Today we release Icinga 2.8.2, a bugfix release with a focus on security. Most of these issues have been brought to our attention by the community and we are very thankful for that. Special thanks to Michael H., Julian and Michael O., who helped by reporting and assisting us in fixing security bugs. CVEs have also been requested for these issues. They are as follows: CVE-2017-16933, CVE-2018-6532, CVE-2018-6533, CVE-2018-6534, CVE-2018-6535, CVE-2018-6536. The full advisory from Michael's point of view can be found on his website.
As a side effect of these fixes a few things need to be considered during the upgrade:
For one, the init.conf is gone. Everything that used to be configured in there, i.e. the Icinga user, the Icinga group and the resource limits, is now found in the sysconfig file (usually /etc/sysconfig/icinga2). This means that if you manually edited init.conf, for example to change the user Icinga 2 runs as, you will have to move these changes to the sysconfig file. See the documentation for details.
Secondly, we added the CLI command icinga2 api user, which can be used to create ApiUser object configuration with hashed password strings.
If you did not change anything in init.conf, all of this is optional and additive and the upgrade path is safe.
Additional changes and details can be found in the changelog.
Updating is strongly recommended. We are striving to make Icinga 2 as secure as possible. To that end, we created a security mailbox for you to send us security reports and vulnerability information. We support the responsible disclosure of vulnerabilities and therefore ask for sufficient time to patch the issue before publishing the details.
Official packages are available on packages.icinga.com. Community repositories might need a while to catch up.