Today we’re announcing the general availability of Icinga Web v2.7.5, v2.8.3 and v2.9.0. Besides the compatibility with IcingaDB, the v2.9.0 release includes major enhancements to access control, support for PHP 8, the possibility to stay logged in during browser restarts and a full-fledged date-time picker in all browsers.
This release is accompanied by the minor releases v2.7.5 and v2.8.3 which include the security fixes mentioned below.
We continue our endeavour soon. Icinga Web 2 is still a crucial part of it and this update is again required for Icinga DB. If you like to participate again, don’t forget to update Icinga Web 2 as well.
This release includes two security related fixes. Both were published as part of a security advisory on Github. They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if the doc module is enabled. Please check the respective advisory for details.
- Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
- Possible path traversal by use of the doc module GHSA-cmgc-h4cx-3v43
RBAC, The Elephant In Icinga Web 2
Role Based Access Control, for the non-initiated. I’ll make it short: Permission refusals, Role inheritance, Privilege Audit. Icinga DB will also solve the long-standing issue #2455 and also allows #3349 and #3550. I’ve also written a blog post about this very topic.
- Authorization enhancements #4306
- Audit View #4336
- Highlight modules with permissions set inside a role #4241
Support for PHP 8
PHP 8 is released and with Icinga Web 2.9 it will now work flawlessly. We also took the chance to prepare to drop the support of some legacy PHP versions. We now require PHP 7.3 at a minimum and all versions below that will not be supported anymore with the release of v2.11.
Stay, Be Remembered
Have you ever been disappointed that Icinga Web 2 always forgets you after closing your browser? This is in your hands now! Just tick the new checkbox on the login screen and Icinga Web 2 doesn’t forget your presence anymore. Unless of course the administrator or you on a different device clears your session.
- Implement a “remember me” feature #2495
It Does Matter, When
Browsers are bad when it’s about date and time inputs. (I’m looking at you Mozilla!) Now we’ve given our hopes up and use a specifically invented solution to show you a date and time picker throughout every browser. With Icinga v2.13 onwards you will also be able to use this when defining an expiry date for comments! Though, you might not necessarily use it that often once you’ve configured new custom defaults for downtime endings.
- Add datetime picker widget #4354
- Expire Option for Comments #3447
- Custom defaults for downtime end, comment and duration #4364
Postponing new Dark/Light Themes
In an earlier blogpost we gave an introduction to new Dark/Light themes which were planned to be released with Icinga Web 2.9. We have decided to postpone those themes to a later release, due to the effect they have to our official modules and those built by the community. The decision was made in order to guarantee a smooth upgrade to all Icinga users, which currently requires some additional work. These new themes will be released with the next major version 2.10 instead.