OpenSSL 3.0.18. #10595 * Windows: upgrade build toolchain to Visual Studio 2022. #10594 From 0b7034b7da202bd14a9197aa873ecc3612c90a30 Mon Sep 17 00:00:00 2001 
From: Henrik Triem Date: Thu, 16 Feb 2023 13:42:55 +0100 Subject: [PATCH 21/21] Reword Changelog for SELinux Issue (cherry picked from commit 61dac6fbb2dd294d0d2e57b1b39d78b3ea43526f) --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 355d754dd9a..993b619d27f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1099,7 +1099,7 @@ and repairs broken SELinux policies. ### Bugfixes -* SELinux: repair broken policies. #9689 +* SELinux: fix user and domain creation by explicitly setting the role. #9689 ### Enhancements
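Review bot: In PATCH 03/21 the `ICINGA2_VERSION` hunk moves the version backwards, from `Version: 2.15.1` to `Version: 2.15.0`, in a commit titled "Release `v2.15.2`". The resulting blob `66639bc0c36` is the same one PATCH 01/21 replaced, so this reads as an accidental revert rather than a bump. Set the line to `Version: 2.15.2`, or drop the hunk if this file is not supposed to change on the target branch.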
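Review bot: In PATCH 03/21 the new `## 2.15.2 (2026-01-29)` section opens with "Additionally, it includes two minor bug fixes ...", with no sentence before it for "Additionally" or "it" to refer to. PATCH 04/21 supplies the missing lead sentence, so the changelog is only coherent after both are applied. Consider squashing 03/21 and 04/21, or giving 03/21 a self-contained intro.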
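Review bot: In PATCH 05/21 the 2.14.7 section links the upgrading docs with the anchor `#upgrading-to-2-15-1`, and PATCH 08/21 does the same for 2.13.13. If the logrotate instructions in that docs section apply unchanged to the 2.14 and 2.13 branches, say so in the sentence ("see the 2.15.1 upgrading notes, which also apply here"); otherwise point at a section that names these versions, since a reader on 2.14.x may dismiss a 2.15.1 link as not relevant.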
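Review bot: In PATCH 09/21 the CVE-2025-61907 bullet for 2.13.13 ends with "In this version this also applies to the TicketSalt variable which was previously accessible through the /v1/variables API in this version." The trailing "in this version" repeats the opening and leaves it unclear which version exposed TicketSalt. Drop the repetition, for example: "In this version this also applies to the TicketSalt variable, which was previously accessible through the /v1/variables API."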
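Review bot: In PATCH 12/21 the added heading `# 2.12.6 (2021-08-19)` is a level-1 heading, while the neighbouring release in the context line is `## 2.12.5 (2021-07-15)`. PATCH 13/21 later changes it to `##`, so the fix belongs in this commit. Two smaller points in the same hunk: the blog URL ends in a double slash (`icinga-2-13-1-security-release//`) and the closing sentence ends at "carefully" without a full stop.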
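Review bot: In PATCH 13/21 the last bullet under "### Internals", "Remove outdated and incorrect of the severity attributes #9244", is missing the noun that was removed, so it does not say what changed. Please complete it from the referenced PR. Under "### Downtimes", "Creating fixed downtimes starting immediately now send a corresponding notification" should read "now sends", and "incorrect numbers in debug log message" should be "messages".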
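Review bot: In PATCH 14/21 the 2.12.8 intro says the faulty bugfix was in "the previous version 2.12.7", but the Downtimes bullet states "Only version 2.11.7 was affected by this issue." One of the two version numbers looks wrong for a 2.12.x changelog entry. Please confirm which release was affected and make the bullet and the intro agree.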
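Review bot: In PATCH 15/21 all three bullets sit under "### Bugfixes", but "Speed up config validation by avoiding redundant serialization of objects. #9401" is the performance improvement the intro mentions, and "Windows: Update bundled version OpenSSL. #9414" is a dependency update. Consider an "### Enhancements" or "### Windows" heading, as the neighbouring 2.12.8 and 2.12.10 sections use. The OpenSSL bullet is also missing "of" and does not name the version it updates to, which readers checking their exposure will want.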
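Review bot: In PATCH 18/21 the second bullet, "Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same function ...", refers to "the same function", but the preceding CVE-2025-48057 bullet never names a function. Either name `VerifyCertificate()` in the CVE bullet, or reword the second bullet to stand alone, for example "Fix a use-after-free in VerifyCertificate(). If triggered, typically only a wrong error code is shown in a log message."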
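Review bot: In PATCH 21/21 only the bullet is reworded to "SELinux: fix user and domain creation by explicitly setting the role. #9689", while the 2.12.10 intro visible in the hunk context still says "and repairs broken SELinux policies." If the point of the rewording is to stop describing the policies as broken, update the intro sentence added in PATCH 16/21 as well so the section is consistent.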