Releasing Icinga 2.11.8 + 2.12.3: Security and small improvements

by | Dec 15, 2020

Today we are releasing the 2.11.8 and 2.12.3 security & bugfix releases. Both versions contain the same changes.

They resolve a security vulnerability with revoked certificates being renewed automatically ignoring the CRL, issues with high load on Windows regarding the config sync and an issue where users weren’t able to disable/enable Icinga 2 features over the API.

Security

  • Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)

When a CRL is specified in the ApiListener configuration, Icinga 2 only used it when connections were established so far, but not when a certificate is requested. This allows a node to automatically renew a revoked certificate if it meets the other conditions for auto renewal (issued before 2017 or expires in less than 30 days).

Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years, this only affects setups with external certificate signing and revoked certificates that expire in less then 30 days.

 

Bugfixes

  • Improve config sync locking – resolves high load issues on Windows (#8510 / #8511)
  • Fix runtime config updates being ignored for objects without zone (#8550 / #8549)
  • Use proper buffer size for OpenSSL error messages (#8543 / #8542)

Enhancements

  • On checkable recovery: re-check children that have a problem (#8560 / #8506)

 

You May Also Like…

Subscribe to our Newsletter

A monthly digest of the latest Icinga news, releases, articles and community topics.