CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for icinga2 fixes the following issues:
Update to 2.12.1:
* Bugfixes
+ Core
- Fix crashes during config update #8348 #8345
- Fix crash while removing a downtime #8228
- Ensure the daemon doesn't get killed by logrotate #8170
- Fix hangup during shutdown #8211
- Fix a deadlock in Icinga DB #8168
- Clean up zombie processes during reload #8376
- Reduce check latency #8276
+ IDO
- Prevent unnecessary IDO updates #8327 #8320
- Commit IDO MySQL transactions earlier #8349
- Make sure to insert IDO program status #8330
- Improve IDO queue stats logging #8271 #8328 #8379
+ Misc
- Ensure API connections are closed properly #8293
- Prevent unnecessary notifications #8299
- Don't skip null values of command arguments #8174
- Fix Windows .exe version #8234
- Reset Icinga check warning after successful config update #8189
Update to 2.12.0:
* Breaking changes
- Deprecate Windows plugins in favor of our PowerShell plugins #8071
- Deprecate Livestatus #8051
- Refuse acknowledging an already acknowledged checkable #7695
- Config lexer: complain on EOF in heredocs, i.e. {{{abc<EOF> #7541
* Enhancements
+ Core
- Implement new database backend: Icinga DB #7571
- Re-send notifications previously suppressed by their time periods
#7816
+ API
- Host/Service: Add acknowledgement_last_change and next_update
attributes #7881 #7534
- Improve error message for POST queries #7681
- /v1/actions/remove-comment: let users specify themselves #7646
- /v1/actions/remove-downtime: let users specify themselves #7645
- /v1/config/stages: Add ‘activate’ parameter #7535
+ CLI
- Add pki verify command for better TLS certificate troubleshooting
#7843
- Add OpenSSL version to ‘Build’ section in --version #7833
- Improve experience with ‘Node Setup for Agents/Satellite’ #7835
+ DSL
- Add get_template() and get_templates() #7632
- MacroProcessor::ResolveArguments(): skip null argument values #7567
- Fix crash due to dependency apply rule with ignore_on_error and
non-existing parent #7538
- Introduce ternary operator (x ? y : z) #7442
- LegacyTimePeriod: support specifying seconds #7439
- Add support for Lambda Closures (() use(x) => x and () use(x) => {
return x }) #7417
+ ITL
- Add notemp parameter to oracle health #7748
- Add extended checks options to snmp-interface command template
#7602
- Add file age check for Windows command definition #7540
+ Docs
- Development: Update debugging instructions #7867
- Add new API clients #7859
- Clarify CRITICAL vs. UNKNOWN #7665
- Explicitly explain how to disable freshness checks #7664
- Update installation for RHEL/CentOS 8 and SLES 15 #7640
- Add Powershell example to validate the certificate #7603
+ Misc
- Don’t send event::Heartbeat to unauthenticated peers #7747
- OpenTsdbWriter: Add custom tag support #7357
* Bugfixes
+ Core
- Fix JSON-RPC crashes #7532 #7737
- Fix zone definitions in zones #7546
- Fix deadlock during start on OpenBSD #7739
- Consider PENDING not a problem #7685
- Fix zombie processes after reload #7606
- Don’t wait for checks to finish during reload #7894
+ Cluster
- Fix segfault during heartbeat timeout with clients not yet signed
#7970
- Make the config update process mutually exclusive (Prevents file
system race conditions) #7936
- Fix check_timeout not being forwarded to agent command endpoints
#7861
- Config sync: Use a more friendly message when configs are equal
and don’t need a reload #7811
- Fix open connections when agent waits for CA approval #7686
- Consider a JsonRpcConnection alive on a single byte of TLS
payload, not only on a whole message #7836
- Send JsonRpcConnection heartbeat every 20s instead of 10s #8102
- Use JsonRpcConnection heartbeat only to update connection liveness
(m_Seen) #8142
- Fix TLS context not being updated on signed certificate messages
on agents #7654
+ API
- Close connections w/o successful TLS handshakes after 10s #7809
- Handle permission exceptions soon enough, returning 404 #7528
+ SELinux
- Fix safe-reload #7858
- Allow direct SMTP notifications #7749
+ Windows
- Terminate check processes with UNKNOWN state on timeout #7788
- Ensure that log replay files are properly renamed #7767
+ Metrics
- Graphite/OpenTSDB: Ensure that reconnect failure is detected #7765
- Always send 0 as value for thresholds #7696
+ Scripts
- Fix notification scripts to stay compatible with Dash #7706
- Fix bash line continuation in mail-host-notification.sh #7701
- Fix notification scripts string comparison #7647
- Service and host mail-notifications: Add line-breaks to very long
output #6822
- Set correct UTF-8 email subject header (RFC1342) #6369
+ Misc
- DSL: Fix segfault due to passing null as custom function to
Array#{sort,map,reduce,filter,any,all}() #8053
- CLI: pki save-cert: allow to specify --key and --cert for
backwards compatibility #7995
- Catch exception when trusted cert is not readable during node
setup on agent/satellite #7838
- CheckCommand ssl: Fix wrong parameter -N #7741
- Code quality fixes
- Small documentation fixes
Update to 2.11.5:
Version 2.11.5 fixes file system race conditions in the
config update process occurring in large HA environments and improves
the cluster connection liveness mechanisms.
Update to 2.11.4:
Version 2.11.4 fixes a crash during a heartbeat timeout
with clients not yet signed. It also resolves an issue with endpoints
not reconnecting after a reload/deploy, which caused a lot of UNKNOWN
states.
Update to 2.11.3
Set minimum required boost version to 1.66
Fix boo#1159869: permission error when using the icinga cli wizard.
BuildRequire pkgconfig(libsystemd) instead of systemd-devel: Allow OBS
to shortcut through the -mini flavors.
Update to 2.11.2:
This release fixes a problem where the newly introduced
config sync “check-change-then-reload” functionality could cause endless
reload loops with agents. The most visible parts are failing command
endpoint checks with “not connected” UNKNOWN state. This only applies to
HA-enabled zones with 2 masters and/or 2 satellites.
Update to 2.11.1:
This release fixes a hidden long-lasting bug unveiled
with 2.11 and distributed setups. If you are affected by
agents/satellites not accepting configuration anymore, or not reloading,
please upgrade.
Update to 2.11.0
Update to 2.10.6
Update to 2.10.5
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1820=1
openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-1820=1
openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-1820=1
openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-1820=1